A parallel terrain: Public-private defense of the Ukrainian information environment

Conflict Cybersecurity Defense Industry Defense Technologies Disinformation Europe & Eurasia Internet Non-Traditional Threats Russia Security & Defense Technology & Innovation Ukraine United States and Canada

Report

February 27, 2023

A parallel terrain: Public-private defense of the Ukrainian information environment

By Emma Schroeder and Sean Dack

Executive summary

In the year since the Russian invasion of Ukraine, the conventional assault and advances into Ukrainian territory have been paralleled by a simultaneous invasion of the Ukrainian information environment. This environment, composed of cyber infrastructure, both digital and physical, and the data, networks, and ideas that flow through and across it, is more than a domain through which the combatants engage or a set of tools by which combatants interact—it is a parallel territory that Russia is intent on severing from the global environment and claiming for itself.

Russian assaults on the Ukrainian information environment are conducted against, and through, largely privately owned infrastructure, and Ukrainian defense in this space is likewise bound up in cooperative efforts with those infrastructure owners and other technology companies providing aid and assistance. The role of private companies in this conflict seems likely to grow, along with the scale, complexity, and criticality of the information infrastructure they operate.

Examining and mitigating the risks related to the involvement of private technology companies in the war in Ukraine is crucial and looking forward, the United States government must also examine the same questions with regard to its own security and defense:

What is the complete incentive structure behind a company’s decision to provide products or services to a state at war?
How dependent are states on the privately held portions of the information environment, including infrastructure, tools, knowledge, data, skills, and more, for their own national security and defense?
How can the public and private sectors work together better as partners to understand and prepare these areas of reliance during peace and across the continuum of conflict in a sustained, rather than ad hoc, nature?

Russia’s war against Ukraine is not over and similar aggressions are likely to occur in new contexts and with new actors in the future. By learning these lessons now and strengthening the government’s ability to work cooperatively with the private sector in and through the information space, the United States will be more effective and resilient against future threats.

Introduction

Russia’s invasion of Ukraine in 2022 held none of the illusory cover of its 2014 operation; instead of “little green men” unclaimed by Moscow, Putin built up his forces on Ukraine’s border for the entire international community to see. His ambitions were clear: To remove and replace the elected government of Ukraine with a figurehead who would pull the country back under Russia’s hold, whether through literal absorption of the state or by subsuming the entire Ukrainian population under Russia’s political and information control. In the year since the Russian invasion, Ukraine’s defense has held back the Russian war machine with far greater strength than many thought possible in the early months of 2022. President Zelenskyy, the Ukrainian government, and the Ukrainian people have repeatedly repelled Russian attempts to topple the state, buttressed in part by the outpouring of assistance from not just allied states, but also local and transnational private sector companies.

Amidst the largest conventional land war in Europe since the fall of the Third Reich, both Russia and Ukraine have directed considerable effort toward the conflict’s information environment, defined as the physical and digital infrastructure over and through which information moves, the tools used to interact with that information, and information itself. This is not only a domain through which combatants engage, but a parallel territory that the Kremlin seeks to contest and claim. Russian efforts in this realm, to destroy or replace Ukraine’s underpinning infrastructure and inhibit the accessibility and reach of infrastructure and tools within the environment, are countered by a Ukrainian defense that prioritizes openness and accessibility.

The information environment, and all the components therein, is not a state or military dominated environment; it is largely owned, operated, and populated by private organizations and individuals around the globe. The Ukrainian information environment, referring to Ukrainian infrastructure operators, service providers, and users, is linked to and part of a global environment of state and non-state actors where the infrastructure and the terrain is largely private. Russian operations within the Ukrainian information environment are conducted against, and through, this privately owned infrastructure, and the Ukrainian defense is likewise bound up in cooperative efforts with those infrastructure owners and other technology companies that are providing aid and assistance. These efforts have contributed materially, and in some cases uniquely, to Ukraine’s defense.

The centrality of this environment to the conduct of this war, raises important questions about the degree to which states and societies are dependent on information infrastructure and functionalities owned and operated by private actors, and especially transnational private actors. Although private sector involvement in the war in Ukraine has generally been positive, the fact that the conduct of war and other responsibilities in the realm of statehood are reliant on private actors leads to new challenges for these companies, for the Ukrainian government, and for the United States and allies.

The United States government must improve its understanding of, and facility for, joint public-private action to contest over and through the information environment. The recommendations in this report are intended to facilitate the ability of US technology companies to send necessary aid to Ukraine, ensure that the US government has a complete picture of US private-sector involvement in the war in Ukraine, and contribute more effectively to the resilience of the Ukrainian information environment. First, the US government should issue a directive providing assurance and clarification as to the legality of private sector cyber, information, capacity building, and technical aid to Ukraine. Second, a task force pulling from agencies and offices across government should coordinate to track past, current, and future aid from the private sector in these areas to create a better map of US collaboration with Ukraine across the public and private sectors. Third, the US government should increase its facilitation of private technology aid by providing logistical and financial support.

These recommendations, focused on Ukraine’s defense, are borne of and provoke larger questions that will only become more important to tackle. The information environment and attempts to control it have long been a facet of conflict, but the centrality of privately owned and operated technology—and the primacy of some private sector security capabilities in relation to all but a handful of states—pose increasingly novel challenges to the United States and allied policymaking communities. Especially in future conflicts, the risks associated with private sector action in defense of, or directly against, a combatant could be significantly greater and multifaceted, rendering existing cooperative models insufficient.

The Russian information offensive

The Russian Federation Ministry of Foreign Affairs defines information space—of which cyberspace is a part—as “the sphere of activity connected with the formation, creation, conversion, transfer, use, and storage of information and which has an effect on individual and social consciousness, the information infrastructure, and information itself.¹ Isolating the Ukrainian information space is key to both the short- and long-term plans of the Russian government. In the short term, the Kremlin pursues efforts to control both the flow and content of communications across the occupied areas.² In the longer term, occupation of the information environment represents an integral step in Russian plans to occupy and claim control over the Ukrainian population.

In distinct opposition to the global nature of the information environment, over the past decade or so, the Kremlin has produced successive legislation “to impose ‘sovereignty’ over the infrastructure, content, and data traversing Russia’s ‘information space,’” creating a sectioned-off portion of the internet now known as RuNet.³ Within this space, the Russian government has greater control over what information Russian citizens see and a greater ability to monitor what Russian citizens do online.⁴ This exclusionary interpretation is an exercise in regime security against what the Kremlin perceives as constant Western information warfare against it.⁵ As Gavin Wilde, senior fellow with the Carnegie Endowment for International Peace, writes, the Russian government views the information environment “as an ecosystem to be decisively dominated.”⁶

To the Kremlin, domination of the information environment in Ukraine is an essential step toward pulling the nation into its fold and under its control. Just as Putin views information domination as critical to his regime’s exercise of power within Russia, in Ukraine, Russian forces systematically conduct offensives against the Ukrainian information environment in an attempt to create a similar model of influence and control that would further enable physical domination. This strategy is evident across the Kremlin’s efforts to weaken the Ukrainian state for the last decade at least. In the 2014 and 2022 invasions, occupied, annexed, and newly “independent” regions of Ukraine were variously cut off from the wider information space and pulled into the restricted Russian information space.

The Crimean precedent – 2014

The Russian invasion of Ukraine did not begin in 2022, but in 2014. Examining this earlier Russian incursion illustrates the pattern of Russian offensive behavior in and through the information environment going back nearly a decade—a combination of physical, cyber, financial, and informational maneuvers that largely target or move through private information infrastructure. In 2014, although obfuscated behind a carefully constructed veil of legitimacy, Russian forces specifically targeted Ukrainian information infrastructure to separate the Crimean population from the Ukrainian information environment, and thereby the global information environment, and filled that vacuum with Russian infrastructure and information.

