[01:34] The IT Army of Ukraine: Structure, Tasking, and Ecosystem

Rachael: I'm excited about today's guests. We've talked a lot about what he's authored so we finally get to dig into it. So please welcome to the podcast everyone, Stefan Soesanto. He's a Senior Researcher in the Cyber Defense Project with the Risk and Resilience Team at the Center for Security Studies at ETH Zurich. 

Stefan: Well thank you for having me, Rachael and Eric. Excited to be on this.

Rachael: Yes, so much to dig into. And so for all of our listeners, Stefan wrote that amazing IT Army of Ukraine report. I'd say did a lot of research for that report that we talked about a few weeks ago. And we're like blew our minds, but also left so many questions. How did this even come about Stefan? The idea for putting this very serious, dense, chock-full of information report together? I don't even know where you would get started for that.

Stefan: Good question. I think it came out of a little bit of my frustration. Because everybody at the time was talking about Russian activities, and wipers. Then [inaudible 00:02:39] comes into the picture. Everybody's looking out about what are the Russians doing and why don't we see more and why are they not more active and why don't we see Notpetya and so on. But nobody's really looking at what Ukrainians were doing. The narrative was they're getting hammered all over the place. Nobody had the attention span to say oh, they're also doing offensive operations and they're kind of good at it. 

Members of Cyber Army Channel

Stefan: And they've built something out that is really meaningful. Kind of innovative, kind of brings a new perspective to the game. And I think they've created an effective machinery there that's very informative for conflicts in the future.

Rachael: Because they've had, right Eric? Because of proximity to Russia and what's been going on for so many years, they've had this bird's eye view as well into how they operate. But also to start thinking about, okay, how do we really harden our defenses so that we can protect ourselves ahead? Like a test kitchen, if anything.

Eric: Yes. I was talking to a good friend of mine who's in the know, if you will. I was talking about the Baltic states being the best cyber defenders in the world. And his comment was essentially I'd give that one to Ukraine, hands down. They've had the most practice, they're the most skilled at it. I think when you read Stefan's report here on the IT Army, there's a lot of talent available.

Rachael: Yes. It sounds like, what did you say was the number of folks at the height of it Stefan?

Stefan: The height of it, the IT Army channel had around 307,000 members.

Eric: Stefan, hold on. 307,000 members of the Ukraine IT Army?

Stefan: Yes. But to put the figure into context, these are just people from all over the place. From all over the world that joins this one Telegram channel. We don't really know how many people are actively doing DDoS and participating in these campaigns. 

People Became Bored of the Conflict

Stefan: It could be just a hundred people, it could be a 100,000. It could be 500,000 for all we know and not everybody is part of that one channel. So there's a whole network of different channels. We're targeting information that the IT Army publishes in their main channel, and gets disseminated. It's like a megaphone that you just hold up and you say, we're doing these and these sites and everybody who wants to participate, go for it now. Then you have this massive influx of traffic for this one site and you just keep it down every single day. There's no way to stop, we just go and go and go.

So yes, that's essentially what they're doing. But currently, the number stands around 238,000. So there's the drop around 20% of membership over the course of the war. Primarily what we think is happening is that people just become bored of the conflict. If you DDoS for four months all the time, sometimes you're just why am I doing this? Why am I spending time on this? Why is my electric bill this high? I have to go to school or the new semester's starting. So there are different reasons why people stop participating in this. 

There's also from the cyber army side. I think the innovation circle is seeing that dynamic as well because they're more into now looking how can we automize things? Instead of asking people to join the channel, we ask them to essentially give us their servers. Then say okay, we have a free server here in Bulgaria, whatever. You can just take that to launch DDoS attacks. We just need your log in credentials and whatever and we can run those campaigns independently of you actually doing anything.

Funneling the Traffic into the Cyber Army

Stefan: So I think there's a lot of infrastructure that's being built on the Ukrainian side. Just getting service lined up together, funneling the traffic into the cyber army into those operations. So it's almost like a guerrilla campaign.
A grassroots kind of thing where it's not really that organized. But people come together and have a common goal and that's what you see happening here. So at the top of it is essentially the Ministry of Digital Transformation that created this cyber army or kicked it off. Then we have Yegor Aushev who is a cybersecurity entrepreneur in Ukraine. He’s quite famous because he created several cybersecurity companies in Ukraine. One of them is Hacken, another is Cyber Unit Tech and the third one is Cyber School. They're all heavily involved in how the Ukraine government is positioning itself.

