Cyberwarfare falls into a legal gray zone.
Russia may be holding off on a land invasion, but a growing list of cyberattacks against Ukraine has prompted concern that the online incursions might eventually cross into cyberwarfare.
Earlier this week, the website of Ukraine's Ministry of Defense suffered from what appeared to be a distributed denial of service attack, where a bombardment of data requests overwhelms a site. The websites of two banks were also taken offline.
The attacks weren't immediately attributed to Russia, but they follow a string of digital incursions in recent weeks that've been blamed on Ukraine's neighbor. Those attacks defaced government websites and planted destructive malware on Ukrainian computer networks.
Past attacks attributed to Russia but denied by that country have been even more destructive, shutting down power grids and other critical infrastructure.
The cyberattacks come against a backdrop of growing international tension over a Russian troop buildup on Ukraine's borders, which the US and its NATO allies say could presage a military invasion. Russia has said it's pulled back some of its troops, a claim NATO says isn't true. On Thursday, President Joe Biden warned that Russia could still invade Ukraine within days.
The recent cyberattacks fall into a legal gray area as to what constitutes warfare. Though they're unlikely to cause the bloodshed a ground invasion would, cyberattacks can take out critical infrastructure like electrical grids, banks and communications. Such attacks can cause widespread destruction and are potentially deadly if they close hospitals and nursing homes.
Cyberattacks might not remain within Ukraine's borders, experts warn, but could spread across the world. They've been on the rise for years and often go unpunished.
"If Russia attacks the United States or its allies through asymmetric means, like disruptive cyberattacks against our companies or critical infrastructure, we are prepared to respond," Biden said on Tuesday. The US and its NATO allies are boosting their collective defenses in cyberspace, he added.
Quentin Hodgson, a senior international and defense researcher focused on cybersecurity for the Rand Corporation, said that unlike conventional warfare, which is governed by international law, hard-and-fast rules about what constitutes an act of cyberwar don't exist.
There are any number of acts one country could take against another to cause chaos, Hodgson said. Creating a strict list might prevent some kinds of attacks, but it would never be exhaustive enough to cover everything.
"There is a certain value in not being sure where that line is," Hodgson said.
Instead, he said, it's better to look at the impact of a given attack. Even then, the legal gray zone can make deciding whether to respond tough.
Adam Meyers, senior vice president of intelligence at CrowdStrike, said applying the guidelines of conventional warfare to the digital world could be helpful when analyzing a particular attack.
Attacks that have widespread impact or are destructive on a large scale might be considered acts of war, he said. Defacing government websites wouldn't qualify, for example. But unleashing destructive malware, like the NotPetya attack in 2017, might fall into that category.
NotPetya, which has been blamed on Russia, disguised destructive malware as more-common ransomware. When engaged, NotPetya caused a shutdown of parts of Ukraine's electrical grid before it spread across the world online. The malware crippled the operations of companies like FedEx, Merck, Cadbury and AP Moller-Maersk, and caused billions of dollars in damages.
Labeling a cyberattack an act of war comes with its own dangers, Meyers said. Once an attack is called warfare, it requires a response, like with any act of war, he said. Such a response doesn't necessarily have to be another cyberattack, he added. It could be a drone strike or economic sanctions.
Cyberattacks shouldn't be considered separate from warfare, he said. They're now a component of statecraft.
Attributing an attack can be tough. Unlike a ground invasion, where troops and weapons physically cross a border, cyberattacks can be denied by governments or blamed on cybercriminals or hacktivists.
That's long been Russia's trademark, says Christian Sorensen, former leader of the international cyberwarfare team at US Cyber Command and current CEO of cybersecurity firm SightGain.
"They take advantage of the ambiguity. They create ambiguity," Sorensen said. "That gives people pause or makes them indecisive so they can't respond until it's a fait accompli."
Even if denied, the least destructive cyberattacks still send a message that Russia could, and just might, do more if its enemies don't choose their moves carefully, he said.
They also mask quieter and more dangerous attacks that might be in the works, Sorensen said, noting that Russia is very adept at infiltrating computer systems, staying undetected and waiting till the time is right to put that access to use.
That might be something some US companies need to worry about. On Wednesday, US officials warned that Russian state-sponsored cyber actors have regularly targeted US-cleared defense contractors since at least January 2020.
Over the weekend, the director of the US Cybersecurity and Infrastructure Security Agency, Jen Easterly, tweeted a warning to US organizations to be on guard. Though there aren't any specific credible threats to the US at this point, she said, Russia has a track record of disabling and destroying critical infrastructure through cyberattacks.
Whether Russia ultimately decides to invade, Sorensen said, he thinks its strategy very well could include targeting American critical infrastructure and other softer targets that could grab global headlines.
"Attacking [those targets] would shout to the world that America is at risk," he said.