The Russian invasion of eastern Ukraine in 2014 was a direct response to the year-long Euromaidan Revolution, which took place across Ukraine in protest of then-President Viktor Yanukovych’s decision to spurn closer relations with the European Union and ignore growing calls to counter Russian influence and corruption within the Ukrainian government. These protests were organized, mobilized, and sustained partially through coordination, information exchange, and message amplification over social media sites like Facebook, Twitter, YouTube, and Ustream—as well as traditional media.⁷ In February 2014, after Yanukovych fled to Russia, the Ukrainian parliament established a new acting government and announced that elections for a new president would be held in May. Tensions immediately heightened, as Russian forces began operating in Crimea with the approval of Federal Assembly of Russia at the request of “President” Yanukovych, although Putin denied that they were anything other than “local self-defense forces.”⁸ On March 21, Putin signed the annexation of Crimea.⁹

During the February 2014 invasion of Crimea, the seizure and co-option of Ukrainian physical information infrastructure was a priority. Reportedly, among the first targets of Russian special forces was the Simferopol Internet Exchange Point (IXP), a network facility that enables internet traffic exchange.¹⁰ Ukraine’s state-owned telecommunications company Ukrtelecom reported that armed men seized its offices in Crimea and tampered with fiber-optic internet and telephone cables.¹¹ Following the raid, the company lost the “technical capacity to provide connection between the peninsula and the rest of Ukraine and probably across the peninsula, too.”¹² Around the same time, the head of the Security Service of Ukraine (SBU), Valentyn Nalivaichenko, reported that the mobile phones of Ukrainian parliament members, including his own, were blocked from connecting through Ukrtelecom networks in Crimea.¹³

Over the next three years, and through the “progressive centralization of routing paths and monopolization of Internet Service market in Crimea … the topology of Crimean networks has evolved to a singular state where paths bound to the peninsula converge to two ISPs (Rosetelecom and Fiord),” owned and operated by Russia.¹⁴ Russian forces manipulated the Border Gateway Protocol (BGP)—the system that helps connects user traffic flowing from ISPs to the wider internet—modifying routes to force Crimean internet traffic through Russian systems, “drawing a kind of ‘digital frontline’ consistent with the military one.”¹⁵ Residents of Crimea found their choices increasingly limited, until their internet service could only route through Russia, instead of Ukraine, subject to the same level of censorship and internet controls as in Russia. The Russian Federal Security Service (FSB) monitored communications from residents of Crimea, both within the peninsula and with people in Ukraine and beyond.¹⁶ Collaboration between ISPs operating in Crimea through Russian servers and the FSB appears to be a crucial piece of this wider monitoring effort. This claim was partially confirmed by a 2018 Russian decree that forbade internet providers from publicly sharing any information regarding their cooperation with “the authorized state bodies carrying out search and investigative activities to ensure the security of the Russian Federation.”¹⁷

From March to June 2014, Russian state-owned telecom company Rostelcom began and completed construction of the Kerch Strait cable, measuring 46 kilometers (about 28.5 miles) and costing somewhere between $11 and $25 million, to connect the Crimean internet with the Russian RuNet.¹⁸ Rostelcom, using a local agent in Crimea called Miranda Media, became the main transit network for several Crimean internet service providers (ISPs), including KCT, ACS-Group, CrimeaCom, and CRELCOM in a short period of time.¹⁹ There was a slower transition of customers from the Ukrainian company Datagroup to Russian ISPs, but nonetheless, the number of Datagroup customers in Crimea greatly decreased throughout 2014. According to one ISP interviewed by Romain Fontugne, Ksenia Ermoshina, and Emile Aben, “the Kerch Strait cable was used first of all for voice communication … The traffic capacity of this cable was rather weak for commercial communications.”²⁰ But by the end of 2017, remnant usage of Ukrainian ISPs had virtually disappeared, following the completion of a second, better internet cable through the Kerch Strait and a series of restrictions placed on Russian social media platforms, news outlets, and a major search engine by Ukrainian President Poroshenko.²¹The combination of the new restrictions, and the improved service of Russian ISPs encouraged more Crimeans to move away from Ukrainian ISPs.

Russia’s efforts to control the information environment within Crimea, and the Russian government’s ability to monitor communications and restrict access to non-Russian approved servers, severely curtailed freedom of expression and belief—earning the region zero out of four in this category from Freedom House.²² Through physical, and formerly private, information infrastructure, Russia was able to largely take control of the information environment within Crimea.

A parallel occupation – 2022

Digital information infrastructure

Just as in 2014, one of the first priorities of invading Russian forces in 2022 was the assault of key Ukrainian information infrastructure, including digital infrastructure. Before, during, and following the invasion, Russian and Russian-aligned forces targeted Ukrainian digital infrastructure through cyber operations, ranging in type, target, and sophistication. Through some combination of Ukrainian preparedness, partner intervention, and Russian planning shortfalls, among other factors, large-scale cyber operations disrupting Ukrainian critical infrastructure, such as those seen previously in 2015 with BlackEnergy and NotPetya, did not materialize.²³ This could be because such cyber operations require significant time and resources, and similar ends can be more cheaply achieved through direct, physical means. Russian cyber operators, however, have not been idle.

Preceding the physical invasion, there was a spate of activity attributed to both Russian and Russian-aligned organizations targeting a combination of state and private organizations.²⁴ From January 13 to 14, for example, hackers briefly took control of seventy Ukrainian government websites, including the Ministries of Defense and Foreign Affairs, adding threatening messages to the top of these official sites.²⁵ The following day, January 15, Microsoft’s Threat Intelligence Center reported the discovery of wiper malware, disguised as ransomware, in dozens of Ukrainian government systems, including agencies which “provide critical executive branch or emergency response function,” and an information technology firm that services those agencies.²⁶ A month later, on February 15, Russian hackers targeted several websites with distributed denial of service (DDoS) attacks, forcing Ukrainian defense ministry and armed forces websites, as well as those of PrivatBank and Oschadbank, offline.²⁷ Around the same time, according to Microsoft’s special report on Ukraine, “likely” Russian actors were discovered in the networks of unidentified critical infrastructure in Odessa and Sumy.²⁸ The day before the invasion, cybersecurity companies ESET and Symantec reported that a new destructive wiper was spreading across Ukrainian, Latvian, and Lithuanian networks, as a second round of DDoS attacks again took down a spate of government and financial institution websites.“²⁹ This activity centered around information—with defacements sending a clear threat to the Ukrainian government and population, DDoS attacks impairing accurate communication, and wiper malware degrading Ukrainian data—and gaining access to Ukrainian data for Russia. Although many of these operations targeted Ukrainian government networks, the attacks moved through or against privately operated infrastructure and, notably, the first public notification and detailing of several of these operations was undertaken by transnational technology companies.

After February 24, Russian cyber activity continued and the targets included a number of private information infrastructure operators. A March hack of Ukrtelecom—Ukraine’s largest landline operator, which also provides internet and mobile services to civilians and the Ukrainian government and military—resulted in a collapse of the company’s network to just 13 percent capacity, the most severe disruption in service the firm recorded since the invasion began.³⁰ Another such operation targeted Triolan—a Ukrainian telecommunications provider—on February 24 in tandem with the physical offensive and a second time on March 9. These incursions on the Triolan network took down key nodes and caused widespread service outages. Following the March 9 attack, the company was able to restore service, but these efforts were complicated by the need to physically access some of the equipment located in active conflict zones.³¹ These attacks against Ukraine-based information infrastructure companies caused service outages that were concurrent with the physical invasion and afterwards, restricted communications among Ukrainians and impeded the population’s ability to respond to current and truthful information.

