Russia has engaged in a sustained, malicious cyber campaign against Ukraine and its allies since the February 24 invasion – but its lack of success shows that it's possible to defend against cyberattacks, even against some of the most sophisticated and persistent attackers, says the UK's cybersecurity chief.
"Try as they might, Russian cyberattacks simply have not had the intended impact," said Lindy Cameron, CEO of the National Cyber Security Centre (NCSC) – the cyber arm of GCHQ – speaking at Chatham House in London.
"But if the Ukrainian cyber defence teaches us a wider lesson – for military theory and beyond – it is that, in cybersecurity, the defender has significant agency. In many ways you can choose how vulnerable you can be to attacks."
These weren't the first offensive cyberattacks linked to the Russian state that have targeted Ukraine; attacks previously caused power outages in the winters of 2015 and 2016. Then, in 2017, Russia launched the NotPetya wiper malware attack against Ukraine, but the impact spread further, causing billions of dollars of damage around the world.
Since the invasion, Cameron said, "what we have seen is a very significant conflict in cyberspace – probably the most sustained and intensive cyber campaign on record." But she also pointed to the lack of success of these campaigns, thanks to the efforts of Ukrainian cyber defenders and their allies.
"This activity has provided us with the clearest demonstration that a strong and effective cyber defence can be mounted, even against an adversary as well prepared and resourced as the Russian Federation."
Cameron argued that not only does this provide lessons for what countries and their governments can do to protect against cyberattacks, but there are also lessons for organisations on how to protect against incidents, be they nation-state backed campaigns, ransomware attacks or other malicious cyber operations.
"Central to this is a commitment to long-term resilience," said Cameron. "Building resilience means we don't necessarily need to know where or how the threat will manifest itself next. Instead, we know that most threats will be unable to breach our defences. And when they do, we can recover quickly and fully."
These recommendations, which Cameron reiterated at Chatham House, include verifying that all software is up to date with the latest security patches, checking that backups are working properly, and having an incident response plan in place – because cyberattacks continue to represent a major threat.
"There may be organisations that are beginning to think 'is this still necessary?' as in the UK we haven't experienced a major incident related to the war in Ukraine. My answer is an emphatic 'yes'," Cameron said.
"UK organisations – and their network defenders – should be prepared for this period of elevated alert to be with us for the long haul. Across the UK, we need to focus on building long-term resilience. Just as the Ukrainian defenders have done," she added.