Ukraine's Volunteer Cyber Army Could Be Blueprint for the World: Experts

It was a hackathon like any other: 300 or so young tech enthusiasts, convened for three days to work in informal groups, seated on bean bags or around tables, to solve a set of tough problems through software and collaboration. Coding teams competed to a soundtrack of live music, fueled by coffee, sandwiches and pizza.

But this one was different. First, it was in a shuttered subway station, deep underground. Second, it was an act of war, and could lawfully be targeted by the enemy.

The Ukraine National Defense Hackathon took place Nov. 24-26 in the Maidan Nezalezhnosti subway station, right in the center of Kyiv. Closed since the start of the war and almost 250 feet underground, the station was "the safest place in the city ... and had the most reliable power," explained Misha Verych, a senior operations manager for CRDF Global, a Department of State contractor working in Ukraine, and one of the event organizers.

The station was also warm, with wifi, and dozens of attendees chose to stay overnight, working and sleeping, rather than go home, creating a kind of slumber party vibe. "We had to order more pizza," he told Newsweek.

The hackathon involved personnel from NATO as well as Ukrainian defense and security officials and worked on problems such as the production and deployment of military drones, and the legal framework for Kyiv's unprecedented multinational volunteer cyberwar militia, the IT Army. The hackathon was one of the more public signs of Ukraine's extraordinarily successful effort to recruit both technology companies and citizens — its own and those of its allies — as cyber soldiers in its online war with Russia.

The Ukraine National Defense Hackathon Nov 24-26, 2022, took place in the Maidan Nezalezhnosti subway station, in the center of Kyiv. Closed since the start of the war and almost 250 feet underground, organizers said the station was the safest place in the city and had the most reliable power. CRDF Global

Now, as the first anniversary of Russia's invasion approaches, the architects of Ukraine's cyber approach are declaring it a model that more democracies should emulate. In the U.S., some argue that even the mighty Cyber Command and other top tier NATO powers could probably use a surge capacity like that provided by Ukraine's volunteer cyber militia.

But there are also serious questions about this new way of war that Ukraine is waging. Critics argue that it blurs important legal lines between combatants and civilians, including foreigners; ignores norms of international behavior in cyberspace by attacking civilian targets; potentially disrupts other intelligence operations; risks dragging other countries into the war by striking Russian allies such as Belarus, and may give the Russians an excuse to escalate the conflict by striking at pro-Ukrainian hackers based in neighboring third countries. Above all, they say, Ukraine's approach may work well for defense, but could prove dangerously counterproductive on offense.

The effort long predates last February's invasion, according to Ukrainian Deputy Prime Minister and Minister for Digital Transformation Mykhailo Fedorov.

In emailed answers to written questions, he told Newsweek the cyber war started after Russia's 2014 invasion of Eastern Ukraine. "During these nine years Ukraine pushed to develop an effective strategy and cyber defense system ... especially strengthening the interaction between [our] governmental institutions and [the] international cyber security community."

A new form of warfare

Hacktivist collectives have long been employed as proxies, even in times of war. Notably, Russian patriotic hacktivists attacked Georgia in 2008 just as Russian tanks rolled in. But Ukraine is the first country, certainly the first European democracy, to openly embrace a hacktivist militia during a shooting war, and that raises complex and difficult legal questions, retired Marine Corps Lt. Col. Kurt Sanger told Newsweek.

Sanger would know: Until his retirement last fall, he spent eight years at U.S. Cyber Command, his last two as deputy staff judge advocate — the number two top lawyer.

Because the IT Army declares itself to be independent of the Ukrainian military, and its volunteers don't wear a uniform, they don't count as members of the armed forces. But, Sanger said, if they contribute, even in a small way, to the Ukrainian military effort, they arguably become a legitimate target for Russian military. And not just in cyberspace, but potentially in meatspace, too.

"If you cross a certain line, as a civilian, if you participate in hostilities, you yourself can become lawfully targetable by the lethal operations of a belligerent party in a conflict," said Sanger.

That line is relatively well established in the physical world, but much less so in cyberspace because of its newness, he added. "If a civilian is driving munitions to the front lines, certainly the munitions are targetable. I think most would agree that the individual driving is targetable, as well. But those precedents just aren't there in cyberspace," he said.

Clearly, Sanger added, the Russians weren't going to target IT Army supporters in the U.S. But IT Army volunteers in Poland for example, might be targeted if Russian President Vladimir Putin wanted to broaden the conflict. "Because of the ambiguity and novelty of cyberspace, it will be at least a plausible argument if not a winning one," he said.

"There is a risk of escalation there."

Nonetheless, Sanger, who is married to a Ukrainian and said he has "skin in the game," understands why Kyiv, locked in an existential struggle, has embraced a hacktivist army. "Ukraine needs every ounce of power that they can gather," he said.