For example the Cyber School, they train essentially cybersecurity experts in Ukraine, including the security service of Ukraine, the intelligence agencies. Then you have Cyber Unit Tech which is a cybersecurity company, penetration testing, infrastructure security. They secure infrastructure against internal threats and so on. One of their clients is the National Security and Defense Council of Ukraine. So think about this as being the National Security Council in the US as part of the White House. 

You have very strong links there to the government and they're being used. Particularly in the situation now in warfare where you need to have this expertise. That similarly brings together players that previously had limited connections. But now they're coming together because they're looking for capabilities. For people to actually get things done and make connections that previously didn't exist in that kind of form.

[08:39] The Mind Behind the Cyber Army

Stefan: So Yegor Aushev is the mind that had the initial idea of how about we create this cyber army, it would be really interesting to do. And then Mykhailo Fedorov, the minister of Digital Transformation picked it up and owned it and said like, oh, let's do it. Let's try and see what happens. And so there are many facets that a lot of people call the IT Army of Ukraine. Usually the 'A' is then lowercase, which then includes other parts of this kind of initiative, these grassroots initiatives. 

So Stand for Ukraine is another kind of campaign that people are doing, where we have 1,400 people from people that were previously at agencies, at PR consultancy companies that have no line of hacking background or whatever. But they come together in this room to talk with people that are on the cybersecurity side and say well what kind of operations can we run? How can we help you with this? And then they make things happen.

Then another part is the 1,000 essentially strong Ukrainian cybersecurity volunteer group that Aushev himself created through Cyber Unit Tech. And those are essentially the folks that go into critical infrastructure companies and help them to show up their defenses and they're also working with the government together. So there are 1,000 people that we know of, or at least that was the plan that he had, to do some offensive operations but primarily do defensive.

Eric: And that's in Ukraine?

Stefan: That's in Ukraine, they're on the ground. So you have all these Ukraine experts that are facilitated into this unit and then they'll spread out to these different companies that are vital to Ukraine.

The People in the Cyber Army

Eric: And what percentage of this cyber army would you say is native to Ukraine? I guess positioned in Ukraine. I know it looks like Yegor. It looks like his business, at least the Cyber Unit Tech, is in South Korea and Ukraine. It looks like he splits his time. What percentage of the army would you say is resident within Ukraine versus volunteers from all over the globe?

Stefan: So Cyber Unit Tech, essentially unit, is 1,000 strong person unit. They're pretty much all located in Ukraine so everybody is essentially Ukrainian. They have a secure, I think they communicate over signal primarily, I'm not sure. But they're essentially a well-established group. They have deep linkages, they know each other quite well and so they're able to vouch for each other to say, this is not a Russian insider threat or whatever. Is not somebody who wants to spy for Russia, but they vouch for each other. So they can go into these companies and can do these activities.

When it comes to the IT Army of Ukraine, it's 238,000 people. We don't know how many are Ukrainians, my guess would be that probably like 30% are Ukrainians. We have to discern Ukrainians living in Ukraine or Ukrainians abroad in other countries. But I think the bulk of it essentially comes from abroad, from everywhere. From Brazil, United States, Lithuania, Spain, some even come from Taiwan or Japan, from far away places. But most of them don't speak in the channel or the chat, the attached chat and so we don't know. 

h4>How Big Is the Cyber Army of Ukraine?

Stefan: We don't have any reliable figures. I think what maybe you can discern is when a company gets hit by these DDoS attacks, where is that traffic coming from? But then again, most use VPN [inaudible 00:12:15].

Eric: Right, I would be sending it from somewhere else anyway.

