A combined resilience frame – considering both technical and sociopolitical internet resilience – highlights underappreciated aspects of Russia’s war on Ukraine.
Russia’s war on Ukraine has occupied far more global media and policy attention than Afghanistan, at least since the withdrawal of US troops from the latter – with two consequences for this research paper. First, attendees at the Chatham House event and subsequent interviewees spoke far more about Ukraine than Afghanistan or any other conflict, demonstrating Ukraine’s presence on the top tier of cyber policy issues. Second, far more research and analysis is available in the public domain on Ukraine than Afghanistan, including high-profile incidents relating to cyber resilience. For these reasons, this chapter is organized differently to that on Afghanistan.
The section on global resilience focuses largely on the impact of international actors on the Russian internet, while the section on local resilience examines the impact of Russia’s invasion on Ukrainian networks and people. It is crucial to underline the fact that any impact on Russian networks ultimately stems from the invasion itself, and that the devastation experienced by Ukraine is much greater than the limited impact on internet connectivity in Russia – which was already constrained by repressive domestic internet policies.
This chapter draws on interviews throughout to examine how a combined resilience frame helps to highlight underappreciated aspects of Russia’s war on Ukraine, especially from the point of view of private sector actors, whose roles and responsibilities shift, disrupt and change.
Ukraine’s internet resilience pre-war
Prior to 2022, Ukraine had developed a large technology sector, with close links to both Russia and Europe. Many US and European companies outsourced IT services to Ukraine, and Ukraine enjoyed a high level of technical and computer engineering education among young graduates. Ukraine also had an unusually complex and decentralized internet architecture, with a relatively high number of autonomous systems – which are the building blocks of the global internet – to population size compared to Western Europe. Frédérick Douzet et al. trace this structure to the uncoordinated development of the internet in the former Soviet states, where many small ISPs emerged independently, as opposed to the more centralized pattern common in Western European countries that results from internet adoption by national telecoms companies. A high number of autonomous systems is usually associated with increased resilience, as failure in one lessens the impact on others. However, given that many of the autonomous systems in Ukraine only serve small, separate regions, this conclusion is less warranted. Failure of those systems would still result in an internet outage, but in a smaller geographical area.
The 2014 occupation reshaped Ukraine’s internet connectivity, with Russia building two new cables to Crimea in an attempt to integrate that territory firmly into its national networks.
Russia’s full-scale invasion of Ukraine in February 2022 was preceded by eight years of partial occupation from 2014. In that year, Russia annexed Crimea and engaged in a relatively low-intensity conflict in the eastern Donbas region, which then became partly occupied by separatists and covert Russian troops. The annexation of Crimea and conflict in Donbas are crucial to understanding the lead-up to, and outcome of, the 2022 invasion.
The 2014 annexation and separatist seizure of territory were also decisive for Ukraine’s internet connectivity. Prior to 2014, Ukrainian internet connections were broadly split between Russia and Europe, with traffic in both directions approximately equal. But Douzet et al. show that the 2014 occupation reshaped Ukraine’s internet connectivity, with Russia building two new cables to Crimea in an attempt to integrate that territory firmly into its national networks. Local ISPs were re-registered as Russian, while the Russian national telecoms company Rostelcom made a major investment in a local branch to expand connectivity. Conversely, Ukraine placed sanctions on those ISPs that continued to supply Crimea, leading to further divergence. Similar effects occurred in Donbas, although the divergence was less pronounced. Local ISPs deepened their Russian connections and reduced their Ukrainian ones, amid pressure from both sides. A trace-route test conducted by Douzet et al. identified a packet travelling from Dnipro in eastern Ukraine to Moscow via Germany, Poland and Belarus, rather than directly across the Ukraine–Russia border.
This separation has important implications for internet resilience, as the number of routes available to internet packets increases the ability for communications to continue in case of disruption. But conversely, the length of the route taken by packets also increases the likelihood of disruption, as well as latency and consequent economic cost. In both cases, decisions are made by private sector actors such as ISPs responding to government regulation or intervention, as well as geopolitical factors and ideological leanings. These decisions are then actioned through commercial agreements in technical routing protocols, as well as being enforced by changes in the physical infrastructure available to specific regions. In this way, the 2014 occupation of Crimea and Donbas not only foreshadowed a much larger rerouting of internet traffic after February 2022, but highlighted the complexity of factors that feed into private sector decisions on where and how to provide internet access. Private sector actors are far from purely commercial entities, as they need to respond to, and integrate, geopolitical and personal relationships into strategies for infrastructure provision.