Pro-Ukrainian hacktivists have gone after targets such as Russia's space program and its banking system. CRDF Global

A legal and diplomatic gray zone

Loosely corralled behind national goals, but publicly declaring that they pick their own targets, pro-Ukrainian hacktivists like the IT Army operate in a legal and diplomatic gray area.

Indeed, that's why using them has been a hallmark of Russian cyber warfare — they offer plausible deniability to the sponsoring state.

From early in the conflict, Ukraine's international supporters helped fend off Russia's massive cyber attacks, including from its own hacktivist collectives like the recently launched KillNet.

But pro-Ukrainian hacktivists have also gone on the offensive with targets that include both the Russian space program and the country's banking system — targets that might be considered illegal under international law if attacked by belligerent militaries.

"If there's not a military purpose for an operation, if there's nothing to be gained [militarily] by the conduct of an operation, you can't conduct it under the law of armed conflict," said Sanger, who now runs his own consultancy business, Integrated Cybersecurity Partners, LLC.

In emailed responses to questions, a spokesperson for the IT Army said it was "focused on causing economic damage to Russia in order to weaken its ability to wage war against Ukraine ... We do not target ordinary citizens, and we take great care to adhere to the laws of armed conflict."

But Sanger has other doubts about the Ukrainian approach, too.

When Fedorov announced the formation of the IT Army last February, Sanger said, he fretted that it might lead to volunteers accidentally trampling on existing intelligence penetrations of Russian networks.

"They have recruited this IT Army that's scattered all over the world and probably not acting under orders so much as finding opportunities and exploiting them." Cyber operations, including espionage campaigns, take months to prepare and put together, and can be easily disrupted, for instance, by a crude hacktivist attack that might put the enemy's cyber defenders on high alert, he said.

Those concerns are shared by former NSA hacker Dave Aitel, now a partner at cybersecurity firm Cordyceps Partners, who told Newsweek that hacktivists "make the battlefield very noisy."

And it is not only hacktivists who clutter up cyberspace during time of conflict. Just as looters and marauders take advantage of the chaos of war in real life, so cybercriminals have sought to monetize the online chaos that accompanies digital conflict, Ukrainian-American cybersecurity provider Alex Holden told Newsweek.

"Using the fog of war for profit, cyber criminals commit financially motivated crimes and just sign themselves as the IT Army or KillNet, depending on who they are victimizing," said Holden, founder of Hold Security.

Technology to produce and control drones was one of the issues worked on by attendees at the Ukraine National Defense Hackathon. Courtesy of Ukraine's Army Inform

An internet-based civil disobedience

The preferred weapon of the IT Army, and other hacktivist collectives, including KillNet, is the DDoS, or distributed denial of service, attack. DDoS is the most basic form of cyber attack, an attempt to overwhelm a server hosting a website with bogus connection requests, such as from hundreds of thousands of hacktivist volunteers who have downloaded a simple software tool. DDoS attacks can effectively shut down public facing websites, and have been called a form of internet-based civil disobedience. But the disruption they cause, though it can be long lasting, is generally temporary.

The IT Army has DDoS'ed thousands of targets, and says it has successfully taken down websites varying from the Russian court system to online payment providers, and even the government system that certifies and tracks alcoholic beverages, in an effort to disrupt vodka supplies.

The IT Army spokesperson said the group didn't seek "to degrade the quality of life for ordinary Russians," but attacked targets "that have a direct or indirect role in supporting the Russian war effort."

Fedorov, declining to comment directly on target selection, told Newsweek: "The Ukrainian Government appreciates the input of volunteers of the IT Army in terms of strengthening cyber frontline, which in 21st century is as important as [the] battlefield."

Nonetheless, veterans of cyber conflict have questioned the value and relevance of the army's mass activities.

In general, Aitel said, hacktivist operations tend to be "at best duplicative or ineffectual and at worst counterproductive ... making it so you might get caught where otherwise you would not have," he said. Exquisite operations, months of preparation, with the potential to strategically influence the outcome of the war could easily be exposed or disrupted by blundering volunteers. "Your actual national effort might be impeded by your [hacktivist] proxies," said Aitel.

Oleksiy Danilov, secretary of the National Security and Defense Council, addresses the Ukraine National Defense Hackathon. CRDF Global

Yegor Aushev, a Ukrainian cyber entrepreneur, told Newsweek: "From a strategic point of view - what can you do to win the war - DDoS attacks are useless." He added that the IT Army nonetheless had some important psychological benefits by helping to make people feel included in the fight.

Indeed, the IT Army offers anyone with an internet connection the chance to "join" Ukraine's war. At its height, more than 300,000 people signed up for the army's public channel on Telegram, an encrypted messaging app. Subscription has fallen since then, and is now just under 200,000.

