Persistent partnerships in cyberspace
From Ukraine to the Indo-Pacific, cooperation safeguards the digital domain
FORUM Staff
When Japan Ground Self-Defense Force Lt. Gen. Hiroe Jiro went to Ukraine in 2020, the nation’s sophisticated cyber defenses came as a surprise. It was six years after Russia seized Crimea and invaded eastern Ukraine, launching a yearslong cyber onslaught along the way. Russian-affiliated cyberattacks targeted Ukraine’s Central Election Commission, took down power grids and unleashed malware. Disruptive software wiped out computer systems in Ukrainian financial, energy and government institutions as it spread across the globe.
Hiroe, the commanding general of Japan’s Training, Evaluation, Research and Development Command, had expected devastation. “I was surprised to see that the Ukrainian forces had already established complete cyber measures,” he said. “The government entity and the military came up with regulations … and then divided their entire country into small regions so that they can control each of the networks and the systems. It seemed very, very good.”
The explanation Hiroe’s Ukrainian counterparts gave for their accomplishments: partnership. Ukraine developed its advanced cyber defense systems and bolstered its cyber resilience with the help of international partners, including European countries and the United States, Hiroe told an audience at the Land Forces Pacific (LANPAC) Symposium & Exposition in Hawaii in May 2023.
A NATO Trust Fund on Cyber Defense for Ukraine, for example, provided support in developing technical capabilities and creating laboratories to investigate cybersecurity incidents. The U.S.-Ukraine Bilateral Cyber Dialogue began in 2017, linking Ukraine with U.S. Defense, Energy and Treasury departments to strengthen national response planning, infrastructure security and information sharing. Hiroe said Ukraine also credited assistance from U.S. industries in hardening networks. “It seemed that the Ukrainian forces could strike back [from] what they suffered in 2014,” Hiroe said. “That’s thanks to the NATO countries and the U.S. industries.”
Defending forward
The U.S. Cyber Command (USCYBERCOM) deploys teams worldwide on Hunt Forward operations, defensive missions undertaken at the request of partner nations to detect malicious cyber activity on host nation networks. The goal is to make Allies and Partners a more difficult target for malign actors, according to U.S. Army Lt. Gen. William Hartman, USCYBERCOM’s deputy commander and former commander of the Cyber National Mission Force (CNMF), whose specially trained personnel secure and defend the U.S. Department of Defense information network against cyberattacks. “We are building strategic partnerships with like-minded nations around the world,” he said during a LANPAC discussion on cyber and information warfare. “At the end of the day, it’s going to make both the United States and Allies and Partners better able to defend themselves.”
Hunt Forward teams have deployed on at least 47 missions in more than 20 countries in recent years, working with partner nations to detect and defend against threats. “When we gain information in foreign space, we immediately share that with whoever we can in order to ensure that the broadest number of organizations are protected,” Hartman said.
A January 2022 Hunt Forward operation in Ukraine included 40 personnel and was the CNMF’s third deployment to the country. At the time, Russian soldiers were massing on the Ukrainian border in preparation for an unprovoked invasion that would come the following month. The U.S. team worked with Ukrainian counterparts to uncover Russia’s stealthier attempts at attack. “The team is on the ground in mid-January as we start to see a number of destructive Russian wiper attacks aimed at Ukrainian networks,” Hartman said, referring to a cyberattack that destroys data stored on a network. “The team is immediately able to support the Ukrainian partner on network remediation. … We’re able to collect indicators of compromise. We’re able to collect malicious software that the Russians had used in Ukraine.” The next step is to share that information with government and private industry, a move that protects critical civilian infrastructure and defense systems.
“A threat to the Ukrainians from Russia is a threat to all of us,” Hartman said. “A threat anywhere … from China is generally a threat to all of us. So, the ability to share is fundamentally important.”
Cyber force efforts continued after Russian forces invaded Ukraine. As private industry, foreign governments and other partners flooded the nation with offers of cybersecurity assistance, the U.S. analyzed and passed on the most relevant information about digital vulnerabilities that Ukraine needed to address.
“It is all about partnerships,” Hartman said. “We have shared over 5,000 indicators of compromise, either from Ukraine to us or from us back to Ukraine, in order to do everything we can to ensure that the United States, our partners and allies are protected against what the Russians are doing in Ukraine but also to ensure that the Ukrainians’ networks are as difficult as possible for the Russians to continue to attack and exploit.”
The CNMF has in recent years been invited to conduct Hunt Forward operations in Albania, partnering with the country’s National Agency for Information Society; Estonia in partnership with local cyber personnel; Latvia, working with Canada and Latvia’s Security Incident Response Institution; Lithuania, alongside the nation’s cyber forces; and in the U.S. Southern Command’s area of responsibility, which covers dozens of countries in Latin America and the Caribbean.
