The Benefits and Risks of Extending Weapons Deliveries to the Cyber Domain
While NATO members continue to supply weapons to Ukraine, they should consider the benefits and risks associated with extending these deliveries to include cyber weapons.
Published by The Lawfare Institute
In September, NATO members met to coordinate weapons supplies being sent to Ukraine, identify gaps in weapons stockpiles, and coordinate manufacturing. But all of the talk about delivering HIMARS (High Mobility Artillery Rocket Systems), Javelins, and tanks overlooks the important role that unconventional, nonkinetic capabilities, such as cyber tools, can play in defense. This article weighs the arguments in favor of and against delivering cyber weapons to Ukraine or other countries that might request them even if those countries are vital to NATO security and face an acute threat.
Paragraph 41 of NATO’s latest strategic concept is clear in noting that “[t]he security of countries aspiring to become members of the Alliance is intertwined with our own.” The concept explicitly identifies Ukraine and Georgia as such countries. In these states, NATO members aim to build resilience and capabilities against malign influence. Although Georgia has been a recipient of Turkish armored vehicles, French short-range air defense weapons systems, and U.S.-built M240 rifles, a lot of recent effort has gone into supplying Ukraine with conventional weapons equipment. Western countries and companies have also shared cyber defense capabilities with Ukraine. This includes U.S. Cyber Command being deployed on “hunting forward” missions (pre-invasion), the EU activating its cyber rapid-response teams, the FBI and the Cybersecurity and Infrastructure Security Agency sharing intelligence with Ukrainian counterparts, and Microsoft transferring Ukrainian government entities’ data to safer locations for free.
This assistance could be extended to include offensive cyber capabilities because highly sophisticated exploits—for example, tailored to Russian weapons systems—might not be that easily purchasable for Ukraine from the private sector and could be scarce in Ukraine’s own weapons stockpile. Furthermore, international partners’ strategic cyber weapons could complement conventional capabilities by helping to slow down a hostile invasion or propel counteroffensives within the attacked country. James Lewis posits that offensive cyber operations’ utility in wartime “will require emphasizing the use of cyberattacks to focus on disrupting command mechanisms, weapons software, and information as much or more than physical destruction.” Western assistance could focus on enabling Ukraine to surreptitiously corrupt information on military networks and weapons systems in Russian advanced positions in Crimea and the Donbas. This could be done in a sustained and coordinated fashion to press Russian troops into making concessions and instill doubt about their ability to handle malfunctioning equipment. Those types of attacks are likely to have more of an effect than uncoordinated “wipers” or distributed denial-of-service attacks that Russia and its proxies deployed extensively in the first few months of the war. Delivering wipers, for example, would also be more difficult to justify legally as they are aimed at permanently destroying data (see below for more context on this). In sum, if Ukraine manages to corrupt Russian military equipment via cyber means and integrate this capability with conventional weapons, in the context of its counterattacks, it could add to Ukraine’s war efforts.
Sharing Cyber Capabilities in Times of Crisis
Sharing capabilities will have certain trade-offs for the delivering countries. Some offensive capabilities have been dormant in presence-based cyber operations for months or years and are highly secretive and expensive to develop. Their deployment could reveal a friendly power’s capability, potentially rendering it useless, thereby reducing the incentives for sharing. NATO countries will have to make assessments on a case-by-case basis as to the trade-offs of sharing specific capabilities. What are the legal implications of sharing a specific cyber weapon? What were the costs of developing an offensive cyber capability and what are the benefits to the war effort if Ukraine deploys it? How likely is a Ukrainian deployment to reveal the capability? How many intelligence-gathering operations might be disrupted if a specific exploit is burnt? How are the shared capabilities complementary to conventional weapons deliveries?
In their sharing effort, NATO countries should avoid the sharing of “logic bombs” that countries might have implanted in Russian critical infrastructure. Such malware implants and “preparation of the ground” capabilities go beyond the defensive nature of the sharing agreements discussed in this article. Those are limited to counteroffensives against adversary military infrastructure within Ukrainian territory. The capabilities to be transferred should be limited to slowing down invading military troops on and around the battlefield and should not include cyber weapons that affect, for instance, Russia’s military intelligence (GRU) headquarters or Russian power plants.
While Ukraine is already engaged in active large-scale hostilities, it is not yet too late to conclude an agreement with NATO countries that lays out the provisions for sharing. Regarding Georgia, such an agreement could be drafted before a new crisis occurs, since it will be even more challenging to coordinate sharing in the midst of imminent hostilities. In the coming months and years, NATO members, Ukraine, and Georgia could establish a framework for the provision of defensive cyber weapons in which they lay out criteria (the receiving country’s cyber maturity, capabilities, and ability to safeguard malware) that would allow supplying countries to limit the types of weapons that could be shared based on the impact the weapons might have. The framework could include an assessment of the possibility of collateral damage, for instance, if Russia obtained the weapon that country X provided to Tbilisi/Kyiv or the potential of the malware spreading uncontrollably when deployed or leaked.
The goal of sharing capabilities with countries critical to NATO’s security would not be to deter future Russian cyber behavior that lies below the threshold of a use of force or armed attack. That undertaking would be futile. Even states that demonstrate sophisticated offensive cyber capabilities, such as the U.S., continue to be subject to disruptive and destructive cyber operations. Similarly, Russia is likely to continue its low- to medium-scale cyberattacks on neighboring countries. The primary goal of concluding sharing arrangements with Georgia and Ukraine would be to further boost their arsenals of asymmetric weapons. With an arrangement in place, cyber weapons could be shared quickly in times of crisis, as opposed to the much slower sharing of fighter jets or missile batteries.