The war and global internet resilience
In February 2022, immediately after the full-scale Russian invasion, the Ukrainian deputy prime minister asked ICANN to revoke the security certificates of Russian top-level domains such as .ru, and to shut down two DNS servers in Moscow and St Petersburg. This request also involved asking the European internet registry (RIPE NCC), which allocates IP address space, to withdraw IP address rights from Russian internet registries and to block any DNS servers operated by those registries. This request would have effectively prevented Russian internet users from accessing the global internet, creating a precedent of politically motivated decisions on country-level internet access by the multi-stakeholder internet governance community. It would thereby have contributed to already growing fears of internet fragmentation, and suspicion of bias inherent in multi-stakeholder processes.
However, ICANN resisted the Ukrainian request on these grounds, drawing on both technical and sociopolitical arguments in support of the organization’s pivotal role in upholding a global, resilient internet. ICANN’s response noted the distributed technical characteristics of internet security, including the production of security certificates by third parties. Observers also questioned the feasibility of ‘revoking’ Russian TLDs (i.e. removing them from the DNS master root zone file), arguing that this measure would not in fact cut Russia off from the global internet as intended. Rather, its effect on which paths Russian traffic took, and how, were unpredictable. Such unpredictability arises because managers of a DNS resolver can independently configure their servers to direct traffic for particular domains (such as .ru) to other ‘authoritative’ servers, rather than to the root. ICANN’s response to Ukraine’s request – along with that of many of Ukraine’s supporters – also cited the importance of neutrality to the multi-stakeholder model of internet governance.
This was not the first time that ICANN had become entangled in Russia’s war on Ukraine. ICANN’s role as allocator of time zones for many software applications meant that its decision to locate Crimea in the Russian time zone after 2014, when Russia switched Crimea to Russian time, attracted some criticism. Some US registrars reportedly prevented Crimean registrants from accessing US domains. More generally, Russia does not recognize ICANN’s domain name dispute procedures, and has repeatedly sought to transfer ICANN’s responsibilities to the International Telecommunication Union (ITU) – most notably at the World Summit on the Information Society Forum in Dubai in 2012. This confrontation continued after the 2022 invasion of Ukraine, as Russia was unable to appoint preferred candidates to key ITU positions, including that of secretary-general, owing to opposition from various parties including ICANN. Following these controversies, and ICANN donations to Ukraine, Russia stopped its nominal payment to ICANN’s budget in October 2023.
ICANN’s decision to refuse the Ukrainian request regarding Russian domains must be seen in the light of this longer history of Russian unease at its role. ICANN was already sensitive to accusations of pro-Western and pro-Ukrainian bias. Technical inaccuracies in the Ukrainian request were therefore useful in ICANN’s attempt to establish a principled stance in favour of neutrality. ICANN also included malicious domain-monitoring services across multiple languages – including Russian – at the same time, to reinforce its position. Ultimately in this case, the desire for ICANN to uphold not just neutrality but global internet resilience outweighed the pressure to act in ways that could undermine global resilience. It is worth noting that ICANN’s decision did not receive strong public criticism from the Ukrainian government. This reticence on Ukraine’s part perhaps points to acceptance of the technical infeasibility of parts of its request, and potentially even to the desire among Ukraine’s allies to uphold the norm of a global, resilient internet.
The desire for ICANN to uphold not just neutrality but global internet resilience outweighed the pressure to act in ways that could undermine global resilience.
Even so, the multi-stakeholder nature of internet architecture meant that other parties were able to take independent action. Russia had already taken preventative actions to avoid foreign web-hosting services and use DNS servers located in Russia, in anticipation of requests such as that from the Ukrainian government. These actions were also part of a broader ongoing attempt to increase the Russian government’s ability to control and redirect domestic internet traffic. Despite ICANN’s dismissal of Ukraine’s request to revoke security certificates, in March 2022, Russia created a domestic certificate authority, which from its perspective, confers several advantages such as developing a government-controlled means to create certificates that then could be used either legitimately or maliciously and to avoid action by others to prevent certificate use. But in terms of Russian internet resilience, this development is double-edged: on one hand, it reduces Russia’s dependence on foreign companies. But on the other, it creates a point of failure (and therefore a clear target) in Russia’s domestic internet ecosystem.
