Skip to main content

Why the U.S. can engage Russia on cyber over Ukraine

Image Credit: Getty Images

Join us in Atlanta on April 10th and explore the landscape of security workforce. We will explore the vision, benefits, and use cases of AI for security teams. Request an invite here.


Following a report that the U.S. Cyber Command has been working to counter Russian cyberattacks against Ukraine, the former general counsel of the command said that the U.S. makes every effort to ensure that all of its military activities — including on the cyber front — steer clear of making the country a “co-belligerent” under the terms of international law.

“The United States is not a party to the current armed conflict between Russia and Ukraine and by all indications is calibrating its support to Ukraine to keep it that way,” said Gary Corn, who served as staff judge advocate (general counsel) for U.S. Cyber Command from 2014 to 2019, in an email to VentureBeat.

“That means [the U.S.] is not engaging in any activities that would amount to a prohibited use of force under the UN Charter, or would otherwise make it a co-belligerent of Ukraine,” said Corn, who is now a professor with American University’s Tech Law and Security Program.

Corn, a retired U.S. Army colonel and military attorney who served in the Army for 27 years, noted that “co-belligerent” is the correct term under international law (as opposed to the term “co-combatant” that is sometimes used).

VB Event

The AI Impact Tour – Atlanta

Continuing our tour, we’re headed to Atlanta for the AI Impact Tour stop on April 10th. This exclusive, invite-only event, in partnership with Microsoft, will feature discussions on how generative AI is transforming the security workforce. Space is limited, so request an invite today.
Request an invite

The New York Times reported on Sunday that teams with the U.S. Cyber Command — which is a part of the Department of Defense — have been working out of military bases in Eastern Europe to help neutralize Russian cyber offensives against Ukraine.

These so-called “cybermission teams” from the unified combatant command have been working to “interfere with Russia’s digital attacks and communications,” according to the Times.

VentureBeat has reached out to the U.S. Cyber Command and the Department of Defense (DoD) for comment.

Complying with the law

Deploying a cyber operation is “one of many tools available to the President to potentially employ in this crisis to defend against cyber threats and, as appropriate, advance U.S. interests,” Corn said in the email to VentureBeat.

Russia has proven itself to be an active cyber threat, whether connected to the current conflict or not, and it’s the job of Cyber Command to defend against that threat, he said.

However, “if the President were to direct U.S. Cyber Command to conduct activities beyond its normal operations to defend DoD networks — and that is a big ‘if’ — you can be sure those activities would be subject to intense coordination across the interagency and in the NSC [National Security Council],” Corn said.

This coordination would be meant to “ensure, among other things, that they comply with domestic and international law and account for risks of unintended consequences,” Corn said.

In tandem with Russia’s many reported assaults against Ukrainian civilians, cyberattacks have been observed against a number of civilian digital targets in Ukraine since the unprovoked Russian invasion of the country on February 24, according to tech vendors such as Microsoft and Amazon.

Those have included cyberattacks aimed at humanitarian aid organizations and emergency response services in Ukraine, and the cyberattacks may end up being deemed violations of the Geneva Convention, Microsoft president Brad Smith has said. Amazon says it has observed “particularly egregious” cyberattacks in which “malware has been targeted at disrupting medical supplies, food and clothing relief” in Ukraine.

‘Red lines’

As Russia’s assault against Ukraine expanded this week, so did the debate around whether the U.S. should do more to aid Ukrainian forces. Supplying weapons, for instance, has so far been seen as OK.

“The line of what makes a state a co-belligerent under international law is not black and white, but generally, providing arms, financing or other similar support is not enough,” Corn said.

On the other hand, establishing no-fly zones over Ukraine — or assisting with the transfer of Polish fighter jets — would amount to the U.S. getting too involved militarily, Pentagon officials have said.

There appears to be less risk, though, that reported activities by U.S. Cyber Command to oppose Russia in the cyber realm would be perceived in the same way.

Still, it’s not zero risk — given that Russian President Vladimir Putin has issued a general threat of retaliation against “those who may be tempted to interfere” and try to “stand in our way” in Ukraine.

“As military planners say, the enemy always gets a vote,” Corn told VentureBeat. “And Putin has already telegraphed that he will draw his own red lines, regardless of what international law has to say.”

