The Cybersecurity Implications Of Russia’s War On Ukraine

The war in Ukraine has demonstrated how vulnerable states are to cyberattacks and how much they rely on transnational tech companies. Multiple actors are involved in cybersecurity – ranging from international tech companies to private security firms to governmental agencies. Since cyberattacks transcend national boundaries, protection against these attacks is always a transnational task. This means that the question of the role of transnational tech companies and their possible regulation is crucial. Private companies such as Microsoft and Google have been pivotal in securing technology and fending off attacks. That is why Czech and EU policies need to reconsider the relationship between government and private companies. What should the responsibility and authority of private tech companies be in times of war?

Russia has targeted critical infrastructure and public institutions inside and outside Ukraine. Attacks on information infrastructure (dis- and misinformation campaigns) have been continuous and the question of securing energy infrastructures is vital not only for Ukraine but also for Czechia and the EU. Czech politics and society need to acknowledge that cybersecurity is not only a military issue but also a societal one.

Securing against cyberattacks is a paramount challenge in this conflict. Protection against cyberattacks requires a set of specific skills, knowledge and technologies that need to be deployed with the right timing. For attacking and defending cyberspace private companies play an important role. The war in Ukraine shows that cybersecurity is a societal problem and that in times of war, the role of private tech companies is pivotal.

The ambiguous role of private companies in cyberwar

Cyberattacks can include targeted attacks such as the destruction of gas pipelines that Ukraine experienced in October 2022 or disinformation campaigns that spread false political information. In Ukraine, what we observe is not a cyberwar but a conflict in which cyberattacks play a crucial role in combination with traditional military attacks.

The images of cyberattacks have changed over the past decades, evolving from doomsday scenarios to recognising their prevalence in all sectors of society. Especially in the wake of 9/11, predictions about a nearing cyberwar usually rested on ideas of high-impact terrorist attacks conducted by a single individual. The past decade, however, has shown that those kinds of high-impact low-probability attacks are not the main problem. What is rather the problem is low-scale attacks that often go unnoticed by the public. DDoS attacks, (industrial) espionage and ransomware attacks cause huge economic losses but are also used by governments for espionage. Ransomware attacks demonstrated to the public how transportation (like the Deutsche Bahn) and health services (like the British NHS) are highly vulnerable. The variety of past incidences shows the vulnerability of many infrastructures and the multiplicity of actors involved as sources but also targets of attack. Cybersecurity can thus no longer be only understood as a military issue but concerns societal security.

One question is then how actors involved in cyberattacks multiply. Not only military and governmental agents are involved. Private tech companies play a major role in conducting, preventing and analysing cyberattacks. These companies appear in different roles in debates on cyberattacks: First, they can be victims of cyberattacks if data is stolen from them or if their infrastructure is disrupted. Second, they can be the direct or indirect perpetrator if they either launch cyberattacks or sell the software or knowledge about vulnerabilities to other actors. Third, they can help secure cyberspace. This role of protection might be their main business model. Think about antivirus software, but it can also just be a side aspect to their main business. This development of the privatisation of security is, of course, neither new nor restricted to the realm of cybersecurity.

However, big tech companies possess unique data such as satellite images or knowledge such as that of vulnerabilities and exploits of commonly used software. In this way tech companies such as Microsoft or Alphabet become part of military efforts. What is remarkable about the Ukrainian-Russian war is how quickly major companies sided with Ukraine and assisted them. This means that their role is never neutral and is critical to understanding future conflicts. The global character of the company but also the data and infrastructures involved, make the question of regulation and control paramount. Early in the conflict, Microsoft published a report about the situation in Ukraine and its efforts to help the country.3 The report is important in summarising the amount and kinds of attacks targeted against Ukraine. Even though Microsoft does not have a full overview of the situation and we cannot be sure of how much of their information they
publicised, the report has been crucial in informing the public about the state of cyberattacks in the conflict. Microsoft highlighted its own capabilities and made visible not only how state and non-state actors rely on a few quasi-monopolistic companies but also how powerful these companies are when cooperating with state actors. Tech companies are core actors for any kind of future conflict. Ongoing questions about regulating Big Tech companies appear in a new light. Regulation is not only a question of protection of rights such as data protection versus hampering innovation; it is now also a question of what kind of power these companies will have in the future.

The need for regulation

Private companies have unique capabilities that in some aspects surpass those of nation states. Czech and European policies need to come to terms with these novel capabilities. Especially in times of war the role of private tech companies needs to be reassessed.

Consequently, the relationship between public and private actors and their responsibilities and capabilities is fundamentally shifting. The recent debate on digital sovereignty shows how the question of dependency on technology and tech companies becomes a problem for the EU.4 The EU – and governments around the world – depend on a few companies that can produce specific high-end technologies, collect or analyse Big Data or provide essential infrastructure. This dependency will only increase. Advanced technologies such as Artificial intelligence (AI) or microprocessors rely on specialised global supply-chains, and raw materials are often rare. In times of war this dependency becomes more visible but also more vital. The question ahead is then how to rethink questions about the power, legitimacy and responsibility of private tech companies. Can we reduce our dependency on specific technologies? And if not, how do we want to govern the access to those technologies and their providers?

The answer to those questions will not be easy and requires us to rethink the relationship between private and public authority and how private companies serve public interest. While the West might applaud the activities by Microsoft and the way other companies boycott Russia, in future conflicts, the power of private companies might become a larger problem for Czechia. That is why we need a more fundamental debate on the role of private tech companies especially in war times and the possibilities of regulation.

This debate must be conducted on the national, European, and global levels. Regulation and innovation are often seen as opposing views but it does not need to be the case when thinking of cybersecurity in a conflict zone. Indeed, major tech companies ask for more regulation when it comes to ethically sensitive technology such as AI. Similarly, regulation is needed for developing sophisticated technology, securing complex supply-chains and protecting critical infrastructure. These kinds of regulations do not harm but allow for innovation. Furthermore, they will allow for better protection in future conflicts.

The way forward: reassessing big tech in society

The war in Ukraine has shown the need to reassess the role of tech companies and digital technologies. Questions about the role of technology in society, the producers, and the authority that determines access to it are complex and require answers. The current Czech Cybersecurity Strategy (2021–2025) states the need for cooperation with private actors. However, policy makers need to reflect on the exact scope of this cooperation. These challenges cannot be met on the national level but need EU-wide responses.

• Policy makers and IT experts must acknowledge that cybersecurity is a societal issue and requires technological, military, sociological and political expertise.
• Czechia and the EU need to reassess their technological dependencies and ensure higher resilience in case of a future disruption of these dependencies.
• Czechia should continue its efforts to reduce the usage of third-party providers coming from China and Russia.
• Higher awareness of the power of private companies should lead to increased regulation efforts.
• A stronger cooperation between public and private actors – on national and transnational levels – has to establish clear boundaries of the responsibilities and authorities in times of war.

The chapter was published in this year's annual publication "Svět v proměnách 2023: Analýzy ÚMV".