Lessons Learned from Ukraine: Protecting Nations’ Digital Freedom from External Aggression
Hello, I’m Ylli Bajraktari, CEO of the Special Competitive Studies Project. In this edition of 2-2-2, the Foreign Policy Panel outlines a Digital Freedom Playbook and lessons learned from Ukraine.
In this edition of 2-2-2, members of the Foreign Policy Panel - Associate Director Lauren Naniche, Director Jafer Ahmad, and Senior Director Joe Wang - discuss lessons learned for digital freedom from Russia's invasion of Ukraine.
SCSP has regularly covered the sweeping tech implications of Russia’s invasion of Ukraine since February 2022. In February, we covered the demtech implications for Ukraine. In April, we discussed the future of conflict in the digital age and what lessons the People’s Republic of China (PRC) may take away from Ukraine. In September, SCSP Chair Eric Schmidt shared insights from his trip to Ukraine about the “first networked war,” and the SCSP Summit featured Ukrainian Deputy Prime Minister for Digital Transformation Mykhailo Fedorov as a keynote speaker.
This edition pulls from SCSP’s recent release of a “Digital Freedom Playbook,” which offers key lessons learned from Ukraine for how nations facing external aggression could prepare to defend their digital ecosystems and preserve the core digital elements of democratic life. We welcome readers to review the “Playbook” in its entirety for a more extensive analysis of threats to digital freedom and additional recommendations for pushing back against digital repression.
Russia’s invasion of Ukraine has reframed the urgency and importance of many parts of the digital freedom agenda.
As much as the invasion has reshaped the landscape of European security, this “first networked war” has clarified the centrality of Internet connectivity to a nation’s sovereignty; reminded the world of the potential of a tech-enabled democracy to provide basic government services; and demonstrated the central role of information and communications technology (ICT) companies in protecting against cyberthreats, providing platforms for digital services, and countering dangerous Russian-backed disinformation and cyber attacks. All of these are vital dimensions of how Ukraine is prevailing in a conflict against a vastly larger adversary and sustaining its democratic way of life. Conversely, the ability of ICT platforms to continue connecting people inside Russia and the outside world — with the support of digital freedom advocates — is providing an essential two-way information lifeline that is avoiding an even worse-case scenario of Russia becoming a nuclear superpower hermit state.
How Ukraine and democratic governments, ICT companies, and civil society organizations (CSOs) have reacted and adapted to protect Ukraine’s digital infrastructure and maintain digital connectivity, services, and ecosystems, consistent with digital freedom principles, offers important lessons for how other nations under threat can prepare and how the world can respond to future cases of external aggression. Equally important, the convergence of interests of democratic governments, private sector firms, and digital freedom advocates to support Ukraine against the Russian invasion offers an important model to reinforce the multi-stakeholder approach to address the spectrum of digital freedom threats.
We have distilled these lessons into key recommendations, which can help prepare for major contingencies in the future, such as the prospect for the PRC to take aggressive action against Taiwan, or Russian aggression against other bordering nations. Even beyond the precipice of conflict, Ukraine’s experience also offers valuable lessons learned for digital freedom broadly.
Having an emergency plan to back up the nation’s data was a key element of how Ukraine preserved the continuity of its government and public institutions. Up to a week prior to the Russian invasion, Ukrainian government services were running entirely on servers located within government buildings. On February 17, Ukraine’s Parliament amended its data protection law to permit government data to be transferred to the cloud, allowing critical government data to be moved into data centers located outside of the nation. The government, working with private companies, executed a huge logistical feat of backing up critical data and moving it outside of Ukraine. By preserving the integrity of that data, the Ukrainian government preserved its ability to operate and deliver basic services after the Russian invasion, even if Russia had destroyed the nerve centers of the government in Kyiv. As Ukrainian Deputy Prime Minister for Digital Transformation Mykhailo Fedorov said, “you can’t destroy cloud with a missile.”
Enable secure backup of government and other critical data (e.g. financial data) outside of the area of conflict. This may require modifying existing national data protection and localization laws. ICT companies should also work with governments under threat to provide secure storage hardware to deliver data out of a threatened territory.
Democratic governments should seriously weigh the downsides of data sovereignty requirements, especially when it comes to cooperation on cloud services. If a law similar to the currently debated proposals for digital sovereignty requirements in the EU’s Cybersecurity Certification Scheme for Cloud Services (EUCS) had been in place in Ukraine prior to invasion, it would have prevented cloud service providers headquartered outside of Ukraine from being able to provide services that enabled the digital continuity of Ukraine's government. The U.S. Government should negotiate a way ahead with the EU to find a solution that enables U.S.-EU cooperation on cloud services.
Nations and governments under threat should consider establishing “data embassies” outside their territory as a precautionary measure. A data embassy is a creative concept to create a set of servers (or rely on existing servers) to store a nation’s data in another nation’s territory, while preserving sovereign immunities and protections over that data — analogous to protections afforded to physical embassies. Such a mechanism would require establishing an international agreement and legal provisions, similar to those for the establishment of a physical embassy, to ensure appropriate access and security arrangements among involved government and private sector actors. The idea is not so far-fetched. Estonia, foreseeing the Russian threat, finalized such an agreement with Luxembourg in 2017. Creating new alliance institutions – perhaps a “digital Vienna Convention” – can speed up the creation and management of data embassies across alliance members.