Stefan: Exactly. So we don't really have reliable figures or any kind of figures to discern where are these people actually sitting. But what we do know is that the attached chat of the IT Army channel on Telegram, we have people conversing in English, we have people openly saying I'm based in Switzerland, I'm DDoS-ing on this site now, who wants to join, and whatever. So Switzerland is also involved, which is kind of complicated. Because we're a neutral country and so that's bigger than other when it comes to neighboring countries who are almost population conflict. Because they have IT Army of Ukraine and Switzerland have a traditional neutrality, which makes it very complicated if Swiss citizens start to DDoS Russian infrastructure.

Eric: So we have this cyber army, it's several hundred thousand personnel in size with different levels of engagement. Some people may just have a little fun on a Sunday evening, other people may be spending 24 by 7 attacking predominantly the Russian infrastructure, the country of Russia and Russian citizens I'm assuming. So Rachael, just so you know, 300 and some thousand personnel here, the US Marine Corps is 181,000 people. So this cyber army is bigger than the United States Marine Corps. The German army, I just looked this up you'll be very proud, 184,000 active duty members. 

[13:50] How the Cyber Army Communicates

Eric: So this cyber army is bigger than the physical army of Germany and they've been able to marshal these resources together for, dare we say, the common good? Let's take a position here as a podcast group, right? I will say the common good. Maybe I'm speaking for Rachael, maybe I'm not.

Rachael: Ostensibly the common good. Yes.

Eric: Are you betting on black or red while you're in Vegas right now? I'm betting on black, go Ukraine. Anyway Stefan, we've got this cyber army bigger than the Marine Corps, bigger than the German army that's out there that's attacking Russia from a cyber perspective. How are they communicating? Can you share with our listeners a little bit of the tools like Telegram. You mentioned Signal and Twitter, but what are they using, and how does this global army that was created communicate?

Stefan: So primarily they communicate through their Telegram channel. This essentially serves like a megaphone that trumps out target information to say, "Today we are hitting 56 banks. These are the banks, these are the ports, these are the IPs. Go for it." And then what they additionally do is they put out instructions for DDoS tools. So they have a whole website openly accessible https://itarmy.com.ua/. And it's protected by CloudFlare, so it's all legal I guess. But they publish all these instructions for all kinds of DDoS tools that you can use. Whether it's virtual machines on cloud servers, so AWS, Google,

Microsoft Cloud, they have all these instructions to abuse them, to run DDoS attack on them.

The Growing Channel of Cyber Army

Stefan: They have various DDoS tools where they just say, install this, download these proxy list, we update the target information. You don't have to do anything, just start the tool and just let it run. That's all you need to do. So there is a sense of automation to this, which gets larger and larger and more heavily relied on the more we go on. But there is also the sense that the megaphone on the Telegram channel serves a distinct purpose. Because other Telegram groups, other DDoS groups, they jump on and take that information then disseminate in their channel.

So we have other channels that have 600,000 people, other channels there's 500 people. There are groups like the Cyber Student Army, for example, which are actually students at a university in Kyiv. And they're not shy about this, but you see this mobilization, this network that just takes that information the IT Army publishes and they'll run with it. And it depends on how many members want to join at any particular point in time to run this operation or participate in it. So there's a lot of flexibility in terms of how effective they are, how long they're being conducted on certain targets. Some websites are down weeks on end, sometimes some websites only down for a day to a week. But others can be down for five weeks, several months and it just continues and continues.

Eric: Rachael what do you think? Student army? Huge army?

Rachael: How do you manage all this? That's the question. And to your point, Stefan, when does it end? I think you had characterized cyber war versus cyber chaos, and it's kind of a fine line here.

Who’s in Charge?

Eric: Who's in charge?

Rachael: I feel left out, I need to be on this Telegram channel. Like everybody else is. Where's my invite?

Eric: Quick comment to all of our sponsors of which there are none, Rachael is just joking, she does not mean it. Although she's amazing at PR, she could probably help out if anybody needs it. Okay Stefan, how do you coordinate? How do you target? Who's in charge? 

Stefan: Actually it's pretty easy on how they're doing it. Individuals can simply, you don't have to be a part of the Telegram channel, you can be part, but you can essentially recommend targets. That's how in the beginning it started where the IT Army got recommendations from other users. They were like, how about we DDoS this site? Because this site is very important to the Russian economy.

