Ukraine Scrambles to Draft Cyber Law, Legalizing Its Volunteer Hacker Army

Ukraine's government is drafting a new law to bring its volunteer hacker brigade, the IT Army, into the armed forces, aiming to put an end to uncertainty about its status in a legal gray area that has drawn pointed warnings from the Red Cross.

The IT Army of Ukraine has claimed responsibility for cyber attacks such as knocking offline the websites of Russian state media during President Vladimir Putin's recent annual State of the Nation speech. But the hacktivist group, which has recruited foreign volunteers who need only a computer or a smartphone to join the fight, has also drawn criticism for attacking civilian targets such as Russian banks, food delivery servces and video-sharing sites.

The IT Army has been held up as an example for other countries. If the law passes, Ukraine would join a handful of other Western nations, led by Finland and Estonia, that have a full-scale reserve cyber force to augment their regular military, although several more countries have reserve military units with cyber capabilities.

"The law on the creation and functioning of cyber forces within the Ministry of Defense of Ukraine should be adopted as soon as possible," Nataliya Tkachuk, Secretary of Ukraine's National Coordination Center for Cybersecurity, told Newsweek in written responses to detailed questions. The center is part of President Volodymyr Zelenskiy's National Security and Defense Council.

Tkachuk added the new law would "become the basis for building the state's cyber defense capabilities, engaging cyber volunteers in these activities, and creating a cyber reserve"—a force of civilian cyber experts, trained by the military, who could be mobilized to the nation's defense during times of increased cyber threat or conflict.

Tkachuk didn't answer follow-up questions, but based on her description of the law, it appears that Ukraine's cyber reserve would effectively replace or absorb the loosely organized volunteers of the IT Army with a much more formal force, the core of which would be former conscripts, identified as technically adept during their post-highschool compulsory military service and given special training with technical skills.

The IT Army itself embraces its proposed dissolution. In a statement emailed in response to Newsweek questions, the group said its interests would be represented in the drafting process by the Ministry of Digital Transformation. "We fully trust the efforts of the working group to legalize a massive fight in the cyber sector and welcome the moment when it will stop being the grey zone. We ... believe that the integration of the IT Army into the cyber reserve will help in building a more effective defense against cyber threats."

The precise contours of the legal framework that Kyiv adopts will reverberate far beyond today's battlefield. The war Ukraine is fighting has become a laboratory for the conflicts of the 21st century. The country's success in fending off Russia's vaunted hackers has made their embrace of both volunteer hacktivists and a close partnership with western tech giants a model other democracies are looking at. Even in the U.S., some are arguing that the U.S. Cyber Command would benefit from the additional surge capacity a cyber reserve force would represent.

Tkachuk declined to give a timeline for completing a draft of the new law, but the process has been complicated by bureaucratic wrangling, said one foreign aid contractor working in Ukraine, who asked for anonymity because the person is not authorized to speak to the press. "There is friction between agencies," the contractor told Newsweek, "It's not a secret."

Ukraine UJ-22 Airborne
A military operator of the UJ-22 Airborne (UkrJet) reconnaissance drone, bought in the frame of the program 'The Army of Drones' sits at the HOTAS ground control center, during a test flight in the Kyiv region on August 2, 2022, prior to being sent to the front line. - 'The Army of Drones' is a project initiated by the General Staff of the Armed Forces and the Ministry of Digital Transformation which is a comprehensive program in which organisation purchases drones, repair them, and train operators. Ukraine's government is drafting a new law to bring its volunteer hacker brigade, the IT Army, SERGEI SUPINSKY/AFP via Getty Images

The contractor said that the new law would build on the public-private partnerships Ukraine had developed with both its domestic tech sector and foreign companies including giant U.S. providers such as Microsoft, Amazon and Google. "We have incredible experience, we have know-how that no one else has because no one else has been through this," the contractor said.

Adopting the Estonian model

One decision that appears to have emerged at this early stage is for Ukraine to adopt the Estonian model for its cyber reserve—creating a cadre whose technical aptitude is identified during compulsory post high school military service, and who then get additional training. The skills they learn will equip them to both defend the country during their service and provide value to employers once they are done.

Estonia is a NATO member state that had a vibrant tech sector long before it found itself on the frontline of Russia's new hybrid wars in Europe. In 2007, the country was hit by a series of massive cyber attacks and information operations as part of a dispute with Russia about the relocation of a Soviet-era WWII war memorial. Ever since, the country has sought to make itself a model for smaller Western democracies leveraging advanced technology and skills to boost both its online defenses and the national economy.