This unacceptable cyberattack is yet another example of Russia’s continued pattern of irresponsible behaviour in cyberspace, which also formed an integral part of its illegal and unjustified invasion of Ukraine.¹

Council of the European Union

These types of operations, however, were not restricted to Ukraine-based information infrastructure. A significant opening salvo in Russia’s invasion was a cyber operation directed against ViaSat, a private American-based satellite internet company that provides services to users throughout the world, including the Ukrainian military.³² Instead of targeting the satellites in orbit, Russia targeted the modems in ViaSat’s KA-SAT satellite broadband network that connected users with the internet.³³ Specifically, Russia exploited a “misconfiguration in a VPN [virtual private network] appliance to gain remote access to the trusted management segment of the KA-SAT network.”³⁴ From there, the attackers were able to move laterally though the network to the segment used to manage and operate the broader system.³⁵ They then “overwrote key data in flash memory on the modems,” making it impossible for the modems to access the broader network.³⁶ Overall, the effects of the hack were short-lived, with ViaSat reporting the restoration of connectivity within a few days after shipping approximately 30,000 new modems to affected customers.³⁷

SentinelOne, a cybersecurity firm, identified the malware used to wipe the modems and routers of the information they needed to operate.³⁸ The firm assessed “with medium-confidence“ that AcidRain, the malware used in the attack, had ”developmental similarities” with an older malware, VPNFilter, that the Federal Bureau of Investigation and the US Department of Justice have previously linked to the Russian government.³⁹ The United States, United Kingdom, and European Union all subsequently attributed the ViaSat hack to Russian-state backed actors.⁴⁰

The effectiveness of the operation is debated, although the logic of the attack is straightforward. Russia wanted to constrain, or preferably eliminate, an important channel of communication for the Ukrainian military during the initial stages of the invasion. Traditional, land-based radios, which the Ukrainian military relies on for most of their communications, only work over a limited geographic range, therefore making it more difficult to use advanced, long-range weapons systems.⁴¹ It should be expected that landline and conventional telephony would suffer outages during the opening phases of the war and struggle to keep up with rapidly moving forces.

Initially, it was widely reported that the Russian strike on ViaSat was effective. On March 15, a senior Ukrainian cybersecurity official, Viktor Zhora, was quoted saying that the attack on ViaSat caused “a really huge loss in communications in the very beginning of the war.⁴² When asked follow-up questions about his quote, Zhora said at the time that he was unable to elaborate, leading journalists and industry experts to believe that the attack had impacted the Ukrainian military’s ability to communicate.⁴³ However, several months later, on September 26, Zhora revised his initial comments, stating that the hack would have impacted military communications if satellite communications had been the Ukrainian military’s principal medium of communication. However, Zhora stated that the Ukrainian military instead relies on landlines for communication, with satellites as a back-up method. He went on to say that “in the case land lines were destroyed, that could be a serious issue in the first hours of war.”⁴⁴ The tension, and potential contradictions, in Zhora’s comments underlines the inherent complications in analyzing cyber operations during war: long-term consequences can be difficult to infer from short-term effects, and countries seek to actively control the narratives surrounding conflict.

The effectiveness of the ViaSat hack boils down to how the Ukrainian military communicates, and how adaptable it was in the early hours of the invasion. However, it is apparent how such a hack could impact military effectiveness. If Russia, or any other belligerent, was able to simultaneously disrupt satellite communications while also jamming or destroying landlines, forces on the frontlines would be at best poorly connected with their superiors. In such a scenario, an army would be cut off from commanders in other locations and would not be able to report back or receive new directives; they would be stranded until communications could be restored.

The ViaSat hack had a military objective: to disrupt Ukrainian military access to satellite communications. But the effects were not limited to this objective. The operation had spillover effects that rippled across Europe. In Germany, nearly 6,000 wind turbines were taken offline, with roughly 2,000 of those turbines remaining offline for nearly a month after the initial hack due to the loss of remote connectivity.⁴⁵ In France, modems used by emergency services vehicles, including firetrucks and ambulances, were also affected.⁴⁶

ViaSat is not a purely military target. It is a civilian firm that counts the Ukrainian military as a customer. The targeting of civilian infrastructure with dual civilian and military capability and use has occurred throughout history and has been the center of debate in international law, especially when there are cross-border spillover effects in non-combatant countries. Both the principle of proportionality and international humanitarian law require the aggressor to target only military objects, defined as objects “whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage” in a manner proportional to the military gain foreseen by the operation. ⁴⁷ What this means in practice, however, is that the aggressor determines whether they deem a target to be a military object and a beneficial target and, therefore, what is legitimate. Konstantin Vorontsov, the Head of the Russian Delegation to the United Nations, attempted to justify Russian actions in October 2022 by saying that the use of civilian space infrastructure to aid the Ukrainian war effort may be a violation of the Outer Space Treaty, thereby rendering this infrastructure a legitimate military target.⁴⁸ Similar operations like that against ViaSat are likely to be the new norm in modern warfare. As Mauro Vignati, the adviser on new digital technologies of warfare at the Red Cross, said in November 2022, insofar as private companies own and operate the information infrastructure of the domain, including infrastructure acting as military assets, “when war start[s], those companies, they are inside the battlefield.”⁴⁹

Physical information infrastructure

In February 2022, as Russian forces moved to seize airfields and key physical assets in Ukraine, they simultaneously assaulted the physical information infrastructure operating within and beneath the Ukrainian information environment. Russian forces targeted this infrastructure, largely privately operated, by taking control of assets where possible and destroying them where not, including through a series of Russian air strikes targeting Ukrainian servers, cables, and cell phone towers.⁵⁰ As of June 2022, about 15 percent of Ukrainian information infrastructure had been damaged or destroyed; by July, 12.2 percent of homes had lost access to mobile communication services, 11 percent of base stations for mobile operators were out of service, and approximately 20 percent of the country’s telecommunications infrastructure was damaged or destroyed.⁵¹ By August “the number of users connecting to the Internet in Ukraine [had] shrunk by at least 16 percent nationwide.”⁵²

In some areas of Ukraine, digital blackouts were enforced by Russian troops to cut the local population off from the highly contested information space. In Mariupol, the last cell tower connecting the city with the outside world was tirelessly tended by two Kyivstar engineers, who kept it alive with backup generators that they manually refilled with gasoline. Once the Russians entered the city, however, the Ukrainian soldiers who had been protecting the cell tower location left to engage with the enemy, leaving the Kyivstar engineers alone to tend to their charge. For three days the engineers withstood the bombing of the city until March 21, when Russian troops disconnected the tower and it went silent.⁵³

Russian forces coerced Ukrainian occupied territories onto Russian ISPs, once again through Rostelcom’s local agent Miranda Media, and onto Russian mobile service providers.⁵⁴ Information infrastructure in Ukraine is made up of overlapping networks of mobile service and ISPs, a legacy of the country’s complicated post-Soviet modernization process. This complexity may have been a boon for its resilience. Russian forces, observed digital-rights researcher Samuel Woodhams, “couldn’t go into one office and take down a whole region … There were hundreds of these offices and the actual hardware was quite geographically separated.⁵⁵ Across eastern Ukraine, including Kherson, Mlitopol, and Mariupol, the Russians aimed to subjugate the physical territory, constituent populations, and Ukrainian information space. In Kherson, Russian forces entered the offices of a Ukrainian ISP and at gunpoint, forced staff to transfer control to them.⁵⁶

Russian bombardment of telecommunications antennas in Kiev (Attribution: Mvs.gov.ua)