Eric: So we're sitting around having a little vodka with our friends and we're like, hey we should take Aeroflot offline for a couple of weeks.

Stefan: Exactly, something like that. Or you're like oh, Putin is giving a talk at this conference. How about we DDoS that conference? And so you can actually on the IT Army website, you can just send in recommendations for sites to target and that's essentially how a lot of targets in the beginning were chosen. Because they themselves needed to organize, they need to have on the backside in terms of, well, what are we going to achieve on this end? And I think in the beginning, they went essentially from sector to sector. So they said like, oh, let's target this sector of Russian’s economy, let's go to the next one and then the next one. 
 

How Cyber Hacking Has Changed

Stefan: In the beginning it was a bit incoherent because you had a lot of overlaps there and sometimes you only have five sites that could be DDoS-ed. But nowadays they have become sophisticated to the extent that they're saying, we are going to hit Russian pension funds or Russian banks and they've hacked like 50, 60 targets at one time.

So you immediately feel the repercussions on the Russian side saying that all these sites are going down. And so for any Russian user or citizen, that's kind of really like, okay, what are we going to do now? If you target banks, suddenly people going to the ATM can't get money from the ATM or from this bank. Then you look over to the other bank, you can't get money from there either. And so it is really this kind of an assault on Russian society at large and that's how they see themselves. Saying, it's not about stopping the war, but it's really about stopping the war by attacking Russia's economy and by making individual Russian citizens feel that pain.

Eric: And we're not just talking DDoS.

Stefan: We're not just talking DDoS. They have become very sophisticated in other means. So there is an “in-house” group that I think is dis-attached from the Telegram channel. Because nothing the in-house group does is ever discussed on the Telegram channel. So it happens behind the scenes. And so what the in-house group was doing is, for example, go against Rossgram. Rossgram was a Russian Instagram clone startup that wanted to fill that void. 

When Cyber Army Hacked Rossgram and RUTUBE

Stefan: And what the in-house team was, look at the beta subscriber list and they got their hands on it. So they hacked the company, got the subscriber list. They built a fake application, a Rossgram application, and then distributed it to those beta test subscribers. They installed the app on their phones and then they received push notification messages saying you have been hacked, all your private information will be released in public. And so that's how essentially they wanted to destroy Rossgram as a company.

Eric: Now, did they hack those phones? Or did they just make the initial beta subscribers, “Oh-oh, I better get off Rossgram.”

Stefan: We don't know. They could have done more. They could have done more, we don't know. That's the end of the information as far as that operation.

Eric: Well, they certainly installed an app on that device.

Stefan: Correct. So I mean that's pretty sophisticated, right? That's a very neat operation. If you want to run follow-up information, you are already on that mobile devices. Then another time they breach RUTUBE. So RUTUBE is essentially the YouTube clone in Russia. It's very well established, there's a huge audience there. 

What they did was they did breach RUTUBE and essentially shut it down. They locked the administrators, the physical administrators at RUTUBE, they locked them out of their own building by changing the entry codes on the doors. Then they started to delete infrastructure. So they deleted a host of files, they tore it down.

Who Is Running the Cyber Army?

Stefan: And so RUTUBE itself, I think it took them a week to reestablish the operation. They were lucky that they have backups. So if the IT Army in-house team would've gone there, and I think they've even said that they deleted backups. But if they deleted backups then it would be a much bigger operation in terms of impact. RUTUBE was able to stand up again after one week. 

But you see, this is only initial operations from the in-house team. And what happens in the future I think they become more and more sophisticated. They will look at more experimental operations they can pull off and so in the future, it's anybody's guess what they're going to do. We'll know when they tell us essentially.

Eric: Who is in charge of this army? What does the leadership look like?

Stefan: We don't actually know who is in charge of it. Mykhailo Fedorov, the minister of Digital Transformation created the IT Army. And then we know that there are several administrators, I think the number that I know is eight administrators that are responsible for the Telegram channel. Where they're coming from, what their background is, and how they were chosen, we don't really know. But as you can imagine, you don't choose just random strangers on the internet to lead your 300,000-strong cyber army.

Eric: It's not Rachael and Eric running the cyber army, just for our listeners.