Welcome to the brave new world of cyber warfare, where anyone, anywhere in the world, can join the hostilities from their sofa, with a mouse click.

In the early days, IT Army organizers (who remained anonymous, although available to news media) provided DDoS tools and published targets on the Telegram channel, including civilian infrastructure such as payment systems.

Notwithstanding their limited strategic impact, DDoS attacks often have an outsize public profile because it is easily seen and quantified when web sites go down. "Probably the biggest contribution of [the] IT Army," said Fedorov, "is that they totally broke the myth" about Russia's strength in cyberspace.

But that impact potentially adds to the reputational risk for Ukraine holding the moral high ground, Russian-born U.S. cyber entrepreneur and policy expert Dmitri Alperovitch told Newsweek.

"Ukraine can't win without Western support," he said. "And if you have a bunch of vigilantes attacking random civilian targets in Russia, that can erode that support."

The IT Army spokesperson said that the group "adhere[s] to international humanitarian law, including the principles of distinction [not directly targeting solely civilian targets] and proportionality [avoiding civilian casualties except where necessary]. These principles are fundamental to protecting civilians in conflict and are taken into account when selecting targets."

Both Kyiv and the IT Army deny the Ukraine government exercises control over the hacktivists.

"We are not communicating directly with IT soldiers from the IT Army of Ukraine," Fedorov told Newsweek. The IT Army "operates independently, and its leadership is not composed of senior officers or officials of the Ministry of Defense or the Security Service of Ukraine," as has been reported, added its spokesperson. Nonetheless, the spokesperson added, the group was happy to receive "inquiries" about its missions "from the military and intelligence bodies of Ukraine."

Pulling strings from behind the scenes

Despite these denials, the exact relationship between the IT Army and Ukraine's military and security agencies remains murky, according to Stefan Soesanto, a senior cyber defense researcher at the Center for Security Studies, part of the prestigious ETH University in Zurich, Switzerland.

But Soesanto, who has made a study of the IT Army, told Newsweek that the idea it's really independent doesn't pass the laugh test.

"You can't just create an IT Army and don't have the military or intelligence agencies involved," Soesanto said. He concluded that "strings were being pulled from behind the scenes. They had to be. You don't give some random person online the management responsibility over 300,000 people in your Telegram channel, that's simply not how any of this works."

Tech giants such as Microsoft and Amazon have rallied to the Ukrainian cause. CRDF Global

In October last year, Soesanto noted, the IT Army stopped publishing its targets on Telegram, meaning that members can only participate in DDoS attacks through the automated tools provided by the army's administrators.

And the admins urge members to install the tools in a free-trial cloud account with one of the major U.S. providers such as Microsoft Azure or Amazon Web Services. They provide instructions and note that running the attack from a cloud instance will avoid overloading the volunteer's own internet connection and enable the IT Army to weaponize the power of cloud resources.

The providers "don't seem to be taking any action to stop this," Soesanto said. "They are at least turning a blind eye."

A spokesperson for Amazon Web Services responded to requests for comment by referring Newsweek to its Acceptable Use Policy, which bans "any illegal or fraudulent activity" and any use of AWS "to violate the security, integrity, or availability of any user, network, computer or communications system, software application, or network or computing device."

A Microsoft spokesperson did not provide any comment.

An unprecedented outpouring of support

But tech giants such as Microsoft and AWS, and an alliance of a dozen major cybersecurity firms, have rallied to Ukraine's defense, providing a refuge in U.S.-based clouds for Ukrainian government IT systems, and deploying their cybersecurity expertise.

"The support Ukraine gets from international big tech companies is huge and we are very grateful for every piece of it," Fedorov told Newsweek.

Large companies have traditionally tried to steer clear of involvement in major geopolitical disputes, but not this time.

"We're not neutral in this conflict," Christopher Ahlberg, CEO of cyber threat intelligence provider Recorded Future said last year, pledging his company "will apply our full resources to battle Russia and help Ukraine."

Recorded Future is part of the Cyber Defense Assistance Collaborative, which calls itself an "extensive network of cyber defense leaders across a range of U.S. companies and organizations" that is working to buttress the country's cyber defenses.

Helping a country shore up its defenses, especially where the UN has declared it the victim of an illegal invasion, is unproblematic under international law, Glenn Gerstell, the former general counsel of the National Security Agency, told Newsweek. "We've got a rich history of doing that and [in cyber] it is closer along the continuum toward humanitarian aid rather than combat activities."

But if those same U.S.-based tech giants have also supported, at least passively, Ukraine's offensive efforts against Russia, by allowing the IT Army to weaponize their cloud resources, that might change the legal calculus.

