The standard argument about the European Union’s role in the Russia-Ukraine crisis is that, since Brussels is ill-equipped to counter the Russian military threat, it should limit its support to the Ukrainian economy and sanctions on Russia. However, this is a narrow vision of the EU’s capabilities and potential actions. Russia is launching a digital war against Ukraine. And the EU has extensive cyber, connectivity, and counter-disinformation capabilities. So, while the union cannot play a direct military role in the crisis, it need not limit itself to economic and diplomatic action.
If any additional proof was needed for the hybrid nature of the Russia-Ukraine crisis and the EU’s particular role in this conflict, it came on the evening of 21 February. Just moments after the Russian Security Council recognised the independence of Luhansk and Donetsk, the EU Foreign Affairs Council announced that the union would deploy its Cyber Rapid Response Team – a product of Permanent Structured Cooperation – for the first time, to help Ukraine fend off further Russian cyber-attacks. In light of Moscow’s recent move to send more troops into the two eastern Ukrainian regions, this may seem like a minor decision. But it marks an important moment in the crisis.
The EU demonstrated its economic power on 22 February by deploying new sanctions on Russia. But the union has other effective means to counter Russian hybrid aggression against Ukraine. And, as shown by the decision to deploy the Cyber Rapid Response Team, the union can act decisively to defend Ukraine’s cyberspace and secure its digital sovereignty.
This assistance for Ukraine in the cyber, counter-disinformation, and connectivity domains should not be a one-off gesture. It should instead serve as proof that the EU is a geo-tech player to be reckoned with: a ‘digital ally’ that enables like-minded countries to improve their capacity to withstand hybrid attacks. The Russia-Ukraine crisis has forced the EU to postpone its discussions on the development of an external digital policy. However, the EU’s efforts to help Ukraine respond to the digital component of Russia’s hybrid war should provide renewed motivation to complete this policy.
Since 2013, Ukraine has been ground zero for Russia’s disinformation operations and cyber-attacks. It is now under full-scale cyber-assault. According to the Ukrainian government, the country suffered roughly 288,000 cyber-attacks in the first ten months of 2021. The latest in this long series of operations took place on 15 February 2022. Amid Russia’s build-up of troops at the Ukrainian border, Ukraine’s Ministry of Defence website was hit with what appeared to be a basic distributed denial of service attack, which overwhelmed it with internet traffic. This came just a month after more than 70 Ukrainian government websites, including that of the Ministry of Foreign Affairs, were targeted by WhisperGate malware. The attack left an ominous warning on affected pages: “Ukrainian! All your personal data was uploaded to the public network … Be afraid and expect the worst.”
According to Ukraine’s intelligence services, the priority of the as-yet-unidentified cyber-attackers was not to retrieve information or to compromise systems. Rather, it was aimed at “destabilising and discrediting the authorities”. If the government cannot protect its own websites, Ukrainian citizens were supposed to think, how can it govern the country and defend its territory?
To further undermine the Ukrainian government’s authority, these cyber-attacks have been accompanied by a massive Russian disinformation campaign. Since 2015, the EU’s project to counter this threat has gathered and debunked 13,500 pro-Kremlin pieces of disinformation. Nearly 40 per cent of this disinformation has targeted Ukraine.
But neither these presumably Russian cyber-attacks nor the pro-Kremlin disinformation campaigns are confined to Ukrainian cyberspace. On Ukraine’s Constitution Day in 2017, the NotPetya malware infiltrated Ukrainian systems. It then rapidly spread across borders, paralysing corporations around the world and becoming the most destructive malware ever deployed. During the recent WhisperGate attack, some Western companies operating in Ukraine disconnected their systems from Ukrainian cyberspace to avoid similar damage to their networks. While these protective measures may be understandable, they ultimately serve Moscow’s interests in the conflict. Such digital disconnects hamper Ukraine’s economic development and integration into the EU – underscoring the Kremlin’s narrative that, when push comes to shove, the country cannot rely upon the West.
Similarly, Moscow’s vast disinformation campaigns reach far beyond Ukraine. The unambiguous goal of Russian disinformation targeted at EU and NATO member states is to deepen divisions between EU citizens and governments, and to undermine EU support for Ukraine.
Moscow’s cyber-attacks and disinformation campaigns should be seen as part of a hybrid war that blurs the traditional distinctions between types of conflict – and even between war and peace. In this form of warfare, digital attacks can either enable subsequent military attacks or, as Ivan Krastev has pointed out in the case of Ukraine, be part of a double game that could be more destructive than the military conflict itself. Russian military action could be primarily a precursor to the weaponisation of the information space and data flows (and their disruption). This could be the main mechanism through which the Kremlin seeks to achieve its main strategic goal, which is to undermine Ukrainian sovereignty from within.