Stefan: They need to have a particular set of skills, a particular background. And the question that bugged me, for example, was that the minister of Digital Transformation is not specialized in DDoS campaigns. 

[24:06] The Military Has Taken Over the Cyber Army

So in that sense, I think the military has taken over, even though the minister of Digital Transformation might not know it. Maybe even the administration does notknow it. But I think they're essentially in charge of this now and are utilizing this in this war.

What's kind of interesting is that even from the IT Army, we're seeing some behavior in terms of, they're DDoS-ing but then they've come out. I think it was in mid-July where they said, okay, we DDoS-ed this target and you all helped DDoS-ing this target. But DDoS-ing was not the primary aim of this, we actually ran a second operation to exfiltrate data from the target and we only needed those DDoS to feint.

So the security folks have the attention on some other things. And so you see that the kind of innovating and using this machine of DDoS for other purposes. So far they haven't released the data they exfiltrated, we're still waiting for it. But maybe after hearing this podcast, they will release that information.

How the Cyber Army Prevents Rogue Agents from Going After Non-Russian Assets

Eric: Yes. I don't know how we're tracking in Russia compared to the competition, but I'm sure we're pretty high.

Rachael: We are. We do, I don't know it off the top of my head.

Eric: Yes. They could hear us. Stefan, be careful what you do say. We are pretty popular in a number of European and African countries. Well, really India too. So how do they prevent rogue agents from going after non-Russian assets? Let's say Switzerland or other governments. Or even accidental friendly fire?

Stefan: I think there haven't been any instances that we know of. But the IT Army in the beginning, they targeted, for example, Belorussian sites, even though Belarus was not a belligerent in that war. They always said, we're not part of this war. Russians are on our territory but we are not shooting any missiles over there. So it's always the questions, is Belarus a belligerent or not? And so in the beginning, a few sites in Belarus were DDoS-ed by the IT Army, but then that suddenly stopped. So far I think there were only one or two other instances where they decided to do so, but generally they don't target Belorussian sites anymore.

But that's I think a conscious choice there because they realize the IT Army is getting political in what they're doing and so there's an acute awareness that what the IT Army does is also reflective of the Ukraine government because you have the minister of Digital Transformation connection there. So that's official. 

Controlling and Leading the Cyber Army

Stefan: So if the IT Army, for example, cooperates with Anonymous, that would give it a whole different kind of outlook. Same if they incorporate with Belorussian Cyber Partisans, would that be seen as Ukrainian government cooperating with the government of Belarus. The opposition government. So you don't want to complicate things. You want to keep it simple, you want to have simple tasking and people that know what they're doing so they don't get involved in other politics across the world.

Eric: But you have 300,000 people loosely organized over Telegram and Signal and the like that have a very disconnected leadership chain. In probably almost all cases they haven't met the people who are running the show. How do you control that? How do you control rogue agents? And how do you control someone who is a member of Anonymous and the IT Army from not taking it too far or going rogue or doing something? That would be the concern that I have.

 We see the Russian army today, some of the atrocities they're causing or they're involved in just based on, what we say from a Western perspective, poor leadership. Lack of discipline. The IT Army seems orders of magnitude less structured, organized. How do you prevent that?

Stefan: Essentially on the IT Army Telegram channel, only the administrators can post. So it's more like a Facebook group where only the admin can post and everybody else can comment on that one or can react with emojis or whatever. So there is a sense of control that no other individual apart from the admins can redirect the army into the different directions. That's simply not possible.

Eric: Okay, so there is control in that way. Got it.

The Sense of Control

Stefan: There is control in that way, right? I would say there are different groups out there who are kind of affiliated with the IT Army, they do support them in their activities. So they latch onto the information that the IT Army posts and DDoS the same targets, but they also run their own independent operations. The IT Army doesn't endorse that, but also they don't avoid doing them, they don't say don't do this or whatever. It's kind of like, okay, you do this, whatever.

You don't do it under our banner so it's fine. Whatever you do, it's your mess. So in that sense I think there is a sense of control and there is a sense of distance to other groups. No individual can redirect the IT Army apart from the admin

Eric: That makes perfect sense to me. So I want to switch gears if I could for a second here. Stefan, when you were a cyber security and defense fellow at the European Council on Foreign Relations you designed and held cyber war game exercises for some pretty big organizations.