In response to the 2022 invasion, US internet provider Cogent unilaterally decided to terminate service to Russian ISPs. Lumen, the top transit provider for Russia, partially disconnected shortly afterwards. As one interviewee noted: ‘[T]here’s a real conflict for back-bone internet providers. I do believe that a lot of these companies genuinely believe in the provision of free, open, interoperable internet as a benchmark principle.’ But the desire and pressure to counter the Russian invasion was similarly strong – as were security and personnel concerns. Nevertheless, the Internet Society assessed that actions to deny service to Russian ISPs reduced the overall resilience of the global internet.
Finally, a separate risk comes from unintentional disruption or intentional sabotage of undersea communications cables. In October 2023, two cables connecting Estonia, Finland and Sweden were damaged, with initial attribution by these states focusing on a Hong-Kong registered ship operated by a Russian company that was located above the two cables when they were cut, along with a Russian state-owned cargo ship. It is unclear whether the damage was deliberate or accidental – although former Russian president Dimitry Medvedev had hinted at the possibility of deliberate sabotage of undersea internet cables in June 2023. Other observers have speculated that damage to cables next to the Shetland Islands in October 2022 could also have been due to Russian activity.
These incidents highlight the potential for Russia’s war on Ukraine to impact global internet connections beyond governance and protocol-level decisions. Technical internet resilience is at risk during conflict at the physical layer of international cable traffic, because removing or disrupting subsea cables (especially when co-located) increase traffic through other suboceanic or subsea cables, increasing the likelihood of outages and making them harder to repair.
Local internet resilience since February 2022
The main cause of internet disruption in Ukraine since February 2022 has been Russian military action, including air strikes, drone strikes and artillery. These attacks have destroyed towns and cities across Ukraine and killed thousands of people. In some cases, destruction to telecoms infrastructure was the primary aim of Russian attacks, rather than a side effect – and telecoms infrastructure has also been targeted by Russian cyberattacks. The EU estimated that, by July 2022, 20 per cent of Ukraine’s telecoms infrastructure had been destroyed, rising to 25 per cent in August 2023, with the World Bank estimating the total cost of damage by February 2023 at $1.6 billion.
The 2022 invasion also changed Ukraine’s local internet architecture through less violent physical and logical reconstitution. In April and May 2022, the subsidiary of Rostelcom providing internet services to Crimea also began to receive traffic from local telecoms providers in Kherson, which had recently suffered an internet outage. Ukrainian officials argued that this was due to the disconnection and reconnection of fibre-optic cables, and independent analysis suggests this continued into 2023 for some Kherson-based ISPs. Separate investigations highlighted the increased route length for packets travelling from Kyiv to Kherson and Donbas, aligning with the findings pre-2022 discussed earlier – and likely in order to direct traffic through Russian territory to enable surveillance. Similarly, Kyiv-based servers were able to connect to Russian servers, but only for transit, not as a packet destination. More broadly, Ukraine-wide data indicate that many Ukrainian autonomous systems stopped functioning after the onset of conflict, indicating an overall drop in internet connectivity across the country. Some areas under heavy bombardment from Russian forces – such as Mariupol – either disappeared altogether or reduced their footprint significantly. Importantly, disruptions to internet connectivity connected to the war are nearly all inflicted on Ukraine by Russia, with only isolated incidents of Ukrainian cyber militias like the IT Army conducting DDOS operations on ISPs in occupied regions. Such logical rerouting and connectivity disruptions enable the Russian military to weaponize the control of internet traffic patterns to aid their war aims of population surveillance and information control.
On one hand, greater connectivity restores meaningful use to local populations. On the other hand, internet connectivity is now a crucial element of state sovereignty.
It is worth highlighting the contradictory elements of sociopolitical internet resilience involved in the rerouting of internet traffic through and around Ukraine during the conflict. On one hand, greater connectivity restores meaningful use to local populations: the owner of a Kherson telecom provider who switched to Russian-controlled connections justified that decision as a way to get individual end users back online. On the other hand, internet connectivity is now a crucial element of state sovereignty. Controlling the information space in addition to physical internet infrastructure gives a state the powers of surveillance and censorship, ensuring that connected populations are exposed to the state’s choice of media and information, and that information extracted from communications networks can be used for that state’s advantage. Reports have emerged of people in occupied towns receiving blank SIM cards to connect to Russian telecoms networks – thereby restoring their online presence, but at the cost of increased surveillance and censorship. Finally, in some cases, disconnection itself may have been intended an act of resilience. One analysis speculated that data indicating the severing of connections between Donbas and Russia may have been a way to reduce the likelihood of hostile cyber operations being conducted from Russia.