This form of hybrid warfare creates an important opportunity for one player that, so far, has been side-lined in the conflict: the EU. No doubt, the cyberspace capacities of the United States and NATO will be crucial in supporting Ukraine throughout the crisis, but the EU has invested heavily in securing Ukraine’s digital sphere since 2013 and should now intensify these efforts.
EU support for Ukraine
In 2015 the European External Action Service (EEAS) created the East StratCom Task Force “to address Russia’s ongoing disinformation campaigns”. Through its flagship project EUvsDisinfo, East StratCom exposes and analyses Russian disinformation targeted at eastern Europe. Beyond this, East StratCom supports the Ukrainian government in its strategic communications against disinformation, cooperates with Ukrainian civil society organisations to debunk fake news online, and helps Ukraine – and other countries, including EU member states – protect their electoral campaigns from foreign interference. East StratCom has long suffered a dearth of substantive political support. The organisation now appears to be receiving the necessary attention but, if the EU is to fend off Moscow’s long-running operations, it must now translate this attention into increased funding and greater ambition. This includes extending to Ukraine and other interested parties the EU’s Rapid Alert System on Disinformation, which was set up following the European Commission’s 2018 communication on disinformation.
Since 2020, the EU has supported Ukraine’s digital transformation by way of its largest bilateral digital programme for any partner country. The EU4DigitalUA project addresses key components of the country’s cyber-struggle against Russia, including the enhancement of cyber-security and the provision of secure digital infrastructure. In parallel, as part of the implementation process of the EU-Ukraine Association Agreement, the European Commission is helping the country improve its digital legislation. So far, Ukraine’s priorities in this effort have been to strengthen telecommunications laws and improve network security. Legislation on electronic communications that resembles EU standards became law in Ukraine on 1 January 2022. And, on 11 February, Ukraine’s president signed an accompanying telecommunications law to further prepare the country for integration into the EU’s digital single market. Moreover, Ukraine is in the process of implementing an EU directive that will improve the cyber-security of its critical infrastructure.
Regulatory alignment with the EU and enhanced cyber-security are fundamental to attracting new investment in Ukraine. This will spur digital economic growth and increase the country’s resilience against Russian economic and cyber-destabilisation tactics. Faced with the current crisis, the EU should intensify its efforts to support the Ukrainian authorities in their drive to implement new digital legislation.
The development of Ukraine’s public sector cyber-security capacity should be central to EU efforts in these areas. Indeed, the first EU-Ukraine cyber-security dialogue, held in June 2021, addressed the importance of such capacity-building measures. But, importantly, the EU should also invest in Ukraine’s private sector and in public-private partnerships to build trust between public and private stakeholders. If companies that are targeted by cyber-attacks do not systematically share information on them with authorities, there will be no way to develop an effective national system to detect threats and coordinate defence mechanisms. And, unless Ukraine matches the cyber-security expertise in its private sector with similar expertise in its public sector, even the best digital legislation will be a paper tiger. Until Ukraine builds up the cyber-capacities and trust it requires (which will take years), the EU will need to lend the country support from European cyber-security experts. This is why the decision to deploy the Cyber Rapid Response Team is crucial.
For the EU, Ukraine’s predicament should be the starting point of a lesson in how to build an effective external digital policy. Russian President Vladimir Putin’s military plans may be unclear, but his ambitions in the digital realm are anything but. And the EU knows what needs to be done. It should strengthen Ukraine’s cyber-security capacities; invest in secure digital infrastructure in Ukraine; and help the country improve its digital legislation and expand its fight against disinformation.
The EU has more power in the digital realm than is commonly assumed. Therefore, the union has a responsibility to enhance its foreign digital policy efforts in Ukraine and beyond. As outlined in its 2030 Digital Compass, the EU knows that it needs to engage in digital partnerships with like-minded countries and to take a more comprehensive approach to diplomatic outreach on digital issues. In July 2021, the Foreign Affairs Council gave Borrell and the European Commission a joint mandate to develop an ambitious external digital policy, aiming to provide the union with the tools it requires to help its partners protect their democracies and economies from state-backed cyber-threats.
Although the Russia-Ukraine crisis may appear to be a distraction from these goals, it provides a vital opportunity to demonstrate the value and significance of this policy. If the EU really wants to become a major geopolitical player, now is the time and cyberspace is the place.
The European Council on Foreign Relations does not take collective positions. ECFR publications only represent the views of their individual authors.