Stefan: Well, it was one big exercise for Microsoft at the time. It was kind of special to me.

Eric: Okay. So we are really big, we've had some guests on talking about simulations, talking about war gaming. I think it's a really important exercise to go through as a leadership team. How would you redesign it today, watching this IT Army of Ukraine come up, knowing that there could be a parallel cyber army that would attack, I don't know, friendly nations or organizations, companies, whatever.

[31:31] Acceptable or Unacceptable Conduct

Eric: It's not like anybody copyrighted the idea and nobody else step on that, this could happen and will likely happen going forward. How does that change your thinking? Long-winded question, but how does it change your thinking?

Stefan: It's a good question. I think other states, they are looking very carefully about what the IT Army does and how other countries are reacting to it. Do we say this is unacceptable, that conduct? This is unacceptable for Ukraine to create such a monster, essentially. And for Ukraine to essentially recruit people that are not living in Ukraine, that are not Ukrainians but living in countries that essentially are non-belligerent in this conflict. 

So I think a lot of countries, particularly in Europe, I think NATO is kind of concerned about this but publicly nobody has found a solution. EU officials at one event, they voiced that the IT Army are essentially criminals and we should arrest them. But then again, if you look at some EU member days that are allowing their citizens to actually go to Ukraine and participate in facilities, are carrying arms, and actually going to the front lines. That seems kind of odd that you would at home arrest people that are in their own homes just DDoS-ing. The double standards would be so obvious.

Eric: Well you can't prevent a private citizen in a free country from going to another country and taking up arms. You can potentially prevent a crime from happening from the country that's harming another country or an organization. 

Preventing People to Join the Cyber Army

Eric: So if the FBI found out that I was reaching into Russia and taking whatever you want offline, pick your organization, that's technically a crime and they can prosecute me for that. Me, if I go to Ukraine and I join the Ukrainian cyber army in Ukraine, I don't think the US government could do anything about that. I'll speak to the US, I know it better than others.

Stefan: Liz Truss, British foreign minister. She openly said if more people wanted to go to Ukraine and fight there, they should go. It's really weird.

Eric: But you can't stop them now. If they become captured, they're POWs, you may not put all the chips on the table and try to bail them out. But you can't stop them from going. If I'm creating a crime or actively involved in criminal activity from inside the borders of the country, I think that's a little different.

But I'm certainly no lawyer.

Stefan: It should be a little different. There is a whole discussion about due diligence and how states are responsible for what happens on their territory in terms of if that activity affects another country. And that's what we get a lot with the countries in terms of ransomware. Ransomware campaigns that are coming out of Russia targeting US infrastructure. Infrastructure across Europe and now the shoe is only for the other foot. So if the Russians are saying, well, we know where these DDoS campaigns are coming from, they're coming from Germany. 

A Political Decision

Stefan: Why don't you arrest them? Then the German government is like, well if we do that, are we right anti-Ukraine in that sense? Are we doing Russia's bidding on our territory or are we upholding ourselves to a higher standard and say, we don't want to get involved in this conflict and no citizens of ours is allowed to do this activity? But I think currently it's a political decision, we have to put that line. But nobody's willing to do that.

Rachael: Yes. It's a tough one in this kind of new world as well. Something that is a cyber war with volunteer cyber army, does it ever end at that point either? And nobody wants to get to article five because we don't want to go to the nuclear option. It's so thorny with no clear answer. This is such an interesting, I don't want to say use case is the wrong word, but it's just opened up all these questions, I guess.

Stefan even you were posing in your report that just doesn't have any clear answers or anything neat and tidy to say, okay, here's the end. Woo, we're done. But we may never be done and that's fascinating but daunting at the same time.

Eric: Well Rachael, we've seen volunteer armies in the past. Over all of time there have been volunteer armies, but this is a whole new level. The level of disconnectedness, while at the same time the level of connectedness with social media. You could be on the space station, I'm not suggesting anybody is, but you could be on this space station and participate. You could be in Antarctica and participate. Yet you're not there.