Estonia's volunteer hackers are organized into a Cyber Defense Unit, part of the nation's century-old Estonian Defense League. "This is exactly the model we would like to see in Ukraine," Tkachuk said. "We would like to see conscripts not only defend the country using their IT skills, but also acquire up-to-date and necessary knowledge in the field of cybersecurity and defense during their service."

Once their military service is finished, she added, cyber reservists with their advanced skills "will become a personnel pool for all security and defense sector entities in the field of cybersecurity."

Ukraine state cyber threat operations center
Personnel at the Cyber Threat Operations and Response Center, of the State Service for Special Communications and Information Protection (SSSCIP) of Ukraine, monitor government networks for online attacks in this undated photograph. Russia has launched several waves of cyberattacks against Ukraine since its invasion in February 2022. State Service of Special Communications and Information Protection SSSCIP of Ukraine

In the U.S., a number of leading cyber executives have expressed interest in the possibility of a cyber reserve.

"There are a lot of cybersecurity leaders who want to volunteer and serve. They want to do something for the country without leaving current careers and roles full-time," Marcus Fowler, CEO of cybersecurity vendor Darktrace Federal, told Newsweek.

Fowler, a former senior CIA official who served in the Marine Corps, said the "perfect place to start" is with cyber leaders who, like him, had served in the military, law enforcement or intelligence agencies. "Many of [them] would still have active security clearances," he said. "There are practical issues, obviously, but the spirit and expertise is there."

For Ukraine, adopting the Estonian model of a cyber reserve would also lay to rest questions about the legal status of Ukraine's IT Army, according to a NATO legal analysis.

The Cyber Defense Unit is an integral part of the Estonian Defense League, an NGO that is effectively the country's military reserve. Its members are volunteers who take an oath of service, who are bound to obey orders while on duty, and who, in wartime, are integrated with the regular defense forces, according to the legal analysis from the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn.

As such, the analysis states, they clearly qualify as combatants in a declared war, because they are "a volunteer corps forming part of the armed forces."

A dangerous blurring of the line

By contrast, one of the major concerns about volunteer hacktivist groups such as the IT Army and its Russian counterparts is that they blur the line between combatants and civilians by encouraging civilians to take part in attacks.

The International Committee of the Red Cross is alarmed about the growing tendency in recent armed conflicts to recruit civilian volunteers to take part in military cyber operations, ICRC legal adviser Kubo Mačák told Newsweek.

The difference between combatants and civilians "is a fundamental principle of international humanitarian law (IHL)," civilians may not be targeted, and combatants enjoy legal protections — they cannot generally be prosecuted for killing enemy troops, for instance — as long as they respect the laws of war.

But if civilians take part in offensive cyber operations — hacking attacks, for instance — those activities might change the legal calculus, he said.

Civilians who join the war effort may be "exposed to harm because they might be temporarily deprived of the protections they have as civilians under IHL," Mačák said.

Under international humanitarian law, civilians are protected against attack, as long as they don't directly participate in hostilities. If they join the fight, they can be targeted while they're taking part. The problem is it's very unclear what counts as "direct participation in hostilities" in cyberspace.

"Even though not every form of civilian involvement on the digital battlefield qualifies as direct participation," Mačák said, "the danger is that it may be seen as such by the enemy, thus exposing numerous civilians to a grave risk of harm."

The use of civilian volunteers in war, even only online, also undermines another important legal principle, that of accountability, Mačák said. "Civilians that are in such [volunteer] units do not fall under the military hierarchy, they do not fall under the disciplinary proceedings of the military," he said.

In order to ensure accountability in war time, there must be a clear chain of command so that responsibility for military actions can be established and violations of IHL can be punished, he said.

Unanswered questions linger

Tkachuk, from the National Coordination Center for Cybersecurity, noted that, although there is a broad consensus among legal experts that international law applies in cyberspace and to military cyber operations, there are no legal cases that have set precedents, and barely even a historical record of what nations do in practice.

"There are no (International Court of Justice) decisions on these issues, there is no practice of applying existing norms by states," she said.

"At the same time, each expert has his own point of view," she noted, adding a long list of unanswered questions about what the application of international law to military cyber operations might mean in practice.

With the experience it is gaining on the digital battlefield, "Ukraine must become a leader or at least a mandatory participant in shaping the answers to these questions in the international arena," Tkachuk said.

This article has been corrected. An earlier version erroneously stated that hackers from the IT Army had staged cyber attacks against Russian hospitals. The IT Army has attacked Russian civilian sites, but never targeted hospitals.

Shaun Waterman can be reached at Follow him on Twitter @WatermanReports.