Cyberwar against Russia is creating a risky legal precedent, says expert

While hitting Russia with cyberattacks helps ease the pressures Moscow has put on Ukraine, what will happen if hackers use the cyberwar as a pretext to focus on another, unrelated, target?

Setting a precedent can have far-reaching and unforeseen consequences, Kim Zetter, investigative cybersecurity journalist and author, argued at the Nordic-Baltic Security Summit 2022 in Tallinn last week.

One example is the use of Stuxnet, a malicious computer worm developed by the US and Israel. The digital weapon was launched in 2007 and helped attackers to destroy close to one-fifth of Iran’s nuclear centrifuges.

According to Zetter, Stuxnet marked the first time a digital weapon caused actual physical destruction in the real world. However, the successful and arguably well-intentioned attack had unforeseen consequences.

"Once you tell Anonymous that it’s OK to be attacking governments, critical infrastructure in Russia, what’s going to stop them attacking another country whose policies they disagree with,"

Kim Zetter, investigative cybersecurity journalist and author, said.

“But what we saw after Stuxnet was discovered was that it was the impetus for a lot of other countries to start launching their own offensive cyber operations. […] We’ve seen probably a couple of dozen other countries shortly after announcing their offensive operations,” Zetter said.

She argued that the attack against Iran showed everyone around the globe that there’s legitimacy in using digital weapons to resolve diplomatic and cultural disputes. It’s highly unlikely that the cyberwar sparked by Russia’s invasion of Ukraine will not leave a similar imprint on the future.

Flames of cyber war

Cyberwarfare has been plaguing Europe since Russia invaded Ukraine on 24 February. Groups supporting Ukraine started targeting organizations in Russia to help the country defend against the invasion.

Kyiv rallied an international IT army to help it fight the digital war, while Anonymous, Hacker Forces, and many other hacktivist groups started targeting Russia’s private and state-owned enterprises.

However, Zetter argues that the way Ukraine mobilized the global hacker community has long-term legal implications, especially given previous international agreements on the waging of cyberwar.

The risky precedent cyber war against Russia has created
Kim Zetter.

In 2015, major cyber powers, including the US, Russia, the UK, China, and others, agreed to a set of norms for cyber conduct.

“One of the things that they agreed on was that states should not intentionally damage another state and other states’ critical infrastructure […]. And they also agreed that states shouldn’t allow their territory to be used for cyberattacks against other states,” Zetter said.

However, at least some of the cyber exchanges originated from within NATO countries: even though hacker groups and governments keep each other at arm's length, legal questions on who is responsible for what could arise soon.

The floodgates are open

Zetter stressed that there should be no doubt that Russia is the obvious aggressor in the war against Ukraine, and called for Kyiv to be provided with aid to repel the Kremlin’s military advances. However, it would be naïve to expect that volunteer-based cyber warfare will not affect how the wider digital conflict is prosecuted.

“But the problem here is that when you are opening this up in this way to activists and volunteers, you’re creating some legal issues. There’s also the idea of how do you rein that in after you’ve unleashed this – it’s setting a precedent for other actors going forward,” Zetter said.

What makes matters more confusing is that governments in the US and EU aren’t entirely clear about their position towards hacking groups targeting mutual enemies. On the one hand, governments distance themselves from prominent hacking groups, while at the same time endorsing the help that Ukraine receives from them.

Zetter argues that while the situation can seem clear-cut when solely viewed within the confines of Russia’s war against Ukraine, avoiding questions posed by the cyberwar could create future situations that will be difficult to handle.

For example, Zetter asked, what if a Russia-owned company in Germany were to organize an offensive bug-bounty program that targeted Ukrainian critical infrastructure, and shared the discovered vulnerabilities with the Russian intelligence community – would Berlin, Brussels, and Washington deem this acceptable private-sector behavior?

“Once you tell Anonymous that it’s OK to be attacking governments, critical infrastructure in Russia, what’s going to stop them attacking another country whose policies they disagree with?” Zetter said.

The same goes for hacker groups with different allegiances. For example, Russia launched a crippling cyberattack against Estonia in retaliation for its decision to relocate a Soviet-era war statue.

“To ignore the essence of the IT army will wreak havoc on the future stability of cyberspace and, with it, the national security landscape in Europe and beyond,” Zetter said.