Routing the internet and communications access of occupied territories through Russia meant that Moscow could suppress communications to and from these occupied areas, especially through social media and Ukrainian news sites, sever access to essential services in Ukraine, and flood the populations with its own propaganda, as was proved in Crimea in 2014. Moving forward, Russia could use this dependency to “disconnect, throttle, or restrict access to the internet” in occupied territories, cutting off the occupied population from the Ukrainian government and the wider Ukrainian and international community.⁵⁷

The Kremlin’s primary purpose in the invasion of Ukraine was and is to remove the Ukrainian government and, likely, install a pro-Russian puppet government to bring to an end an independent Ukraine.⁵⁸ Therefore, isolating the information environment of occupied populations, in concert with anti-Ukrainian government disinformation, such as the multiple false allegations that President Zelenskyy had fled the country and abandoned the Ukrainian people,⁵⁹ were a means to sway the allegiances, or at least dilute the active resistance, of the Ukrainian people.⁶⁰ Without connectivity to alternative outlets, the occupying Russians could promote false and largely uncontested claims about the progress of the war. In early May 2022 for example, when Kherson lost connectivity for three days, the deputy of the Kherson Regional Council, Serhiy Khlan, reported that the Russians “began to spread propaganda that they were in fact winning and had captured almost all of Mykolaiv.”⁶¹

Russia used its assault on the information environment to undermine the legitimacy of the Ukrainian government and its ability to fulfill its governmental duties to the Ukrainian people. Whether through complete connectivity blackouts or through the restrictions imposed by Russian networks, the Russians blocked any communications from the Ukrainian government to occupied populations—not least President Zelenskyy’s June 13, 2022 address, intended most for those very populations, in which he promised to liberate all occupied Ukrainian land and reassured those populations that they had not been forgotten. Zelenskyy acknowledged the Russian barrier between himself and Ukrainians in occupied territories, saying, “They are trying to make people not just know nothing about Ukraine… They are trying to make them stop even thinking about returning to normal life, forcing them to reconcile.”⁶²

Isolating occupied populations from the Ukrainian information space is intended, in large part, said Stas Prybytko, the head of mobile broadband development within the Ukrainian Ministry of Digital Transformation, to “block them from communicating with their families in other cities and keep them from receiving truthful information.”⁶³ Throughout 2022, so much of what the international community knew about the war came—through Twitter, TikTok, Telegram, and more—from Ukrainians themselves. From videos of the indiscriminate Russian shelling of civilian neighborhoods to recordings tracking Russian troop movements, Ukrainians used their personal devices to capture and communicate the progress of the war directly to living rooms, board rooms, and government offices around the world.⁶⁴The power of this distributed information collection and open-source intelligence relies upon mobile and internet access. The accounts that were shared after Ukrainian towns and cities were liberated from Russian occupation lay bare just how much suffering, arrest, torture, and murder was kept hidden from international view by the purposeful isolation of the information environment and the constant surveillance of Ukrainians’ personal devices.⁶⁵ The war in Ukraine has highlighted the growing impact of distributed open source intelligence during the conduct of war that is carried out by civilians in Ukraine and by the wider open source research community though various social media and messaging platforms.⁶⁶

Narrative Warfare: How the Kremlin and Russian news outlets justified a war of aggression against Ukraine

Undermining Ukraine: How the Kremlin employs information operations to erode global confidence in Ukraine

Russian operations against, especially transnational, digital infrastructure companies can mostly be categorized as disruption, degradation, and information gathering, which saw Russian or Russian-aligned hackers moving in and through the Ukrainian information environment. The attacks against Ukrainian physical infrastructure, however, are of a slightly different character. Invading forces employed physically mediated cyberattacks, a method defined by Herb Lin as “attacks that compromise cyber functionality through the use of or the threat of physical force” to pursue the complete destruction or seizure and occupation of this infrastructure.⁶⁷ Both ends begin with the same purpose: to create a vacuum of information between the Ukrainian government, the Ukrainian people, and the global population, effectively ending the connection between the Ukrainian information environment and the global environment. But the seizure of this infrastructure takes things a step beyond: to occupy the Ukrainian information environment and pull its infrastructure and its people into an isolated, controlled Russian information space.

Reclaiming the Ukrainian information environment

Preparation of the environment

The Russian assault on the Ukrainian information environment is far from unanswered. Russian efforts have been countered by the Ukrainian government in concert with allied states and with technology companies located both within and outside Ukraine. Russia’s aim to pull occupied Ukrainian territory onto Russian networks to be controlled and monitored has been well understood, and Ukraine has been hardening its information infrastructure since the initial 2014 invasion. Ukraine released its Cyber Security Strategy in 2016, which laid out the government’s priorities in this space, including the defense against the range of active cyber threats they face, with an emphasis on the “cyber protection of information infrastructure.”⁶⁸ The government initially focused on centralizing its networks in Kyiv to make it more difficult “for Russian hackers to penetrate computers that store critical data and provide services such as pension benefits, or to use formerly government-run networks in the occupied territories to launch cyberattacks on Kyiv.”⁶⁹

As part of its digitalization and security efforts, the Ukrainian government also sought out new partners, both public and private, to build and bolster its threat detection and response capabilities. Before and since the 2022 invasion, the Ukrainian government has worked with partner governments and an array of technology companies around the world to create resilience through increased connectivity and digitalization.

Bolstering Ukrainian connectivity

Since the 2014 invasion and annexation of Crimea, Ukraine-serving telecommunications operators have developed plans to prepare for future Russian aggression. Lifecell, the third largest Ukrainian mobile telephone operator, prepared its network for an anticipated Russian attack. The company shifted their office archives, documentation, and critical network equipment from eastern to western Ukraine, where it would be better insulated from violence, added additional network redundancy, and increased the coordination and response capabilities of their staff.⁷⁰ Similarly, Kyivstar and Vodafone Ukraine increased their network bandwidth to withstand extreme demand. In October 2021, these three companies initiated an infrastructure sharing agreement to expand LTE (Long Term Evolution) networks into rural Ukraine and, in cooperation with the Ukrainian government, expanded the 4G telecommunications network to bring “mobile network coverage to an estimated 91.6 per cent of the population.”⁷¹

The expansion and improvement of Ukrainian telecommunications continued through international partnerships as well. Datagroup, for example, announced a $20 million partnership in 2021 with Cisco, a US-based digital communications company, to modernize and expand the bandwidth of its extensive networks.⁷² Since the February 2022 invasion, Cisco has also worked with the French government to provide over $5 million of secure, wireless networking equipment and software, including firewalls, for free to the Ukrainian government.⁷³

This network expansion is an integral part of the Ukrainian government’s digitalization plans for the country, championed by President Zelenskyy. Rather than the invasion putting an end to these efforts, Deputy Prime Minister and Minister for Digital Transformation Mykhailo Fedorov claimed that during the war “digitalization became the foundation of all our life. The economy continues to work … due to digitalization.⁷⁴ The digital provision of government services has created an alternate pathway for Ukrainians to engage in the economy and with their government. The flagship government initiative Diia, launched in February 2020, is a digital portal through which the 21.7 million Ukrainian users can access legal identification, make social services payments, register a business, and even register property damage from Russian missile strikes.⁷⁵ The Russian advance and consequent physical destruction that displaced Ukrainians means that the ability to provide government services through alternate and resilient means is more essential than ever, placing an additional premium on defending Ukrainian information infrastructure.