The team also conducts Hunt Forward missions with Indo-Pacific allies, according to a 2021 report, “U.S. and Allied Cyber Security Cooperation in the Indo-Pacific,” from the Center for Global Security Research (CGSR) at Lawrence Livermore National Laboratory, a research and development institution in California that applies science and technology to national security. U.S. agencies adopt a flexible approach when granted access to partner networks based on the allies’ tolerance for publicly displaying cyber cooperation, the report noted.
The region’s principal cyber threats emanate from the People’s Republic of China (PRC), followed by North Korea, Russia and Iran, experts say. The CGSR cites PRC-sponsored cyber activities involving disinformation campaigns; election interference; intellectual property theft; and attempts at political manipulation throughout the Indo-Pacific. Economic interdependence and the threat of retribution leave some nations reluctant to publicly document the PRC’s malicious cyber actions or to implement hawkish cybersecurity policies. Indo-Pacific allies, however, “do not have the luxury of time,” the CGSR warned. “The consequences of waiting for diplomatic cybersecurity solutions outweigh the benefits of finding common ground in the short term.” An achievable goal, the report noted, is for Allies and Partners to reach a level of cybersecurity cooperation that conveys to adversaries, “to beat any one of us, you have to beat all of us.”
At LANPAC, Lt. Gen. Maria Barrett, commanding general of the U.S. Army Cyber Command, highlighted the connection between cyber and information warfare — and the role international cooperation can play in combating weaponized information. Forces that work together to understand where foreign malign influence originates and how it takes hold are not only more resilient to information warfare but also are in a better position to counter malign campaigns, she said. “The partnerships that we develop have to be persistent and they have to be real … in order to deny and degrade threats to territorial sovereignty with what we’re doing.”
Advance integration
Ukraine is the world’s first major conflict involving large-scale cyber operations, according to James Lewis, senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies. Cyber defense that merges national, foreign, government and private entities enables Ukraine to monitor attacks, block malign actors and respond to vulnerabilities. “The lesson,” Lewis wrote in a 2022 review published by the U.S.-based think tank, “is to develop relationships and integrate partners through actions that go beyond meetings and seminars to include planning and exercises well in advance of any attack.”
USCYBERCOM’s annual Cyber Flag exercise offers one such opportunity. The Cyber Flag 23-1 drills, which were held in Virginia in late 2022 and focused on the Indo-Pacific, bring together Allies and Partners for realistic “hands-on-keyboard training” in detecting, identifying and mitigating the presence of adversaries on digital networks. Designed to bolster readiness and interoperability in cyber defense, Cyber Flag 23-1 included more than 250 professionals from Australia, France, Japan, New Zealand, Singapore, South Korea, the United Kingdom, and the U.S. Navy Fleet and Marine Forces cyber commands. In addition to a two-day symposium and a tabletop exercise, the event included briefings, coordination discussions and sessions on cyberspace in the Indo-Pacific, the first time that the series emphasized the region.
The Philippines and U.S.-sponsored exercise Balikatan launched its inaugural cyber defense exercise (CYDEX) in April 2023. Cyber professionals from the Armed Forces of the Philippines and the U.S. military used an interactive platform at Camp Aguinaldo outside Manila to defend a military network and civilian infrastructure from simulated malign actors in cyberspace. Among the challenges were understanding the procedures used by partners and merging approaches into a successful collective cyber defense. “Other nations engaging in this type of cyberwarfare capability, they can cripple people without firing a gun,” Philippine Navy Cmdr. Reynan Carrido told FORUM during Balikatan. “Cyber can be used as a form of warfare that can cripple the economy of another state. The scenarios within the [CYDEX] exist in the current world and need to be addressed.”
Other cybersecurity partnerships are maturing in the Indo-Pacific. Thailand’s military has joined with the U.S. for five years to offer cyber training during the multilateral exercise Cobra Gold. The March 2023 cyber exercise at Thailand’s Camp Red Horse also included participants from Australia, Indonesia, Japan, Malaysia, Singapore and South Korea. Recent drills have focused on protecting critical infrastructure networks. U.S. Air Force Lt. Col. Jason Silves, the exercise director, told FORUM the training drives decisions that can enhance efficiency. “Quite frankly, there are questions we need to ask and address now in exercises. … When conflict happens, we will have that mission,” he said.
Nations throughout the Indo-Pacific and beyond are also building shared frameworks for defending against cyberattacks. Australia, the U.K. and the U.S. have pledged to collectively protect critical communications and operations systems. Quad partners Australia, India, Japan and the U.S. have committed to collaboration and information sharing in the cyber domain. The four countries are developing a system to share immediate reports on cyberattacks and damage to critical infrastructure.
At LANPAC, cyber defense experts also stressed the importance of nations developing unified efforts before malicious actors target infrastructure or use cyber tools to weaponize false narratives. “If we are collectively going to be prepared to deal with the threat — not just in this theater but globally — it is going to take partnerships … among the talented people that come from all of our nations,” Hartman, the USCYBERCOM deputy commander, said. “The time to deal with the threat and work together is now.”