Disconnection and surveillance extends to the media sphere, too. Reporters Without Borders also reports that the Kremlin seeks to extend ‘systematic control… over Ukrainian media in the illegally annexed territories’, noting the closure of independent media outlets (‘only media that toe the Kremlin line can operate in the occupied territories’) and disappearance and arrests of independent journalists. For people living in the occupied territories, accessing Ukrainian media sources is both a technical challenge and comes at great personal risk.
Setting aside the long-term cost of reconstruction, Russia’s bombardment of Ukraine created an immediate need for physical repairs to cables, data centres and telecoms towers. As a result, the three Ukrainian mobile companies were forced to set aside their usual commercial rivalry to share infrastructure and permit individuals to move between networks easily, as well as repurposing other parts of the radio spectrum for increased resilience (a technique also adopted by militaries to avoid jamming of frequencies by opponents). While repair teams are usually made up of employed or contracted engineers, reports have also emerged of volunteer networks carrying out such tasks in Ukraine.
The role of emergency repair in internet resilience was stressed repeatedly by interviewees. It highlights the complexity of private sector actors’ role – and responsibilities to various stakeholders – as service providers during conflict. As one interviewee noted, ‘there’s been an empowerment of civil society organizations to step in [to] voluntarily replace public services that go down [and] replace government functions if they’ve been interrupted,’ meaning these networks are ‘really resilient’. Another highlighted the ‘physical security risks’ to cable technicians, asking ‘who is responsible if someone fixing a cable on the ground is injured?’. Consequently, interviewees noted companies’ ‘duty of care to… staff on both sides of the conflict’, including ‘a real concern about protecting their people on the ground’, which could lead multinational companies to withdraw specialized staff. As one interviewee put it, ‘they can’t put their people in danger for the public good’.
These threats to local internet infrastructure have led to one of the most publicized aspects of the conflict: Elon Musk’s decision to provide Starlink to Ukraine (other than Crimea). Although this was originally a pro bono arrangement, as of June 2024 Starlink is contracted by the US Department of Defense. While access to Starlink increases the resilience of Ukraine’s internet communications, removing the necessity for ground infrastructure and replacing it with low-orbit satellites that are difficult to target, the overall impact of Starlink on the conflict should not be overestimated. Analysis suggests that no more than 0.3 per cent of Ukrainian internet traffic has ever travelled via Starlink satellites at any one time, meaning that even if that small percentage is crucial for frontline military activities, it does not represent a realistic option to increase the resilience of the Ukrainian internet overall. Interviewees went further than this, highlighting the ‘fragility of allowing a company like that [Starlink] to be a central node’ in internet provision. According to the same interviewee, such dependence on a single supplier ‘goes against decentralization and resilience’, as loyalties and preferences ‘could switch very quickly’. Furthermore, the Russia-attributed hack of satellite communications company Viasat at the start of the invasion suggests that Russia was aware of the potential for satellite communications to increase Ukrainian internet resilience, and actively worked to counter this possibility – although with limited success and an extensive collateral impact beyond Ukraine.
The Ukraine conflict is a live example of the interplay between technical and sociopolitical resilience – internet infrastructures contribute to the overall morale and war effort of Ukrainian society, while strong social relationships and political prioritization in turn help to defend those infrastructures.
The Ukraine conflict is a live example of the interplay between technical and sociopolitical resilience – internet infrastructures contribute to the overall morale and war effort of Ukrainian society, while strong social relationships and political prioritization in turn help to defend those infrastructures. But the conflict also highlights the interplay between global and local internet resilience, as decisions and actions taken at one level have direct effects on – and lead to responses at – the other level.
Private sector involvement in Ukraine’s cyber defence
Although cyber operations are not the main threat to internet resilience in Ukraine, the telecoms and satellite examples mentioned previously in this chapter demonstrate their potential to negatively affect internet resilience at both local and global levels. This aspect also reveals the shifting roles of private sector actors involved in providing resilience.
In both academic and industry treatments of Russia’s war on Ukraine to date, there has been significant discussion of the relevance of cyber operations to the overall conflict dynamics. Some observers argue that Russia’s expectations of their impact were overly high – and overstated by Western analysts. Others point to the novelty and cumulative impact of Russian tactics. Despite these differences in opinion, scholars and industry observers agree that the scale and success of Ukrainian cyber defence have been higher than expected, thanks in part to the role of Western private sector actors in providing both immediate capabilities and longer-term capacity-building before, during and after the 2022 invasion.
