The Russian invasion of Ukraine has undoubtedly been the most digital of all time. The access to mobile phones and social media has given Ukrainians the ability not only to share what is happening in real-time but also to disrupt traditional attempts to control the flow of information and propaganda that has been such a bedrock of warfare for generations.
The war has moved from a more static process where information is provided by journalists reporting via their predetermined formats towards a far more fragmented and often participatory format. In this new way, information about the war becomes content, and those not directly involved feel they can participate in at least a small way.
This marks an evolution from the so-called Nintendo War that pushed the arrival of 24-hour news coverage of the Gulf War towards an era where speed and fragmentation are common characteristics.
"We're seeing an information war, which is important as we don't often view misinformation as a cyber threat, but it very much is one," says Deeph Chana, Co-Director of the Institute for Security & Technology at Imperial College London. "The information warfare aims to grab the narrative around the truth and this has been really interesting in this conflict as we've seen both sides recognize the importance of controlling the narrative and using digital means to spread information and disinformation."
While the “battle for truth” has perhaps been the defining feature of the conflict, it has nonetheless prompted many nations to seek to bolster more traditional cyber defenses. For instance, the Australian government recently announced a $7.4 billion investment in people, equipment, and training to bolster the country's cyber defenses. The investment will support the creation of around 1,900 new roles to help with electronic monitoring and surveillance of threats.
Fears of just how the invasion might unfold in terms of cyber warfare have largely proved unfounded. Those fears were stoked in large part by the long history of Russian cyberattacks, with notable attacks on the power grid in 2015 and via the NotPetya virus in 2017. While Russia has launched a number of smaller hacks since the invasion, they haven't been as catastrophic as many feared.
That is perhaps because Ukraine spent the years since 2015 investing heavily in its infrastructure and cyber defenses to try to ensure that similar attacks don't happen again. Estonia had a similar trigger when it suffered a series of Russian cyberattacks in 2007. The attacks prompted a renewed investment into cybersecurity in the Baltic nation.
"Situations like we're seeing in Ukraine and the various major cyberattacks on areas like electricity grids and other key infrastructure present real threats that have to be taken seriously," Allan Allmere, Project Director at the Estonian Ministry of Economic Affairs and Communications, says.
One element of this response was the creation of a "data embassy", which is an Estonian data center located in Luxembourg but fully under the control of the Estonian government. The facility houses critical digital backups from 10 government datasets, including the population register and the treasury information system, with the intent being to provide both a deterrent to attackers and an effective way to reboot any systems that do suffer an attack.
"The data center is owned by Luxembourg but it operates in many ways just like an embassy in that Luxembourg police or military are forbidden from entering," Allmere continues.
The data center operates under Tier 4 level security, and all of the data housed at the facility retains Estonian sovereignty. Blockchain technology is used to produce secure copies of data and ensure a high degree of operational continuity for key government services.
Thus far, the data embassy approach has achieved limited traction, with only Monaco joining Estonia in establishing one, although Bahrain's recently issued Cloud Computing Law allows the country to offer cloud services to foreign entities, with a framework for hosting data embassies established.
It’s possible that the existing Vienna Convention will need to be similarly modified to allow diplomatic rules and relations to extend to the hosting of data and even IT systems overseas. Perhaps the biggest challenge, however, remains finding partners that are sufficiently reliable and stable to guarantee the survival of the data embassy in the event of a crisis.
As such, Chana believes that while such innovations are certainly interesting, the most effective responses to geopolitical cyber threats will remain in relatively humdrum areas, such as boosting digital literacy, especially given the particular challenges involved in developing data embassies for larger countries with significantly greater datasets to back up.
"That's really at the core of things, as everyone needs to have a better understanding of how technology works, both at home and at work," Chana explains. "It's a core skill that you really need as a citizen these days, and Covid has really shone a light on the importance of understanding how things like home networks work."
It is also vital that, just as in the private sector, policymakers and other officials take cybersecurity as seriously as they do more traditional means of defense and security. Former President Obama "identified cybersecurity as one of the most serious economic and national security challenges we face as a nation, but one that we as a government or as a country are not adequately prepared to counter," back in 2009, and while that did help to focus minds, the events of the past few years have clearly shown the work that is still needed.
"The core of this is that there isn't the technical literacy that is needed in our organizations to fully grasp the risks and ramifications of cybersecurity for our organizations," Chana says. "This can result in it getting lost on the risk register and not being given the importance it merits."
By doing more to prioritize cybersecurity, organizations can help to make digital systems secure by design rather than trying to bolt on policies that may seem like a good idea but which people will do their best to work around. While the realm of cyber warfare can seem like an inherently high-tech sphere, it's perhaps worth remembering that the best defenses are often the least high-tech and, therefore, the most accessible.