Telemanual Effort

Stefan: Exactly. The kind of strategy to mirror what happens, international law applicable to real space and how we transfer it into cyberspace, it's still a huge discussion where we haven't really figured out how does it actually work? Are certain things actually transferable? And the Telemanual effort. There's Telemanual 1.0, 2.0 and they're currently working on 3.0. It's an effort by academics to come together and make this mirroring effort and say okay, if this is applicable in real space then international law should be applicable this way in cyberspace. 

This effort is still ongoing and certain countries are endorsing the Telemanual effort and certain countries are coming out with their own positions in terms of how should neutrality apply in cyberspace. Things like how does [inaudible 00:37:37] apply in cyberspace?
All huge questions that currently different states have different answers to that and coming to a common ground is what we want to achieve in the future.

There are so many other states who haven't really discussed this at all. I think most of the African countries haven't even formed an opinion on it. It's primarily driven by Europeans, by the Americans.

Eric: But I think we have had double standards, so maybe we can have double standards. We don't want them necessarily, but I feel like we've had double standards. Right before the conflict in Ukraine kicked off, hell let's call it a war, Russia had been, I guess they stepped up a little bit on the ransomware side publicly. What they did, didn't do, who knows. 

Double Standards

Eric: But I think it's pretty clear we've had a lot of ransomware activity out of Eastern Europe, that region that has not been prosecuted or stopped by the nation states. So I think we can have some double standards, we just don't like double standard.

Stefan: Yes, that's what you would file under customary law.

Eric: It's like hypocrites. They exist, but you don't like it necessarily.

Rachael: When it suits you though, it's great.

Eric: Well, I think that's exactly what we're seeing here, Rachael. They've set up massive internet to Africa and they're making a ton of money by all the adversaries who operate out of there. They kind of have set up an opinion, there's great bandwidth to a lot of African countries because they don't have the rule of law that a lot of countries have. That allows criminal behavior to proliferate. 

That's not necessarily bad for an African country when money is being brought into, as long as it stays there. So by inaction they are stating an opinion, in my opinion. It's like piracy. If you do nothing about piracy and you allow the pirates to go and plunder ships and then come into your ports and spend the money on wine and drink and gifts and whatever, you're kind of condoning piracy, right?

So I think we are seeing some norms that are being established in the world. It's a very fast, loose, unregulated type of world we live in with cyber security. I mean, we've got an army here of 300,000 people from all over the globe governed by, or not, hundreds of different legal entities and rule sets and everything else. 
 

A Very Good Reason to Get Away from Criminal Violation

Eric: And quite frankly, and I don't want to come down against the IT Army of Ukraine here, but quite frankly they're violating a lot of laws because they can get away with it and they want to. Some might say for a very good reason.

Stefan: That's true. I think what complicates this situation in terms of the enormous building effort in the past is that we're now having a war between two countries, a real war, an international war.

So then you have to consider the laws of armed conflict, the civilized conduct of warfare. That we don't torture people, we don't kill hostages, we don't send children, we don't recruit them into the army. We don't willfully destroy villages that are in the path because we were up to it. So there are rules in terms of targeting processes that militaries go through. 

There are all kinds of processes that we developed over the decades past and over centuries to say, this is what civilized nations do when we go to war. This is not some unregulated space. Because if you violate them, you're committing war crimes and you might end up in the Hague. The question then becomes, can you commit war crimes in cyber space? And the answer to that is, yes kind of but you will probably not be sentenced in the Hague. That kind of threshold is simply not there.

So nobody will say after this war ends to say, well the IT Army violated the rules of warfare and so we sent Mykhailo Fedorov, the minister of Digital Transformation, to the Hague. 

Red Lines

Stefan: Nobody is going to be up for that. He will be throwing the hands in the air and say I've never done any DDoS, I'm not responsible for this and whatever. So you really come into an area where there are fundamental questions as to whether certain conduct actually violates any rules and whether there's certain responsibilities that people in the end take. Because currently it's just the individual sitting in front of his computer that will have those responsibilities and if that's true, then governments can do whatever and they can entice citizens to do stuff that they normally wouldn't.