Backing up a government

As Russian forces built up along Ukraine’s borders, Ukrainian network centralization may have increased risk, despite the country’s improved defense capabilities. In preparation for the cyber and physical attacks against the country’s information infrastructure, Fedorov moved to amend Ukrainian data protection laws to allow the government to store and process data in the cloud and worked closely with several technology companies, including Microsoft, Amazon Web Services, and Google, to effect the transfer of critical government data to infrastructure hosted outside the country.⁷⁶ Cloud computing describes “a collection of technologies and organizational processes which enable ubiquitous, on-demand access to a shared pool of configurable computing resources.”⁷⁷ Cloud computing is dominated by the four hyperscalers—Amazon, Microsoft, Google, and Alibaba—that provide computing and storage at enterprise scale and are responsible for the operation and security of data centers all around the world, any of which could host customer data according to local laws and regulations.⁷⁸

According to its April 2022 Ukraine war report, Microsoft “committed at no charge a total of $107 million of technology services to support this effort” and renewed the relationship in November, promising to ensure that “government agencies, critical infrastructure and other sectors in Ukraine can continue to run their digital infrastructure and serve citizens through the Microsoft Cloud” at a value of about $100 million.⁷⁹ Amazon and Google have also committed to supporting cloud services for the Ukrainian government, for select companies, and for humanitarian organizations focused on aiding Ukraine.⁸⁰ In accordance with the Ukrainian government’s concerns, Russian missile attacks targeted the Ukrainian government’s main data center in Kyiv soon after the invasion, partially destroying the facility, and cyberattacks aggressively tested Ukrainian networks.⁸¹

Unlike other lines of aid provided by the international community to strengthen the defense of the Ukrainian information environment, cloud services are provided only by the private sector.⁸² While this aid has had a transformative effect on Ukrainian defense, that transformative quality has also raised concerns. Microsoft, in its special report on Ukraine, several times cites its cloud services as one of the determining factors that limited the effect of Russian cyber and kinetic attacks on Ukrainian government data centers, and details how their services, in particular, were instrumental in this defense.⁸³ In this same report, Microsoft claims to be most worried about those states and organizations that do not use cloud services, and provides corroborating data.⁸⁴ Microsoft and other technology companies offering their services at a reduced rate, or for free, are acting—at least in part—out of a belief in the rightness of the Ukrainian cause. However, they are still private companies with responsibilities to shareholders or board members, and they still must seek profit. Services provided, especially establishing information infrastructure like Cloud services, are likely to establish long-term business relationships with the Ukrainian government and potentially with other governments and clients, who see the effectiveness of those services illustrated through the defense of Ukraine.

Mounting an elastic defense

Working for wireless

Alongside and parallel to the Ukrainian efforts to defend and reclaim occupied physical territory is the fight for Ukrainian connectivity. Ukrainian telecommunications companies have been integral to preserving connectivity to the extent possible. In March 2022, Ukrainian telecom operators Kyivstar, Vodafone Ukraine, and Lifecell made the decision to provide free national mobile roaming services across mobile provider networks, creating redundancy and resilience in the mobile network to combat frequent service outages.⁸⁵ The free mobile service provided by these companies is valued at more than UAH 980 million (USD 26.8 million).⁸⁶ In addition, Kyivstar in July 2022 committed to the allocation of UAH 300 million (about USD 8.2 mil) for the modernization of Ukraine’s information infrastructure in cooperation with the Ukrainian Ministry of Digital transformation.⁸⁷ The statements that accompanied the commitments from Kyivstar and Lifecell—both headquartered in Ukraine—emphasized each company’s dedication to Ukrainian defense and their role in it, regardless of the short-term financial impact.⁸⁸ These are Ukrainian companies with Ukrainian infrastructure and Ukrainian customers, and their fate is tied inextricably to the outcome of this war.

As Russian forces advanced and attempted to seize control of information infrastructure, in at least one instance, Ukrainian internet and mobile service employees sabotaged their own equipment first. Facing threats of imprisonment and death from occupying Russians, employees in several Ukrtelecom facilities withstood pressure to share technical network details and instead deleted key files from the systems. According to Ukrtelecom Chief Executive Officer Yuriy Kurmaz, “The Russians tried to connect their control boards and some equipment to our networks, but they were not able to reconfigure it because we completely destroyed the software.”⁸⁹ Without functional infrastructure, Russian forces struggled to pull those areas onto Russian networks.

The destruction of telecommunications infrastructure has meant that these areas and many others along the war front are, in some areas, without reliable information infrastructure, either wireless or wired. While the Ukrainian government and a bevy of local and international private sector companies battle for control of on-the-ground internet and communications infrastructure, they also pursued new pathways to connectivity.

Searching for satellite

Two days after the invasion, Deputy Prime Minister Fedorov tweeted at Elon Musk, the Chief Executive Officer of SpaceX, that “while you try to colonize Mars — Russia try [sic] to occupy Ukraine! While your rockets successfully land from space — Russian rockets attack Ukrainian civil people! We ask you to provide Ukraine with Starlink stations and to address sane Russians to stand.”⁹⁰ Just another two days later, Fedorov confirmed the arrival of the first shipment of Starlink stations.⁹¹

Starlink, a network of low-orbit satellites working in constellations operated by SpaceX, relies on satellite receivers no larger than a backpack that are easily installed and transported. Because Russian targeting of cellular towers made communications coverage unreliable, says Fedorov, the government “made a decision to use satellite communication for such emergencies” from American companies like SpaceX.⁹² Starlink has proven more resilient than any other alternative throughout the war. Due to the low orbit of Starlink satellites, they can broadcast to their receivers at relatively higher power than satellites in higher orbits. There has been little reporting on successful Russian efforts to jam Starlink transmissions, and the Starlink base stations—the physical, earthbound infrastructure that communicates directly with the satellites—are located on NATO territory, ensuring any direct attack on them would be a significant escalation in the war.⁹³

Starlink has been employed across sectors almost since the war began. President Zelenskyy has used the devices himself when delivering addresses to the Ukrainian people, as well as to foreign governments and populations.⁹⁴ Fedorov has said that sustained missile strikes against energy and communication infrastructure have been effectively countered through the deployment of Starlink devices that can restore connection where it is most needed. He even called the system “an essential part of critical infrastructure.”⁹⁵

Starlink has also found direct military applications. The portability of these devices means that Ukrainian troops can often, though not always, stay connected to command elements and peer units while deployed.⁹⁶ Ukrainian soldiers have also used internet connections to coordinate attacks on Russian targets with artillery-battery commanders.⁹⁷ The Aerorozvidka, a specialist air reconnaissance unit within the Ukrainian military that conducts hundreds of information gathering missions every day, has used Starlink devices in areas of Ukraine without functional communications infrastructure to “monitor and coordinate unmanned aerial vehicles, enabling soldiers to fire anti-tank weapons with targeted precision.”⁹⁸ Reports have also suggested that a Starlink device was integrated into an unmanned surface vehicle discovered near Sevastopol, potentially used by the Ukrainian military for reconnaissance or even to carry and deliver munitions.⁹⁹ According to one Ukrainian soldier, “Starlink is our oxygen,” and were it to disappear, “our army would collapse into chaos.”¹⁰⁰

The initial package of Starlink devices included 3,667 terminals donated by SpaceX and 1,333 terminals purchased by the United States Agency for International Development (USAID).¹⁰¹ SpaceX initially offered free Starlink service for all the devices, although the offer has already been walked back by Musk, and then reversed again. CNN obtained proof of a letter sent by Musk to the Pentagon in September 2022 stating that SpaceX would be unable to continue funding Starlink service in Ukraine. The letter requested that the Pentagon pay what would amount to “more than $120 million for the rest of the year and could cost close to $400 million for the next 12 months.” It also clarified that the vast majority of the 20,000 Starlink devices sent to Ukraine were financed at least in part by outside funders like the United States, United Kingdom, and Polish governments.¹⁰²