After Russian forces destroyed Internet services in Ukraine, the United States, France, and Poland partially funded the deployment of thousands of SpaceX Starlink terminals to Ukraine to allow Ukrainians to access the Starlink network. Ukraine has come to rely greatly, if not entirely, on those terminals for connectivity during the conflict. That effort came about serendipitously. It was not part of some larger or pre-designed plan to protect democracies under threat. In the future, the United States will need to help countries find connectivity solutions that do not depend solely on a single company and a patchwork of contracts, and/or pro bono assistance.
Democratic governments and ICT companies should continue to provide assistance around the world – prioritizing nations under threat – to support alternative means of maintaining Internet communications and connectivity. Ideally, such alternatives are in place before a conflict begins to help prevent or mitigate the effects of external attacks when they occur.
Alternative connectivity options include, but are not limited to, novel connection hardware such as high-speed internet via satellite constellation, hard-to-detect atmospheric laser communication terminals, and a software platform for orchestrating networks across land, sea, air, and space; a decentralized wireless telecom network with fifth-generation (5G) capabilities that enables users to share bandwidth from their personal Wi-Fi networks, at a range 200 times greater than standard Wi-Fi routers; and/or mobile mesh networks to extend connectivity or enable communications when cell, Wi-Fi, and satellite are unavailable. Other connectivity options include “traditional” tools such as virtual private networks (VPNs), personal VPN servers, and mesh networking applications.
Funding should also be provided for training and education (via CSOs) around how to use such technologies for maintaining connectivity.
Ukraine’s innovative solutions to maintain government activity during wartime serves as a real testbed of what a tech-enabled democracy can look like in the future. After the start of the Russian invasion, Ukraine quickly transformed its digital public service platform, Diia, into a comprehensive e-government platform to transfer its public services online. The platform uses government biometric authentication to access most public and banking services, including official ID documents such as passports, and taxes. It also facilitated centralized reporting of invading forces and casualties. Crisis created the opportunity in Ukraine, but the logic of e-governance could scale to all democracies to deliver better governance for their citizens.
Democratic governments should support the development and dissemination of e-government platforms, like that of Diia in Ukraine, or the e-governance model implemented in Estonia, to help transfer public services online for nations under threat.
A related measure is the transfer and continuity of educational services online. ICT companies should work with governments, universities, academic institutions in nations under threat to consider options for doing so.
ICT companies hold the cybersecurity expertise and bandwidth to support foreign governments and local organizations in detecting, monitoring, and countering cyberattacks, sharing intelligence, and detecting malware signatures. In the case of Ukraine, for instance, ICT companies have provided free protection against distributed denial-of-service (DDoS) attacks for news sites and humanitarian organizations targeted by Russia. A longer history of allied governments’ cybersecurity support for the Ukrainian government was also crucial in preparing the Ukrainians to defend against cyberattacks.
Strengthen multi-stakeholder collaboration on cybersecurity capabilities of government, media, and other critical websites and services to protect the flow of essential information. ICT companies should continue to support and provide critical cybersecurity capabilities for nations and related groups and individuals under threat.
Democratic governments should continue to prioritize funding, training, and direct support to government partners in nations under threat to strengthen those nations’ cybersecurity capabilities. Reliance on pro bono services from the private sector cannot be expected in all circumstances.
Democratic governments should coordinate with ICT companies on appropriate cyberdefense implementation guidelines to ensure that the active defenses that ICT companies deploy do not present an unanticipated potential of escalation.
Maintaining the integrity of the information domain is vital in an area of conflict. Russia led a complex disinformation campaign around its invasion of Ukraine using an array of tools, from fake and anonymous accounts, to state-backed media accounts like RT. In response, ICT companies put mechanisms in place to help fight the spread of Russian state-backed disinformation.
Label government and government-affiliated accounts as such, particularly state-run media.
Establish clear guidelines and policies for de-monetizing and de-amplifying potentially misleading content, such as pausing advertising in conflict areas to ensure that critical public safety information is elevated, that ads do not detract from the dissemination of critical information, and that misleading content (under platform rules) cannot be monetized.
Expand third-party fact-checking and content moderation capabilities in relevant local languages to support local fact-checking efforts.
Empower researchers and users to understand how state-backed disinformation propaganda operate, including by sharing information about prevalent tactics, techniques, and procedures.
Everyone, including ICT companies and CSOs, has mobilized to help defend Ukraine’s digital freedom. However successful, pro bono work by industry partners and crowdfunding efforts cannot be the basis of a U.S. strategy where core national interests are at stake. Democratic governments, in partnership with industry and civil society, need to lead in creating sustainable, preplanned, and adequately-funded strategies drawn from the lessons of today to keep the Internet on and democracies safe in an era of growing digital threats.
Now is also the time to start planning together for the next challenge. Taiwan has taken action to prepare for the possibility of PRC action, such as leveraging innovative tech-enabled solutions to counter disinformation and building out redundant connectivity. Just as we should expect the PRC to watch and learn from Russian military missteps on the ground in Ukraine, we should also expect the PRC to do the same in the digital space. We hope the lessons learned and best practices offered in the digital freedom playbook can be a basis for galvanizing further discussion among democratic governments, industry partners, and civil society organizations on additional practical actions they can take to advance digital freedom.