WASHINGTON — Vigilante hacking, the sort seen as Ukraine confronts another Russian invasion, is inadvisable and raises broader questions of ethics and consequences in the digital domain, according to the National Security Agency’s director of cybersecurity.
“I will tell you that the idea of the civil vigilantes joining in a nation-state attack is unwise, right? I really think it is,” the NSA’s Rob Joyce said May 4 at a Vanderbilt University security summit. “As you pointed out, it’s illegal. But it’s also unhelpful, because one of the things we talked about is we’re trying to get Russia to take account for the ransomware attacks and hacks that come out of Russia and emanate.”
Hundreds of thousands of volunteers from across the world have reportedly coalesced around Ukraine’s call for digital talent and cyber specialists, forming a so-called IT army outside typical government oversight.
“There will be tasks for everyone,” Mykhailo Fedorov, minister of digital transformation of Ukraine, tweeted Feb. 26, shortly after the Kremlin’s war machine rolled into the country. “We continue to fight on the cyber front.”
The crowdsourced efforts, the efficacy of which is difficult to gauge, blur the line between traditional cyber maneuvers executed by world powers and fringe advocacy in an increasingly digital ecosystem.
They could also complicate negotiations and deescalation at a time of serious peril.
“This certainly isn’t going to make the State Department discussions with Russia of ‘you need to hold your people accountable’ any easier,” Joyce said Wednesday.
Kevin Mandia, CEO of American cybersecurity firm Mandiant, at the same summit said random individuals swaying relationships between countries and dictating foreign policy could be dangerous.
“You can’t have the private sector influencing the doctrine between nations,” he said. “You don’t have us fighting on air, land and sea without being deputized or part of a force and with an agenda and a mission plan.”
The IT army is reminiscent of volunteers who physically traveled to Ukraine and took up arms, despite enormous risks and warnings from officials. But hacking from home — or at least not from the bombarded and besieged locales of Ukraine — offers a sense of safety the frontlines do not.
“In regards to the cyber domain, anybody can participate in it and do whatever the hell they want in it, whether they’re breaking the law or not,” Mandia said. “So, yeah, the genie’s out of the bottle in regards to cyber showing the intent of individuals that want to be in support of certain agendas.”
Asked March 2 about those who wish to join the fight in Eastern Europe, Secretary of State Antony Blinken said the Biden administration has made clear to Americans who may be thinking of traveling there not to go.
“For those who want to help Ukraine and help its people, there are many ways to do that, including by supporting and helping the many NGOs that are working to provide humanitarian assistance, providing resources themselves to groups that are trying to help Ukraine by being advocates for Ukraine and for peaceful resolution to this crisis that was created by Russia,” he said. “Those are the most effective ways that people who want to help can do so.”
Colin Demarest is a reporter at C4ISRNET, where he covers military networks, cyber and IT. Colin previously covered the Department of Energy and its National Nuclear Security Administration — namely Cold War cleanup and nuclear weapons development — for a daily newspaper in South Carolina. Colin is also an award-winning photographer.