Tim Clark MBCS talked with Charlie Bradbury, a public sector security strategy consultant with military experience. They discussed the war in Ukraine and its implications for future conflict and cyberwarfare.
During our discussions about the implications of the conflict, Charlie highlighted a number of lessons that armed forces around the world can learn from Ukraine, and we also discussed valuable takeaways that businesses should take note of as they plan ahead for risk management and disaster recovery.
The failure of Russia’s cyberwarfare
One of the first points of discussion was how the power of military cyberweapons is not truly evident until they are actually used in conflict. Ukraine had been hardening their digital infrastructure against potential cyber attacks since the 2014 annexation of the Crimean peninsula. This played a huge part in strengthening their defence against the rise in Russian attacks during the Donbas Invasion.
‘Russia sought to sow chaos and cause major disruption to television broadcasts, government services and businesses, leading to public panic’, began Bradbury. ‘A combination of hubris and poor preparation led to a disappointing outcome, with the most significant attack being the disruption of the KA-SAT satellite, operated by Viasat. This attack provided little tactical advantage to Russia, and viewed through this lens it was a failure.’
Managing Disinformation
Disinformation made poor progress through a population not only used to such Russian propaganda, but actively educated through government-driven initiatives. Strong leadership and clear messaging is key to combatting a disinformation campaign on the scale that Ukraine faces from Russia. Bradbury commented, ‘President Zelensky has played a crucial role in controlling the narrative around the war, tailoring his speeches to each audience and tackling disinformation head on.’
The Ukrainian Centre for Countering Disinformation could prove instrumental in tackling the problem by fortifying the independence of the Ukrainian press and attempting to tackle online trolls, AI generated content, propaganda and other fake news before it spreads. Digital literacy on this subject around the world will be essential to learning how to safeguard democracies from disinformation.
Open Source Intelligence
‘Open Source Intelligence (OSINT) has provided key information to help shape military strategy’, said Bradbury. ‘A community of volunteers has risen online to support Ukraine by filtering through publicly available information, providing insights that would be difficult to obtain with computer analysis alone. The most notable example of this occurred at the cusp of the invasion, where researchers were able to spot a formation of Russian tanks on the border, and used Google Maps traffic data to spot a traffic build-up which indicated the advance of the military convoy. Several organisations such as Bellingcat and Oryx have mapped war crimes, and some groups have gone further and used facial recognition to attempt to find those responsible for such atrocities as the Bucha massacre.’
Consumer grade military tech
In my previous article, I mentioned how Ukrainians have improved their strategy by using mass market consumer technology in place of traditional military-grade hardware. Bradbury pointed out that ‘lessons should be learned here for our own military procurement, where long cycles of research and development could be replaced by iterative lean processes that minimise waste.’
He continued: ‘Rapid commercialisation of supposedly military-grade technology, including communications, optics and drones has made this available to anyone who wishes to buy it. Cheaper drones had already proven effective in the second Nagorno-Karabakh War, where Azerbaijan used them for reconnaissance and more precise air strikes. Ukraine has learnt from this and taken advantage of donated drones, providing aerial intelligence for their frontline troops.’
For you
Be part of something bigger, join BCS, The Chartered Institute for IT.
Another highly sought-after technology has been Elon Musk’s Starlink, whose satellite network brought internet connectivity back to Ukraine. Bradbury noted the huge impact this technology has had on the conflict, not only by keeping essential services online for the general public, but also through its tactical advantages. ‘Military communications via satellite are more difficult to triangulate, making it harder for Russian troops to pinpoint their Ukrainian counterparts. Additionally, the dispersed nature of the Starlink terminals makes it harder for Russian missiles to disrupt the internet in any significant capacity.’
We discussed that in spite of his philanthropic generosity, Musk has exposed the fragility of relying on donations from private individuals and corporations to provide wartime services. Bradbury commented, ‘SpaceX drew controversy when it limited Ukraine’s ability to use its service to control drones earlier this year, and has continuously said that service could only be provided for a limited time. Eventually, the Pentagon agreed to fund this essential service.’
The move to reliance on consumer-grade technology brings up an interesting opportunity to reinvent military procurement for the 21st century. Bradbury pointed out: ‘Agile management of procurement is desperately needed.’ He referred to Eric Reiss’ famous book, The Lean Startup, explaining that ‘management of procurement should become more agile, allowing fast cycles of testing and iteration to determine appropriate solutions. This might become essential for western allies if future wars rely less on a manoeuvrist approach and turn into further wars of attrition.’
Lessons learned
We closed our discussion by talking about some of the key security issues currently affecting the UK, particularly in small to medium-sized businesses and in the public sector. Bradbury highlighted the key role that human factors play in security: ‘Any organisation, whether it be a government entity fortifying public services, or a small technology startup, has a responsibility to take cybersecurity seriously. Following government guidance from the National Cyber Security Centre, particularly the Cyber Essentials framework, provides a fantastic head-start for small businesses to bolster their security posture.’
Other key takeaways from our discussion, based on the wider lessons learned from the war in Ukraine included:
- Check your online fingerprint: what information is publicly available about your company online that could be abused? ‘This is particularly important in a world of generative AI’, assures Bradbury, ‘where a podcast featuring a C-level executive could be used by a creative attacker to generate a voice model for a vishing attack.’
- Prepare for the unexpected: run drills to prepare for worst-case scenarios.
‘This can range from automatic stress testing or random failure tools in demo/production code environments, to running security audits involving penetration testing key software and digital infrastructure’, Bradbury explains. ‘There are other operational risks to think about as well, such as how to work without an internet connection, and whether your company could work without an office. The latter was tested for all organisations during the COVID-19 pandemic but many companies had a work-from- home policy prior to the lockdowns, serving as preparation for such an event.’ - Be agile: ‘Everyone prepares to fight the last war’, concludes Bradbury, highlighting the importance of learning lessons from past mistakes, but also in making key strategic bets on the future threats that may be faced in wars yet to come. ‘Everyday businesses are facing a rapidly changing cyber threat landscape, changing trends, macroeconomic uncertainties and even natural or man-made disasters. In our uncertain world, adapting to change is paramount.’