The Risks of a Self-Directed, Volunteer Army of Hackers
Asomewhat conventional war is underway in Ukraine, featuring organized and professional soldiers, a chain of command, advanced weapons such as drones and tanks, and state-crafted tactics and strategy. But a parallel war is also taking place, mostly in cyberspace, fueled by foreign volunteers fighting for either Russia or Ukraine. These online volunteer forces are loosely organized and don’t have a chain of command. They have grown exponentially since the war began in February—Ukrainian authorities estimate that some 400,000 hackers from numerous countries have aided the country’s digital fight so far. Several high-profile figures have offered to join the cause: the entrepreneur Elon Musk, for instance, has challenged Russian President Vladimir Putin to a “single combat” duel to decide the fate of Ukraine. Hundreds of thousands of people from around the world have begun to engage in cyberwarfare related to the conflict, in an impressive feat of grassroots mobilization.
For those rooting for a besieged country defending its territorial integrity, this arrangement may seem to have no downside: civilians from around the world are volunteering their time and skills to help Ukraine win without expecting remuneration or reward from its government. But there are serious risks involved in waging an informal cyberbattle against Russia, particularly since cyberwarfare may be one of the few remaining tools in the Kremlin’s playbook. This parallel war sets Russia and the West on a collision course—and risks spinning out of control into a chaotic, high-stakes contest that could spread beyond the cyber-domain.
Recognizing the global momentum on its side as people around the world sought to support the Ukrainian defense, the government in Kyiv forged this informal network in the early days of the war. “We are creating an IT army. We need digital talents. . . . There will be tasks for everyone. We continue to fight on the cyber front,” tweeted Mykhailo Fedorov, Ukraine’s vice prime minister and minister of digital transformation, on February 26, including a link to the newly created “IT Army of Ukraine” group on the chat app Telegram. Offers to aid Ukraine’s cyber-efforts began arriving immediately—“Let me know if our team can be of any assistance (free of charge of course),” wrote the CEO of a cybersecurity startup. Since then, the Telegram group has grown to almost 300,000 members.
People from all corners of the world have joined the digital fight. They have worked on projects ranging from disabling Russian government pages to building a website to combat Russian misinformation—and they have often succeeded. But while the efforts on the part of this volunteer army have been impressive, they could very well backfire, threatening to escalate and prolong the conflict rather than delivering a decisive victory for either side.
THE DIGITAL CAVALRY
In the wake of Russia’s invasion of its southern neighbor, civilians from around the world have sought to find ways to get involved in the conflict from afar. Some of these efforts are essentially boosterism: countless people tweet images and videos in support of one side or the other, seemingly irrespective of the accuracy of the information. But some of the volunteer work has been of the more skilled variety: a Norwegian computer expert, for instance, has created a spamming program that sends an automated message denouncing the attack to 150 Russian email addresses at a time. “Dear friend, I am writing to you to express my concern for the secure future of our children on this planet. Most of the world has condemned Putin’s invasion of Ukraine,” reads the Russian-language message, which is followed by an English translation.
Participation has not been limited to the online realm: thousands of foreign volunteers have traveled to Ukraine since the start of the conflict to help the Ukrainian military defense, though their military contribution in the country has for the most part been a disappointment. Instead, cyber-aggression is by far the most powerful element of the global volunteer effort. Victor Zhora, the deputy chief of Ukraine’s information protection service, told BloombergQuint in early March that volunteers had been working on tasks ranging from gathering intelligence to attacking Russian military systems. “It’s a bit like the people who traveled to fight in Syria, but this time both [warring] parties are technologically advanced, so attacking the other side in cyberspace makes sense,” retired Major General Gunnar Karlson, the former chief of Swedish military intelligence, told me. “And receiving such volunteer help is attractive because it brings competence at no cost. For lots of people, hacking for Ukraine in particular is a very attractive alternative to donating money or traveling there to fight. All this is very positive for Ukraine.”
These informal attacks have often been successful. On February 26, for instance, the global hacking collective Anonymous declared “cyber war” on Russia and hacked Russian state television to show harrowing footage from the war, along with other pro-Ukrainian content. On April 13, the collective reportedly claimed that Russia “no longer has control over spy satellites” following a hack on its satellite program, which Russia denied. Other hackers have conducted successful attacks on Russian government websites. On March 16, cyber-intruders modified the Russian Ministry of Emergency Situations website by posting a number for Russian soldiers to call if they want to defect. And some volunteers belonging to the IT Army of Ukraine have voiced a desire to go further by targeting private companies and disrupting Russian government agency operations. “There have been long queues to ATMs in Russia recently. Let’s make them even longer by shutting down online banking,” a recent comment in the Telegram group read. On April 7, the IT Army of Ukraine announced it had hacked Rossgram—a Russian facsimile of Instagram, launched after the U.S. social media platform was banned in Russia in March—and leaked user data. But the successes of Ukraine’s volunteer army of hackers in creating widespread disruption and chaos in Russia could ultimately escalate the war on the ground.
UPPING THE ANTE
In conventional conflicts, including cyberwarfare, each side follows an organizational strategy known as command and control, in which a chain of commanders has oversight and authority over assigned forces in the execution of a mission. This allows a country to decide on a military objective and ensure that everyone down to the last private collectively implements it. Without such a structure, state-on-state conflict would be a free-for-all, as different units and even individuals would attack targets of their own choosing. The command-and-control system, of course, also places ultimate responsibility on state governments.
The shadow war between a global volunteer corps supporting Ukraine and a smaller group of pro-Russia hackers operates outside any such structures. And while many hackers may see freelancing for one’s preferred side as harmless, it is anything but. “No reasonable person will want to condemn volunteers for trying to help Ukraine,” Ciaran Martin, the founding director of Britain’s National Cyber Security Centre, told me. “But just as volunteer soldiers from within Ukraine or from abroad who don’t know what they’re doing and aren’t operating in a proper structure can sometimes do more harm than good, so can volunteer hackers.”
