First, a little geography lesson.  Ukraine sits north of the Black Sea, bordering Poland, Hungary, and Romania on its west and surrounded by Russia to the north and east. 

Like Poland, the Ukraine has been subjugated for much of its history by foreign powers — the old USSR for most of the twentieth century, and even by Lithuania back in the 1400’s. 

But when the USSR collapsed, the Ukraine gained independence again.  It is the poorest country of Europe, but has rich farmlands, which is one reason why foreigners want to take it over.

Russian rumblings

If you’ve been paying any attention to world news, you know that Vladimir Putin has been sabre-rattling about a possible invasion of Ukraine recently, massing 100,000 troops on the border between the two countries and ramping up his warlike rhetoric. 

Russia has been chipping away at the country since at least 2014, when the pro-Russian President of Ukraine, Viktor Yanukovych, lost an election, and Putin invaded the Crimea, the peninsula that sticks out into the Black Sea and separates it from the Sea of Azov to its northeast. 

Having succeeded in that, Putin has since been backing forces that have taken over portions of eastern Ukraine, and it appears that he would like nothing better than to welcome the entire country back to the domination of Russia.  So far, the government of Ukraine has had different ideas.

Stealth war

As part of Putin’s campaign, a war that isn’t quite a war, most authorities agree that Russian-based hackers mounted a cyberattack called NotPetya back in 2017.  It was aimed primarily at Ukrainian institutions, but it also affected thousands of other systems as well.  The White House later estimated that NotPetya caused about $10 billion worth of damage worldwide. 

Now we come down to this week.  On January 15, dozens of Ukrainian government computer systems were infected with malware disguised as ransomware.  An infected computer displayed a demand for a certain ransom to be paid in Bitcoin, but what really happened is that the malware “renders the computer system inoperable,” ransom or no ransom. 

Microsoft issued a statement saying that they observed these attacks aimed primarily at Ukrainian government agencies and closely-allied organisations, and that they had issued updates that will address the problems.  But in the meantime, the Ukraine is suffering yet another cyberattack which appears to be instigated by Russia, although no firm evidence of the source has yet been forthcoming.

Life-threatening

To my knowledge, nobody has actually died as a result of the most recent cyberattack on the Ukraine.  But to the extent that the public relies on computer-mediated government services, the consequences of a massive shutdown of government computers can range from the inconvenient to the life-threatening, in government-run hospitals, for example. 

In the logic of war, an enemy’s assets are always a target, and now that computer networks and systems form so much of the infrastructure of modern life, they have become a uniquely vulnerable target.

New form of war

Cyberattacks borrow from the fields of espionage, sabotage, and terrorism to create an insidious threat that knows no boundaries.  And defending against such attacks is a responsibility that is widely distributed among both public and private actors. 

All these features make cyberwarfare a different kind of thing from conventional warfare, and it is taking time for both military and civilian thinking to catch up to it. 

Military myopia

When this topic has come up in the past, I have taken the position that the U.S military, in any event, seems to have an overly narrow focus on what cyberwarfare might amount to in the future. 

While I am no technical expert in this area, I can see that even cyberattacks on U. S. organisations that have been definitely attributed to government-sponsored hackers in China or Russia do not seem to cause much concern on the part of our government, except to provoke warnings to private interests to do their cybersecurity better. 

That may make sense if you’re a Boeing or a Kaiser Permanente, with entire staffs of IT security specialists.  But especially in the US, we have a great many small businesses whose functioning is nonetheless critical to our economy.  Many of them can’t afford a full-time IT person, so IT maintenance is handled on an as-needed basis:  if something breaks, the owner hires somebody to fix it, but otherwise deals with things on his or her own. 

Devastation

A supply-chain cyberattack similar to what was used against Ukraine could target a popular piece of software such as, for example, Quicken — something that almost all small businesses use.

With a few keystrokes, such an attack could cause devastation far beyond what we are presently seeing with the Omicron COVID-19 variant, which has done nothing worse than kill thousands of people and cause massive absenteeism, both involuntary due to sickness and voluntary due to vaccine mandates. 

The fact that nothing like that has happened in the US, with a few exceptions, may mean that the way we are doing things is just fine and we don’t need to worry about a massive cyberattack that would bring the US economy to its knees. 

On the other hand, it may mean that whoever is capable of mounting such an attack is simply biding their time, awaiting the proper geopolitical moment when such an attack could be coordinated with more conventional warlike actions for maximum effect.  I hope it’s the former, but I suspect it might be the latter.

Defence

What am I asking for?  Certainly not for every software app to be government-certified as secure.  At the university where I work, we have experienced a small-scale version of that type of thing, and all it has done so far is to create a lot of confusion and delays in purchasing needed software. 

If there are government and military forces out there safeguarding not only their own systems, but those belonging to the public at large, I would at least like to know about it, in a general way.  And because my federal taxes are paying for it, I’d like to know what I’m getting for my money.

In the meantime, we can hope that the Ukrainian government has figured out how to defend itself and its citizens from what has to be the worst spate of cyberwarfare endured by any nation so far.  And maybe we can learn some lessons from them:  either good examples if they succeed, or bad examples if they lose and get absorbed into Russia.

Republished with permission from the Engineering Ethics blog.

Karl D. Stephan received the B. S. in Engineering from the California Institute of Technology in 1976. Following a year of graduate study at Cornell, he received the Master of Engineering degree in 1977...