Agreements that concern the sharing of cyber capabilities would not be a first. NATO’s Sovereign Cyber Effects Provided Voluntarily by Allies (SCEPVA) serves as an example of a similar undertaking. Through the SCEPVA framework, allies can voluntarily offer to target an aggressor’s system during Alliance operations and missions. There remain challenges to SCEPVA’s implementation as no member would like to disclose to the entirety of the Alliance that it can target certain systems. After all, some exploits targeting devices in adversary territory might expose a capability to exploit similar hardware or software in allied countries. This challenge could be mitigated if a country requested assistance and an ally approached it secretly offering the effects. A mechanism then needs to be put in place announcing to other allies that someone helped. Without this, a country might receive offers from several partners and, again, gain too much knowledge about allies’ capabilities, which could in turn disincentivize sharing in the future.
The SCEPVA framework is ill suited for aiding Ukraine and Georgia as it focuses on the sharing of effects only within the alliance. But SCEPVA does not preclude alliance members from acting in Ukraine’s support. The U.S., for instance, is already conducting cyber operations in support of Ukraine and thereby runs the risk of participating in hostilities alongside another state. In June, the head of U.S. Cyber Command Gen. Paul Nakasone told reporters that “[w]e’ve conducted a series of operations across the full spectrum; offensive, defensive, [and] information operations” and added that they were lawful. Former U.S. government officials have also stated that the U.S. might only be conducting low-impact operations below the threshold of use of force, such as changing passwords for Russian systems that are used to launch cyberattacks against Ukraine.
Mitigating Risks
Shipping offensive cyber capabilities comes with its own set of challenges and risks. Therefore, a plan to put in place cyber-sharing agreements needs to involve ways to mitigate the associated risks and costs that come with sharing. Delivering cyber weapons, such as the above-mentioned U.S. offensive cyber involvement in support of Ukraine, runs the risk of making NATO members co-belligerents. It could be argued that sharing exploits counts as providing Ukraine with intelligence for use in targeting, which in international law circles might be considered as establishing co-belligerency. The alleged U.S. provision of intelligence to sink the Moskva and to shoot down a Russian transport plane with hundreds of soldiers on board could be counted among such cases. To mitigate this risk, the cyber arrangement could lay out precisely how Ukraine and Georgia ought to use the cyber capabilities provided—for example, that capabilities should be used only to temporarily disrupt hostile systems, not to permanently disable or destroy them.
Another challenge with NATO allies sharing malware with Ukraine or Georgia is how Russia would aim to disrupt these activities. Deputy Foreign Minister of the Russian Federation Sergei Ryabkov noted in March that the Kremlin considers convoys of Western conventional arms shipments to Ukraine as legitimate targets. And indeed, a few weeks later Russia bombarded railway stations that were used to move weapons and ammunition depots where Western supplies were stored within Ukraine.
As illustrated above, when it comes to conventional arms supplies, they are most likely to be disrupted while they are being delivered or once they reach their destination, not while they are still on NATO territory. As with conventional shipments, it is unlikely that Russia would be able to disrupt the NATO member entities that deliver the code without having to conduct disruptive or destructive cyber operations against military entities within NATO, which it has avoided until now. When it comes to digital weapons, Russia will probably try to curtail those capabilities once they have been delivered to Ukraine and once it sees first signs that they are being deployed. If Ukrainian deployments turn out to be successful, Russia might try to degrade Ukrainian units that are engaged in launching Western offensive capabilities.
Another challenge to sharing capabilities will be to maintain internet connectivity in receiving countries. Ukrainian internet connectivity has proved to be resilient. Increasing power outages could, however, impede sharing offensive capabilities. Concerning Georgia, a potential Russian assault on the country might entail the disruption or severing of internet connectivity to Georgia. Georgia is connected to the outside world primarily through two submarine cables, one linking it to Bulgaria and the second to Russia. Those cables are vulnerable and could be cut by divers. If these links are disrupted, it would have second-order impacts on Azerbaijan and Armenia, both of which rely heavily on these cables for connectivity. Building a backup satellite communications network in Georgia, akin to that created by Taiwan, might be a way to build redundancy if undersea cables are severed. Perhaps Georgia could also rely on the newly proposed EU satellite system IRIS (infrastructure for resilience, interconnectivity, and security by satellite), which should be up and running by 2027, to uphold communications. Availability of all of these communication channels is crucial in the event of an invasion, but their security is just as important if cyber capabilities are to be transferred.
Conclusion
Perhaps the discussion around sharing cyber capabilities has already been concluded in Western policymaking circles. Cyber weapons supplies could be occurring in secret. If this is the case, Western democracies must become more transparent and explain their actions to the public. It is just as likely, however, that countries are wary of sharing cyber capabilities with Ukraine (and Georgia), recognizing that cyber weapons deliveries come with significant risk and considerable legal gray zones. Precisely because of those risks and unresolved legal challenges, countries might be forgoing the delivery of cyber weapons for now and focusing primarily on building Ukrainian cyber resilience.
A special thanks to Lawfare editors and Isabella Brunner for comments on this article.