After the letter was sent, but before it became public, Musk got into a Twitter spat with Ukrainian diplomat Adrij Melnyk after the former wrote a tweet on October 3 proposing terms of peace between Russia and Ukraine. Musk’s proposal included Ukraine renouncing its claims to Crimea and pledging to remain neutral, with the only apparent concession from Russia a promise to ensure water supply in Crimea. The plan was rejected by the public poll Musk included in the tweet, and Melnyk replied and tagged Musk, saying “Fuck off is my very diplomatic reply to you @elonmusk.”¹⁰³ After CNN released the SpaceX letter to the Pentagon, Musk seemingly doubled down on his decision to reduce SpaceX funding at first. He responded on October 14 to a tweet summarizing the incident, justifying possible reduced SpaceX assistance stating, “We’re just following his [Melnyk’s] recommendation,” even though the letter was sent before the Twitter exchange. Musk then tweeted the following day, “The hell with it … even though Starlink is still losing money & other companies are getting billions of taxpayer $, we’ll just keep funding Ukraine govt for free.”¹⁰⁴ Two days later, in response to a Politico tweet reporting that the Pentagon was considering covering the Starlink service costs, Musk stated that “SpaceX has already withdrawn its request for funding.”¹⁰⁵ Musk’s characterization of SpaceX’s contribution to the war effort has sparked confusion and reprimand, with his public remarks often implying that his company is entirely footing the bill when in fact, tens of millions of dollars’ worth of terminals and service are being covered by several governments every month.

The Starlink saga, however, was not over yet. Several weeks later in late October, 1,300 Starlink terminals in Ukraine, purchased in March 2020 by a British company for use in Ukrainian combat-related operations, were disconnected, allegedly due to lack of funding, causing a communications outage for the Ukrainian military.¹⁰⁶ Although operation was restored, the entire narrative eroded confidence in SpaceX as a guarantor of flexible connectivity in Ukraine. In November 2022, Federov noted that while Ukraine has no intention of breaking off its relationship with Starlink, the government is exploring working with other satellite communications operators.¹⁰⁷ Starlink is not the only satellite communications network of its kind, but its competitors have not yet reached the same level of operation. Satellite communications company OneWeb, based in London with ties to the British military, is just now launching its satellite constellation, after the Russian invasion of Ukraine required the company to change its launch partner from Roscosmos to SpaceX.¹⁰⁸ The US Space Development Agency, within the United States Space Force, will launch the first low earth orbit satellites of the new National Defense Space Architecture in March 2023. Other more traditional satellite companies cannot provide the same flexibility as Starlink’s small, transportable receivers.

UA Support Forces use Starlink (Attribution: Mil.gov.ua)

With the market effectively cornered for the moment, SpaceX can dictate the terms, including the physical bounds, of Starlink’s operations, thereby wielding immense influence on the battlefield. Starlink devices used by advancing Ukrainian forces near the front, for example, have reported inconsistent reliability.¹⁰⁹ Indeed CNN reported on February 9^th that this bounding was a deliberate attempt to separate the devices from direct military use, as SpaceX President Gwynne Shotwell explained “our intent was never to have them use it for offensive purposes.”¹¹⁰ The bounding decision, similar to the rationale behind the company’s decision to refuse to activate Starlink service in Crimea, was likely made to contain escalation, especially escalation by means of SpaceX devices.¹¹¹

But SpaceX is not the only satellite company making decisions to bound the area of operation of their products to avoid playing—or being perceived to play—a role in potential escalation. On March 16, 2022, Minister Fedorov tweeted at DJI, a Chinese drone producer, “@DJIGlobal are you sure you want to be a partner in these murders? Block your products that are helping russia to kill the Ukrainians!”¹¹² DJI responded directly to the tweet the same day, saying “If the Ukrainian government formally requests that DJI set up geofencing throughout Ukraine, we will arrange it,” but pointed out that such geofencing would inhibit all users of their product in Ukraine, not just Russians.¹¹³

While Russia continues to bombard the Ukrainian electrical grid, Starlink terminals have grown more expensive for new Ukrainian consumers, increasing from $385 earlier this year to $700, although it is unclear if this price increase also affected government purchasers.¹¹⁴ According to Andrew Cavalier, a technology industry analyst with ABI Research, the indispensability of the devices gives “Musk and Starlink a major head start [against its competitors] that its use in the Russia–Ukraine war will only consolidate.”¹¹⁵ Indeed, the valuation of SpaceX was $127 million in May 2022, and the company raised $2 billion in the first seven months of 2022.¹¹⁶ For SpaceX, the war in Ukraine has been an impressive showcase of Starlink’s capabilities and has proven the worth of its services to future customers. The company recently launched a new initiative, Starshield, intended to leverage “SpaceX’s Starlink technology and launch capability to support national security efforts. While Starlink is designed for consumer and commercial use, Starshield is designed for government use.”¹¹⁷ It is clear that SpaceX intends to capitalize on the very public success of its Starlink network in Ukraine.

Reclaiming Territory

The Russian assault is not over, but Ukraine has reclaimed “54 percent of the land Russia has captured since the beginning of the war” and the front line has remained relatively stable since November 2022.¹¹⁸ Videos and reports from reclaimed territory show the exultation of the liberated population. As Ukrainian military forces reclaim formerly occupied areas, the parallel reclamation of the information environment, by or with Ukrainian and transnational information infrastructure operators, follows quickly.

In newly liberated areas, Starlink terminals are often the first tool for establishing connectivity. In Kherson, the first regional capital that fell to the Russian invasion and reclaimed by Ukrainian troops on November 11, 2022, residents lined up in public spaces to connect to the internet through Starlink.¹¹⁹ The Ministry of Digital Transformation provided Starlink devices to the largest service providers, Vodaphone and Kyivstar, to facilitate communication while their engineers repaired the necessary infrastructure for reestablishing mobile and internet service.¹²⁰ A week after Kherson was recaptured, five Kyivstar base stations were made operational and Vodaphone had reestablished coverage over most of the city.¹²¹

Due to the importance of reclaiming the information space, operators are working just behind Ukrainian soldiers to reconnect populations in reclaimed territories to the Ukrainian and global information environment as quickly as possible, which means working in very dangerous conditions. In the Sumy region, a Ukrtelecom vehicle pulling up to a television tower drove over a land mine, injuring three of the passengers and killing the driver.¹²² Stanislav Prybytko, the head of the mobile broadband department in the Ukrainian Ministry of Digital Transformation, says “It’s still very dangerous to do this work, but we can’t wait to do this, because there are a lot of citizens in liberated villages who urgently need to connect.”¹²³ Prybytko and his eleven-person team have been central to the Ukrainian effort to stitch Ukrainian connectivity back together. The team works across a public-private collaborative, coordinating with various government officials and mobile service providers to repair critical nodes in the network and to reestablish communications and connectivity.¹²⁴ According to Ukrainian government figures, 80 percent of liberated settlements have partially restored internet connection, and more than 1,400 base stations have been rebuilt by Ukrainian mobile operators since April 2022.¹²⁵

Key Takeaways

The information environment is a key domain through which this war is being contested. The Russian government has demonstrated for over a decade the importance it places on control of the information environment, both domestically and as part of campaigns to expand the Russian sphere of influence abroad. Yet, despite this Russian focus, the Ukrainian government has demonstrated incredible resilience against physical assaults, cyberattacks, and disinformation campaigns against and within the Ukrainian information environment and has committed to further interlacing government services and digital platforms.