The New York Times report indicated that U.S. officials believe the country’s cyber forces can “temporarily interrupt Russian capability” without the activity being considered an act of war. But permanently disabling Russian systems would be seen as going too far, according to the report.

The Times did not provide specifics on the activities that U.S. Cyber Command has carried out, but suggested that the effort is more focused on mitigating Russian cyberattacks against Ukraine than on offensive operations against Russia.

Not much about the mission is known for sure, though, given that the U.S. cyber operations are among the “most classified elements of the conflict,” the Times report noted.

Cyberweapons are weapons

U.S. Cyber Command was established in 2010 and is headquartered at Fort Meade in Maryland with the National Security Agency (NSA).

Also known as “USCYBERCOM,” the organization is “a military command that operates globally in real time against determined and capable adversaries,” according to the command’s website.

U.S. Cyber Command was elevated to a unified combatant command in 2018, and its commander is General Paul Nakasone, who also serves as director of the NSA.

Many of the personnel in U.S. Cyber Command are members of the military, and “they do view cyberweapons as weapons,” said David Murphy, a U.S. Air Force veteran who served as a dedicated mission trainer for the U.S. Cyber Command from 2017 to 2018.

Murphy said he wasn’t surprised to see the report that USCYBERCOM is playing a role to aid Ukraine’s cyber defense against Russia.

The command has been “spending a lot of money and a lot of effort training new recruits and training military personnel, specifically to do this type of mission,” he said. “This is really what they’ve intended on Cyber Command doing.”

Still, deploying U.S. Cyber Command in this way appears to be without precedent — at least as far as we know publicly, said Murphy, who is now cybersecurity manager at accounting firm Schneider Downs.

At a House Intelligence Committee hearing on Tuesday, Nakasone reportedly said that U.S. Cyber Command has carefully tracked “three or four” major cyberattacks by Russia against Ukraine so far. The report from Cyberscoop did not indicate if Nakasone discussed other U.S. Cyber Command activities around the Russia-Ukraine situation.

Attribution is tough

Whatever role U.S. Cyber Command has been playing, their actions are “highly likely to be justified, proportionate and fit within the wider armed conflict law,” said Chris Morgan, senior cyber threat intelligence analyst at digital risk protection firm Digital Shadows.

Still, “attribution is often extremely challenging with any attack or move made in cyberspace,” Morgan said in an email. “While the actions taken by the cybermission teams would likely be appropriate, it is realistically possible that their activity could become misattributed with other cyber threat actors, who are also conducting other equally impactful attacks.”

All of which means that there’s a “fine line” that U.S. Cyber Command must walk in attempting to counter Russia’s offensive cyber capabilities, he said.

In another sense, though, the challenge of cyberattack attribution may actually be favorable for the U.S. in this situation, said Jason Hicks, field CISO at cybersecurity advisory services firm Coalfire.

To evade attribution by Russia, U.S. Cyber Command would just need to avoid launching any attacks that only the command, or a U.S. intelligence agency, could have done, Hicks said. “Ideally, our forces are employing tools and techniques that are available to the general public, versus custom tools and exploits,” he said in an email.

However, “if mistakes are made, or an attack that only our government could conduct happens, then that’s a different story,” Hicks said.

Cyber détente?

In the event of a major cyberattack against Russian targets, there’s also no guarantee that Russia won’t just assume that the U.S. military is involved anyway, Hicks said.

But hopefully, Russia is too distracted to worry about what the U.S. might be doing on cyber, said John Bambenek, principal threat hunter at IT and security operations firm Netenrich.

“Russia is fully engaged in Ukraine with cyber operations and frankly is caught in an unexpected quagmire, so their ability to respond is limited,” Bambenek said in an email.

Another possibility: The U.S. and Russia are essentially at a cyber détente at the moment.

“In the unwritten rules of cyber warfare, escalations will result in counter-attacks, which could easily paralyze systems on the attacker’s side of the border,” said Aaron Turner, vice president of SaaS posture at threat detection and response firm Vectra, in an email.

“We have most likely reached a sort of détente,” Turner said, “where both sides understand that catastrophic cyberattacks will most likely result in mutually assured destruction of systems.”

VB Daily - get the latest in your inbox

Thanks for subscribing. Check out more VB newsletters here.

An error occured.