State governments should brace themselves for a rise in cyber-accidents, cyberattacks, and potential escalation.
The lack of a command-and-control system—or any commanding authority, in fact—poses enormous risks. In the absence of any guidance or direction, “the volunteers . . . could do completely unhelpful things like attacking the wrong targets,” said Karlson. Many independent hackers could use the pretext of the conflict to carry out serious cybercrimes. And even though these volunteers aren’t following instructions from their home government, they are residents or citizens of countries that risk being linked to their activities. “This is more dangerous than U.S. citizens traveling to Ukraine to fight with the Ukrainian foreign legion, because it brings the very real risk of aggression launched from our territory,” said retired Rear Admiral Mark Montgomery, the executive director of the Cyberspace Solarium Commission. “Everyone instinctively understands that it’s not OK if some guy in Europe or the U.S. fires off a missile to help the Ukrainians. Volunteering as cyber-aggressors is the same thing, just in a different domain.” The efforts of thousands of foreign volunteer fighters on the ground in Ukraine have, in fact, already raised questions regarding to what extent governments should be held accountable for the participation of their citizens in the conflict. The United States is in a particularly vulnerable situation regarding pro-Ukraine freelance hacking emanating from its territory, given that U.S. President Joe Biden told Putin last year that Washington will hold Moscow responsible for hacking originating from Russian soil. Russia could well feel entitled to hold a similar position on cyber-activity emanating from the United States.
This is true on a global scale: with most of the foreign cyber-volunteers supporting Ukraine, high-profile hits by pro-Ukraine hackers could prompt an already violence-prone Kremlin to retaliate. Moscow would not retaliate against the attackers—who might be a few different individuals dispersed around the world—but against Ukraine or against the attackers’ countries of origin or residence. That, in turn, could trigger further escalation. “If you’re hacking Russia from your living room in London, it poses a risk to the [United Kingdom],” Karlson said. “Putin wouldn’t fire off cruise missiles against the UK to avenge hacking from London, but he could use such means to retaliate against hacking attacks originating in neighboring countries.” That risk extends to the countries hosting the servers that handle hackers’ traffic—including the United States. The West’s extreme dependence on electricity and the Internet already makes it an attractive target for Russia. “Just imagine what would happen if the power went out for a few hours in New York City,” Montgomery said. “And with Americans already active in this parallel war, the Russians could stage a false-flag attack to suggest an attack was being conducted from the U.S. or another Western country. Attribution is extremely hard in cyber, and that makes it hard to prove a negative.” The Ukrainian government, meanwhile, might likewise choose to retaliate against any crippling cyberattacks that appear to have a Russian connection.
Another crucial difference sets these novel volunteers apart from soldiers in the employ of armed forces: they are not obliged to follow the Geneva Conventions, nor do they seem familiar with them or with national laws that, for example, ban citizen cyber-intrusions, even against foreign countries. Ever since Russia’s invasion began, supporters of Ukraine have been sharing videos on social media of Russian prisoners of war held captive in Ukraine in what is almost certainly a genuine effort to help spread optimism regarding Ukraine’s chances of defeating its invader. But sharing footage of POWs violates the Geneva Conventions, which stipulate that “prisoners of war must at all times be protected, particularly against acts of violence or intimidation and against insults and public curiosity.” Naive social media users are thus providing Russia with an opportune pretext to likewise mistreat Ukrainian POWs. In Montgomery’s words, “Yes, the war is deplorable, but you can’t say it’s so terrible that you’ll go ahead and violate international rules and norms.”
LESS IS MORE
For many volunteer hackers, that ship may have already sailed. Russia’s invasion of Ukraine is reminiscent of the Spanish Civil War, in that the invasion has compelled countless people from around the world to play a part in the struggle. But in contrast to the Spanish conflict, Ukraine’s cyber-volunteers can choose to take part from the safety of their homes. “It’s inevitable that we’ll see more such shadow wars in the future,” Karlson predicted. “And countries that can’t afford big armed forces can wage war on the cheap by appealing for volunteers to join such shadow armies. For younger generations, this could become the natural way to participate.” As the volunteer cyberwar over Ukraine grows bigger, the United States and its allies must not be caught flat-footed should this shadow conflict—or the next—threaten to spiral out of control.
In the absence of any official authority over volunteer hackers, state governments should brace themselves for a rise in cyber-accidents, cyberattacks, and potential escalation—and most importantly, they should attempt to regulate freelance shadow wars. Despite the West’s military contributions to the Ukrainian defense, as well as some states’ tacit approval of foreign military volunteers, the United States and its allies must work to differentiate the shadow cyberconflict—and to drive home the stakes for average citizens inclined to join the cause. A retaliatory Russian cyberattack targeting the United States could devastate critical infrastructure, the private sector, and civilians who have played no part in the conflict. Washington must make clear that hacking Russia from U.S. soil is not worth the risk. It must also revise and update its neutrality laws to account for these new forms of informal cyberconflict, to be able to hold hackers fighting from U.S. soil accountable.
Perhaps most importantly, U.S. officials should encourage the public to help the Ukrainian defense in ways that cannot be used as a pretext for retaliation. Private citizens can help by housing Ukrainian refugees, supporting Russian dissidents, and taking care not to spread disinformation about the conflict. Residents in the United States and Europe could deliver the ultimate blow to Russia by reducing energy consumption: that move would deprive the Russian government of an influx of cash and mitigate the possibility of Russia threatening energy cutoffs to retaliate against governments providing aid to Ukraine. If private citizens are looking to make a difference for Ukraine, turning off the lights at home would be a good start.