The centrality of this environment to the conduct of this war means that private actors are necessarily enmeshed in the conflict. As providers of products and services used for Ukrainian defense, these companies are an important part of the buttressing structure of that defense. The centrality of private companies in the conduct of the war in Ukraine brings to light new and increasingly important questions about what it means for companies to act as information infrastructure during wartime, including:

What is the complete incentive structure behind a company’s decision to provide products or services to a state at war?
How dependent are states on the privately held portions of the information environment, including infrastructure, tools, knowledge, data, skills, and more, for their own national security and defense?
How can the public and private sectors work together better as partners to understand and prepare these areas of reliance during peace and across the continuum of conflict in a sustained, rather than ad hoc, nature?

Incentives

The war in Ukraine spurred an exceptional degree of cooperation and aid from private companies within Ukraine and from around the globe. Much of public messaging around the private sector’s assistance of Ukrainian defense centers around the conviction of company leadership and staff that they were compelled by a responsibility to act. This is certainly one factor in their decision. But the depth of private actor involvement in this conflict demands a more nuanced understanding of the full picture of incentives and disincentives that drive a company’s decision to enter into new, or expand upon existing, business relationships with and in a country at war. What risks, for example, do companies undertake in a war in which Russia has already demonstrated its conviction that private companies are viable military targets? The ViaSat hack was a reminder of the uncertainty that surrounds the designation of dual-use technology, and the impact that such designations have in practice. What role did public recognition play in companies’ decisions to provide products and services, and how might this recognition influence future earnings potential? For example, while their remarks differed in tone, both Elon Musk on Twitter and Microsoft in its special report on Ukraine publicly claimed partial credit for the defense of Ukraine.

As the war continues into its second year, these questions are important to maintaining Ukraine’s cooperation with these entities. With a better understanding of existing and potential incentives, the companies, the United States, and its allies can make the decision to responsibly aid Ukraine much easier.

Dependencies

Private companies play an important role in armed conflict, operating much of the infrastructure that supports the information environment through which both state and non-state actors compete for control. The war in Ukraine has illustrated the willingness of private actors, from Ukrainian telecommunications companies to transnational cloud and satellite companies, to participate as partners in the defense of Ukraine. State dependence on privately held physical infrastructure is not unique to the information environment, but state dependence on infrastructure that is headquartered and operated extraterritorially is a particular feature.

Prior to and throughout the war, the Ukrainian government has coordinated successfully with local telecommunication companies to expand, preserve, and restore mobile, radio, and internet connectivity to its population. This connectivity preserved what Russia was attempting to dismantle—a free and open Ukrainian information environment through which the Ukrainian government and population can communicate and coordinate. The Ukrainian government has relied on these companies to provide service and connectivity, working alongside them before and during the war to improve infrastructure and to communicate priorities. These companies are truly engaging as partners in Ukrainian defense, especially because this information infrastructure is not just a medium through which Russia launches attacks but an environment that Russia is attempting to seize control of. This dependence has not been unidirectional—the companies themselves are inextricably linked to this conflict through their infrastructure, employees, and customers in Ukraine. Each is dependent to some degree on the other and during times of crisis, their incentives create a dynamic of mutual need.

The Ukrainian government has also relied on a variety of transnational companies though the provision of technology products or services and information infrastructure. As examined in this report, two areas where the involvement of these companies has been especially impactful are cloud services and satellite internet services. Cloud services have preserved data integrity and security by moving information to data centers distributed around the world, outside of Ukrainian territory and under the cyber-protection of those cloud service companies. Satellite services have enabled flexible and resilient connectivity, once again located and run primarily outside of Ukraine. These companies can provide essential services within the information environment and the physical environment of Ukraine, but are not fundamentally reliant on the integrity of the country. This dynamic is heightened by the fact that cloud service providers like Microsoft, Amazon Web Services, Google, and satellite internet service providers like Space X’s Starlink are operating within a market with global reach and very few competitors. While these companies and others have made the laudable decision to contribute to Ukrainian defense, the fact is that had they not, there are only a few, if any, other companies with comparable capabilities and infrastructure at scale. Additionally, there’s very little Ukraine or even the US government could have done to directly provide the same capabilities and infrastructure.

Coordination

Built into the discussions around dependency and incentives is the need for government and the private companies who own and operate information infrastructure to coordinate with each other from a more extensive foundation. While coordination with Ukrainian companies and some transnational companies emerged from sustained effort, many instances of private sector involvement were forged on an ad hoc basis and therefore could not be planned on in advance. The ad hoc approach can produce rapid results, as seen by Minister Fedorov’s tweet at Elon Musk and receipt of Starlink devices just days later. While this approach has been wielded by the Ukrainian government, and the Ministry for Digital Transformation in particular, to great effect, this very same example illustrates the complexity of transforming ad hoc aid into sustainable partnerships. Sustainability is especially important when states are facing threats outside of open war, across the continuum of insecurity and conflict where many of these capabilities and infrastructures will continue to be relied upon. Security and defense in the information environment requires states to work in coordination with a diverse range of local and transnational private actors.

Recommendations

Key recommendations from this paper ask the US government, in coordination with the Ukrainian government, to better understand the incentives that surround private sector involvement, to delineate states’ dependency on private information infrastructure, and to improve long-term public-private coordination through three pathways:

Define support parameters. Clarify how private technology companies can and should provide aid
Track support. Create a living database to track the patterns of technological aid to Ukraine from US private companies
Facilitate support requests. Add to the resilience of the Ukrainian information environment by facilitating US private aid.

Define support parameters

Private information infrastructure companies will continue to play a key role in this war. However, there are a number of unresolved questions regarding the decisions these companies are making about if, and how, to provide support to the Ukrainian government to sustain its defense. A significant barrier may be the lack of clarity about the risks of partnership in wartime, which may disincentivize action or may alter existing partnerships. Recent SpaceX statements surrounding the bounding of Starlink use is an example, at least in part, of just such a risk calculous in action. The US government and its allies should release a public directive clarifying how companies can ensure that their involvement is in line with US and international law—especially for dual-use technologies. Reaffirming, with consistent guidelines, how the United States defines civilian participation in times of war will be crucial for ensuring that such actions do not unintentionally legitimize private entities as belligerents and legitimate targets in wartime. At the direction of the National Security Advisor, the US Attorney General and Secretary of State, working through the Office of the Legal Advisor at the State Department, should issue public guidance on how US companies can provide essential aid to Ukraine while avoiding the designation of legitimate military target or combatant under the best available interpretation of prevailing law.

Track support

While a large amount of support for Ukraine has been given directly by or coordinated through governments, many private companies have started providing technological support directly to the Ukrainian government. Some private companies, especially those with offices or customers in Ukraine, got in touch directly with, or were contacted by, various Ukrainian government offices, often with specific requests depending on the company’s products and services.¹²⁶

However, the US government does not have a full and complete picture of this assistance, which limits the ability of US policymakers to track the implications of changing types of support or the nature of the conflict. Policymakers should have access to not only what kind of support is being provided by private US companies, but also the projected period of involvement, what types of support are being requested and denied by companies (in which case, where the US government may be able to act as an alternative provider), and what types of support are being supplied by private sector actors without a significant government equity or involvement. A more fulsome mapping of this assistance and its dependency structure would make it possible for policymakers and others to assess its impact and effectiveness. This data, were it or some version of it publicly available, would also help private companies providing the support to better understand how their contributions fit within the wider context of US assistance and to communicate the effect their products or services are having to stakeholders and shareholders. Such information may play a role in a company’s decision to partner or abstain in the future.

The US government should create a collaborative task force to track US-based private sector support to Ukraine. Because of the wide equities across the US government in this area, this team should be led by the State Department’s Bureau of Cyberspace and Digital Policy and include representatives from USAID, the Department of Defense’s Cyber Policy Office, the National Security Agency’s Collaboration Center, and the Cybersecurity and Infrastructure Security’s Joint Cyber Defense Collaborative. This task force should initially focus on creating a picture of public-private support to Ukraine from entities within the United States, but its remit could extend to work with allies and partners, creating a fulsome picture of international public-private support.