These efforts include rapid action by the Ukrainian government and its private sector partners to migrate government data to the cloud. The risks to data from physical invasion were shared by both stakeholders, as an interviewee explained: ‘We were very concerned that… Russia would take over… data centres. What happens if they have access to this? How do you make sure this is safeguarded technically?’ Other interviewees also framed mass cloud migration in terms of resilience, arguing that ‘Ukraine’s infrastructure was resilient because it had the capacity to store, secure, transfer people’s data effectively’, and that ‘the ability to [migrate data to the cloud] is incredibly important for resilience in a time of conflict’.
Interviews conducted for this paper highlighted a range of considerations at play in private sector contributions to Ukrainian cyber defence. Most obviously, interviewees expressed a clear normative motivation with wider Western political orientations, seeing assistance to Ukraine as ‘the right thing to do in important circumstances’. In the words of another interviewee, ‘their duty of care moved from customer to a full country and economy very rapidly’. This ‘ad hoc’ emergency response attitude changed the relationship not only between private companies and Ukraine, but also between the companies themselves. Interviewees viewed their interactions as ‘not competitive, as it would be competing to do things for free’, instead highlighting instances of ‘good collaboration’, especially in commercial threat intelligence and incident response. Such collaboration was also likely incentivized by the global cybersecurity advantages afforded to companies collecting threat intelligence in Ukraine, enabling them to identify and mitigate threats early that could affect their clients worldwide.
However, interviewees also voiced uncertainty about the longevity and generalization of this commitment. One claimed that ‘it’s not a viable financial model… [we] can’t spend [millions] on each conflict’, with another agreeing that this work incurs ‘massive financial costs’. In contrast, one interviewee argued ‘our principles wouldn’t stand up if we had different approaches in different contexts’, applied in Ukraine conflict [but] not elsewhere. Others were concerned about the time horizons for voluntary aid, noting that ‘everyone is going in to do good – but they also recognize that it’s not easy to hop into a conflict and then hop out again.’ More generally, concerns were raised over financial viability:
As well as these concerns, interviewees highlighted risks arising from further involvement in the conflict (a topic discussed more widely in work by the International Committee of the Red Cross on the ‘civilianization’ of armed conflict). Several interviewees for this paper asked themselves variations of the questions ‘when do you become a party to the conflict by virtue of providing services?’, and ‘who are legitimate targets under international law?’. One interviewee accepted that such issues were ‘the reality of being in a conflict zone’. Going further, one interviewee remembered how ‘companies have rushed in to provide services, [including] attempts to get Ukrainians involved in documenting war crimes, with potential consequences of exposing users to risk, breaking the law, potentially becoming complicit in war crime violations’.
Given these concerns, some interviewees took a far more limited view of the responsibility of private sector actors in conflict, one tied more closely to the commercial benefit for their involvement. Most starkly, an interviewee stated that ‘our responsibility is to our shareholders. It’s zero unless we’re being paid for it. We shouldn’t spend our money building resilience for the government… or do the government’s job for them’.
Despite these reservations, others considered that there were commercial reasons for intervention, as ‘there’s a reputational angle and a self-interest angle – we don’t want our services to be undermined’. Reputation and self-interest were seen as potentially positive influences on decision-making. For example, one interviewee saw contributing to Ukraine cyber defence as representing ‘[b]rand value for later. Costs today, profits tomorrow – that can be a good balance struck’.
However, the reputational aspects of contribution were not clear-cut. From one perspective, an interviewee explained that ‘for the general public … contributing to a war might be difficult for them to get their heads around.’ In contrast, other interviewees saw a public perception of their company as ‘providing critical digital services in conflict situations… [as] in our interest, it’s market-forming, we’re all about providing services – if you don’t do that, you won’t be in business for very long’.
These remarks and insights demonstrate that the private sector is far from a single entity with a single mind. Conflicting approaches co-exist among – and even within – large multinational companies. Responsibility for internet resilience is widely distributed. At operational and senior levels, private sector companies grappled with complex moral, legal and commercial questions to decide the extent of their involvement in Ukrainian cyber defence, and thereby Ukraine’s internet resilience overall. Ultimately, internet resilience in Ukraine turned on such considerations, but this aspect of the conflict has been underexplored in public and policy discourse.