For example, Ukraine government does have an application out there where citizens on their phone, they have an app, they can make a picture of a Russian soldier, geolocation tag and say well, the Russians are here. I'm sending you this information. But at that moment, that person takes that picture.

Does that person, the civilian, become a belligerent or become a combatant in that situation? So the Russian soldier would be allowed to shoot that belligerent because it's not any more civilian, he's now combatant who gives information to the Ukrainian government. 

So there's a split-second kind of interaction. If you are on the other side, if you're a Russian soldier and see somebody taking out their phone, you're probably allowed to shoot them. And if that is encouraged by the Ukraine state, then they're putting their civilians in a harmful situation.

But for the Ukrainian state, the fact is we need as much information as possible to waste this warfare no matter where it comes from. And so there are a lot of red lines that we are currently treading over because we are putting civilians in harm's way and it's not just DDoS. 
 

Certain State Responsibilities That Come into Play

Stefan: Its people are physically taking pictures that's really risky for those people and they have no idea what they're doing. And so I think there's certain state responsibility that comes into play, but apparently we don't hold them accountable. Nobody's there to call them out. We're having this discussion in an academic sense, but on the political landscape it's not happening.

Eric: I would argue, go well before the times of cyber security. You could go back to spies, the population drawing pictures, stealing documents, advising one side, or the other in pretty much any conflict or even non-conflict times going back to the beginning of time. So these are norms we're going to have to figure out and I suggest that we take our time doing it, but they'll evolve over time also. And I don't know what the answer is. We are at the end of our time together, unfortunately and Rachael has to go hit the roulette table. Or get out of Las Vegas.

Anyway Stefan, it has been an academically stimulating learning experience here. I am betting that the bulk of people out there never knew about the IT Army of Ukraine. Rachael and I were talking about it when we talked about the idea for the show weeks ago, maybe months ago and our minds were blown by the report. So thank you for the research, pulling it together. It's a well-written, documented report. So thank you for that.

Stefan: Thank you for reading it and thanks for inviting me. It was a super pleasure.

Thumbs Up or Thumbs Down on the IT Army of Ukraine

Eric: Stefan, watch this. Rachael thumbs up or thumbs down on the IT Army of Ukraine. Woo. Two thumbs up from Rachael, there you go.

Rachael: Well thank you so much Stefan, again. This has been wonderful. I was a huge fan of the paper and Eric knows. I've been talking about you incessantly for the last few months since I saw that paper. So I'm so excited that we had you on today and would love to continue the conversation because there's so much more to dig in here. 

I mean, we're not even scratching the surface here and I think the future implications are going to be crazy. Which is kind of cool and scary at the same time, which I love. So to all of our listeners, thank you for listening again this week. We love having you here. As always, feel free to smash that subscription button because you get Stefan right to your email inbox on a Tuesday. You get to hear amazing conversations like this and so much more.

We're just so lucky to have guests like Stefan join us. Because these are really important conversations that I think we're going to be talking about for a long time and not having clear answers for.

Eric: And all of the opinions of the host and co-hosts of the show, Rachael and Eric, are not the opinions of Forcepoint LLC, Forcepoint incorporated, or any other legal entity of any sort whatsoever. I'm running out of steam here, Rachael, but you can listen to Rachael's opinion anytime.

About Our Guest

Stefan Soesanto is a Senior Researcher in the Cyberdefense Project with the Risk and Resilience Team at the Center for Security Studies (CSS) at ETH Zurich. Prior to joining CSS, he was the Cybersecurity & Defense Fellow at the European Council on Foreign Relations (ECFR) and a non-resident James A. Kelly Fellow at Pacific Forum CSIS.

At ECFR, he designed and held cyber wargame exercises in cooperation with Microsoft, and organized a closed Cybersecurity and Defense conference in Odense together with the Center for War Studies at the University of Southern Denmark and the Office of the Danish Tech Ambassador.

Stefan also served as a Research Assistant at RAND's Brussels office, co-authoring reports for the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE), the European Network Information Security Agency (ENISA), and Dutch Ministry of Security and Justice.

Stefan holds an MA from Yonsei University (South Korea) with a focus on security policies, and international law, and a BA from the Ruhr-University Bochum (Germany) in political science and Japanese.