Facilitate support requests

Tracking the technical support that is requested, promised, and delivered to the Ukrainian government is an important first step toward gaining a better understanding of the evolving shape of the critical role that the private sector is increasingly playing in conflict. But closer tracking, perhaps by an associated body, could go further by acting as a process facilitator. Government offices and agencies have long been facilitators of private aid, but now states are increasingly able to interact with, and request support from, private companies directly, especially for smaller quantities or more specific products and services. While this pathway can be more direct and efficient, it also requires a near constant churn of request, provision, and renewal actions from private companies and Ukrainian government officials.

Private organizations have stepped into this breach, including the Cyber Defense Assistance Collaboration (CDAC), founded by Greg Rattray and Matthew Murray, now a part of the US-based non-profit CRDF Global. CDAC works with a number of US private technology companies, as well as the National Security and Defense Council of Ukraine and the Ukrainian think tank Global Cyber Cooperative Center, to match the specific needs of Ukrainian government and state-owned enterprises with needed products and services offered by companies working in coordination.¹²⁷

The growth and reach of this effort demonstrate the potential impact that a government-housed, or even a government-sponsored mechanism, could have in increasing the capacity to facilitate requests from the Ukrainian government, decreasing the number of bureaucratic steps required by Ukrainian government officials while increasing the amount and quality of support they receive. In addition, government facilitation would ease progress toward the previously stated recommendations by building in clarity around what kind of support can be provided and putting facilitation and aid tracking within a single process. As discussed above, this facilitation should start with a focus on US public-private support, but can grow to work alongside similar allied efforts. This could include, for example, coordination with the United Kingdom’s Foreign, Commonwealth and Development Office (FCDO) program, which “enables Ukrainian agencies to access the services of commercial cybersecurity companies.”¹²⁸ Crucially, this task force, helmed by the State Department’s Bureau of Cyberspace and Digital Policy, would act as a facilitator, not as a restricting body. Its mission in this task would be to make connections and provide information.

In line with tracking, US government facilitation would enable government entities to communicate where assistance can be most useful, such as shoring up key vulnerabilities or ensuring that essential defense activities are not dependent on a single private sector entity, and ideally, avoiding dependency on a single source of private sector assistance. A company’s financial situation or philanthropic priorities are always subject to change, and the US government should be aware of such risks and create resilience through redundancy.

Central to this resilience will be the provision of support to bolster key nodes in the Ukrainian telecommunications infrastructure network against not just cyber attacks but also against physical assault, including things like firewalls, mine clearing equipment, and power generators. Aiding the Ukrainian government in the search for another reliable partner for satellite communication devices that offer similar flexibility as Starlink is also necessary, and a representative from the Pentagon has confirmed that such a process is underway, following Musk’s various and contradictory statements regarding the future of SpaceX’s aid to Ukraine back in October.¹²⁹ Regardless, the entire SpaceX experience illustrates the need to address single dependencies in advance whenever possible.

A roadblock to ensuring assistance redundancy is the financial ability of companies to provide products and services to the Ukrainian government without charge or to the degree necessary. While the US government does provide funding for private technological assistance (as in the Starlink example), creating a pool of funding that is tied to the aforementioned task force and overseen by the State Department’s Bureau of Cyberspace and Digital Policy, would enable increased flexibility for companies to cover areas of single dependence, even in instances that would require piecemeal rather than one-to-one redundancy. As previously discussed, many companies are providing support out of a belief that it is the right thing to do, both for their customers and as members of a global society. However, depending on whether that support is paid or provided for free, or publicly or privately given, a mechanism that provides government clarity on private sector support, tracks the landscape of US private support to Ukraine, and facilitates support requests would make it easier for companies to make the decision to start or continue to provide support when weighed against the costs and potential risks of offering assistance.

Looking forward and inward

The questions that have emerged from Ukraine’s experience of defense in and through the information environment are not limited to this context. Private companies have a role in armed conflict and that role seems likely to grow, along with the scale, complexity, and criticality of the information infrastructures they own and operate. Companies will, in some capacity, be participants in the battlespace. This is being demonstrated in real time, exposing gaps that the United States and its allies and partners must address in advance of future conflicts.

Russia’s war on Ukraine has created an environment in which both public and private assistance in support of Ukrainian information infrastructure is motivated by a common aversion toward Russian aggression, as well as a commitment to the stability and protection of the Ukrainian government and people. This war is not over and despite any hopes to the contrary, similar aggressions will occur in new contexts, and with new actors in the future. It is crucial that in conjunction with examining and mitigating the risks related to the involvement of private technology companies in the war in Ukraine, the US government also examines these questions regarding its own national security and defense.

The information environment is increasingly central to not just warfighting but also to the practice of governance and the daily life of populations around the world. Governments and populations live in part within that environment and therefore atop infrastructure that is owned and operated by the private sector. As adversaries seek to reshape the information environment to their own advantage, US and allied public and private sectors must confront the challenges of their existing interdependence. This includes defining in what form national security and defense plans in and through the information environment are dependent upon private companies, developing a better understanding of the differing incentive structures that guide private sector decision-making, and working in coordination with private companies to create a more resilient information infrastructure network through redundancy and diversification. It is difficult to know what forms future conflict and future adversaries will take, or the incentives that may exist for companies in those new contexts, but by better understanding the key role that private information and technology companies already play in this domain, the United States and allies can better prepare for future threats.

About the Authors

Emma Schroeder is an associate director with the Atlantic Council’s Cyber Statecraft Initiative, within the Digital Forensic Research Lab, and leads the team’s work studying conflict in and through cyberspace. Her focus in this role is on developing statecraft and strategy for cyberspace that is useful for both policymakers and practitioners. Schroeder holds an MA in History of War from King’s College London’s War Studies Department and also attained her BA in International Relations & History from the George Washington University’s Elliott School of International Affairs.

Sean Dack was a Young Global Professional with the Cyber Statecraft Initiative during the fall of 2022. He is now a Researcher at the NATO Parliamentary Assembly, where he focuses on the long-term strategic and economic implications of Russia’s invasion of Ukraine. Dack graduated from Johns Hopkins School of Advanced International Studies in December 2022 with his MA in Strategic Studies and International Economics.

Acknowledgements

The authors thank Justin Sherman, Gregory Rattray, and Gavin Wilde for their comments on earlier drafts of this document, and Trey Herr and the Cyber Statecraft team for their support. The authors also thank all the participants, who shall remain anonymous, in multiple Chatham House Rule discussions and one-on-one conversations about the issue.

The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

learn more

Issue briefs and reports

Fast Thinking

New Atlanticist

Inflection Points

UkraineAlert

MENASource

Econographics

A parallel terrain: Public-private defense of the Ukrainian information environment

Table of contents

Executive summary

Introduction

The Russian information offensive

The Crimean precedent – 2014

A parallel occupation – 2022

Digital information infrastructure

Physical information infrastructure

Narrative Warfare: How the Kremlin and Russian news outlets justified a war of aggression against Ukraine

Undermining Ukraine: How the Kremlin employs information operations to erode global confidence in Ukraine

Reclaiming the Ukrainian information environment

Preparation of the environment

Bolstering Ukrainian connectivity

Backing up a government

Mounting an elastic defense

Working for wireless

Searching for satellite

Reclaiming Territory

Key Takeaways

Incentives

Dependencies

Coordination

Recommendations

Define support parameters

Track support

Facilitate support requests

Looking forward and inward

About the Authors

Acknowledgements