Liam Maxwell, director of government transformation at Amazon Web Services (AWS), meets with Ukrainian Minister for Digital Transformation and Deputy Prime Minister Mykhailo Fedorov (center) at The Venetian in Las Vegas last November. Getty Images for Amazon Web Services/Noah Berger

"If you look at this from the Russian perspective, you're seeing Amazon host all this Ukrainian government data from all the ministries, plus [the IT Army] are using Amazon services to hit us, to hit our infrastructure. They have to be wondering whether those Amazon cloud server farms might be a legitimate target," Soesanto said.

A model for future conflicts?

For all the questions over the IT Army, Ukrainian creativity and ingenuity could nonetheless have created a model for a new kind of warfare, said Soesanto, noting the E-Enemy app that lets people report sightings of Russian troops in a highly effective intelligence gathering program.

"So many militaries will learn from this and it will shape the future of conflict," he said.

Indeed, Fedorov called Ukraine's experience "a great example for other countries and even businesses how to stand and keep running under constant pressure and cyber attacks." And the IT Army spokesperson said, "the approach taken by Ukraine in soliciting aid from the tech community and recruiting a volunteer hacker army can serve as a model for other democracies in prosecuting conflicts in the 21st century."

Aushev, the Ukrainian cyber entrepreneur, adds that for many countries, which simply can't afford a purpose built Cyber Command like the U.S., the Ukrainian model is a viable way to develop a cyberwar capacity that can be swiftly deployed.

"What I would suggest to every country, it's very important to create some kind of cyber reservist force," Aushev said, adding that other countries should prepare better than Ukraine. A professional military cyber capability takes three years to develop, and Ukraine had to deploy one in two days, he said.

NATO was one of the biggest partners in staging Ukraine's National Defense Hackathon. Courtesy of Ukraine's Army Inform

Even in the U.S., the idea of a cyber reserve force has a bevy of supporters, who see it as a way to address the capacity constraints on the U.S. military that are created by the labor market in peacetime and become even more important in time of war, said Steve Grobman, CTO of cybersecurity firm McAfee.

"If you get into a situation where there are civilians who want to help the cause, it's important to give them an avenue where they can do that," he said, suggesting it could also head off independent hacktivism to make sure that everyone is "operating according to a well-formulated plan."

Estonia, a NATO member and a recognized leader in cyberwar doctrine, has a cyber reserve force, the Cyber Defence Unit of the Estonian Defence League, a volunteer organization separate from, but under the command of, the country's military.

"The Estonians have command and control," said Chris Painter, the top U.S. cyber diplomat during the Obama administration, contrasting their Cyber Defense Unit with the IT Army.

Ukraine's reliance on such a large outpouring of international support is another factor that raises questions over whether the model could be repeated in another country, Painter said.

For example, NATO was "one of the biggest organizational partners" in staging the National Defense Hackathon, according to event organizer Verych. NATO personnel provided simultaneous translation services for the opening session, which featured remarks from David Cattler, NATO assistant secretary general for intelligence and security, highlighting "The mutually beneficial partnership between NATO and Ukraine." NATO also presented cybersecurity training certificates to participants and invited the winners in the hackathon contest to join NATO's own hackathon, which will be held later this year in Poland.

Officials say the US Cyber Command has stayed in touch with Ukraine since the Russian invasion. Courtesy of Ukraine's Army Inform

In war, the enemy gets a vote

The question of international support highlights the role of U.S. Cyber Command, which first sent a "hunt forward" team to Ukraine in 2018. The mission was part of the U.S. government's massive multi-agency mobilization to learn about and disable Russian cyber and information warfare capabilities prior to the 2018 U.S. midterm elections. But it was the start of an enduring relationship, retired U.S. Air Force Lt. Gen. Charles "Tuna" Moore told Newsweek. Before his retirement last fall, Moore spent five years at U.S. Cyber Command - three as its director of operations and two as deputy commander.

"In the lead up to the invasion, we had cyber teams on the ground there as well," he said. "Helping them evaluate their infrastructure, remove malware, eliminate vulnerabilities, and prepare for what we believed was going to be an actual invasion."

Although the Cyber Command teams pulled out ahead of the invasion, the preparation paid off. When Russian tanks crossed the border Feb. 24, Ukraine's cyber defenders had already fended off two brutal waves of cyberattacks.

And the attacks that have been reported are only the tip of an iceberg, Moore said. "There have been a lot of cyber operations conducted by the Russians against the Ukrainians that have not made their way into the public arena."

Moore said that Cyber Command has stayed in touch with Ukraine since the invasion, and is watching the conflict closely. "We've maintained that relationship throughout the conflict, and continue to assist them," Moore said. "This is the first time we've seen full spectrum cyber operations in a major shooting war against a nuclear armed superpower. There are a lot of lessons to be learned."

Follow Shaun Waterman on Twitter @WatermanReports.