Russia’s alleged interference in the US presidential election and cyberattacks against Ukraine were unprecedented, but precedent is rapidly being established.
Although security researchers have long suspected that the Russian state had the means and motivation to commit these attacks, those attributions have always been couched in caution.
Following this week’s legal indictment in the US, and Western nations’ collective blaming of Russia for the cyberattack on Ukraine, this caution can be put to one side.
Naming the perpetrator is the first step in addressing the Kremlin’s growing aggression and disregard of international norms. The problem is that for cyberspace, many norms – including those on the response to aggression – do not yet exist.
Speaking to Sky News, a NATO-affiliated cybersecurity expert noted how few people suspected two years ago that a nation state might interfere in the domestic affairs of another by manipulating social media during an election.
Such a notion was definitely alien in 2009, when an international group of experts began writing the Tallinn Manual, a NATO academic study into how international law should be applied to cyber conflicts.
This was similar to the #MeToo movement, the same researcher told Sky News, noting that speaking up and naming the perpetrator is the first step towards responding to their crimes.
Cyber hostilities cover a range of activities, not all of which meet the standard for war. Espionage, for instance, is considered acceptable state behaviour and not a reasonable pretext for a forceful response, but cyber-espionage has blurred this line.
Physical acts in the physical world have always been considered a justification for a physical response, but it is not yet clear whether the physical consequences of a digital attack could justify such a response – and, making matters more complicated, establishing responsibility for any given online action is difficult.
The attributions made with the gravity and accountability of government are important. They are not frivolous, but they are also not, in a sense, news.
Many experts believed that Russia was responsible for the NotPetya attack. What is notable is that governments are now also saying so, which suggests that a response is being planned.
Friday’s indictment regarding Russian interference, alongside the attribution of the NotPetya cyberattack on Ukraine to Russia, is a signal that the Western response to the Kremlin’s cyberspace aggression is going to become more public.
Industry veteran Chris Kubecka told Sky News: “The significance of public attribution and statement of incitement is extremely serious. Any public rebuke is not typically undertaken lightly.
“It paves the way for further punitive actions more severe and can be a double-edged sword. To go public, this usually means private attempts at mediation and mitigation have usually failed and there is tangible proof.
“Discussing the matter publicly can give an adversary and the public knowledge about tools and techniques used to obtain any proof. Many times, the tools and techniques are no longer operationally usable afterwards.”
When the NotPetya malware began to infect financial and government computer systems in Ukraine, it appeared very similar to the WannaCry malware which disrupted NHS services.
Although it told victims that their computers had been encrypted and requested a ransom in Bitcoin, the malware was not genuinely designed to generate revenue for the attacker through ransom payments.
Rather, the NotPetya malware was designed to destroy the computers it infected. It masqueraded as a criminal virus to provide Russia with deniability, but as it spread beyond Ukraine it affected computer systems in Russia and, crucially, in NATO member states.
Jens Stoltenberg, NATO’s secretary general, has warned that cyberattacks are capable of triggering Article 5, the organisation’s collective defence arrangement which commits each member to consider an attack against one to be an attack against all.
It has only been triggered once in NATO’s history, by the US following the terrorist attacks of 11 September 2001 which killed 2,996 people, injured more than 6,000 others, and caused at least $10bn in damage.
Despite the damage caused by NotPetya, there has not yet been a cyberattack of this scale. However, according to Ciaran Martin, the head of the NCSC, it is a matter of “when, not if” the UK is hit by a Category One cyberattack.
What will happen then is not clear. The UK’s Foreign Office has promised, in veiled language, to respond to the NotPetya attack, threatening that it would be “imposing costs on those who would seek to do us harm”.
That statement doesn’t reveal much and, as with many Government statements regarding security, it leaves plenty of its terms of reference undefined.
But even if we do not know what “imposing” or “costs” might mean, we now know that “those who would do us harm” have a name, and their name – for the first time since the end of the Cold War – is Russia.