Most of Kiev’s residents were asleep when the power cut happened. As the clock approached the stroke of midnight, anyone who was awake in Ukraine’s capital on the night of December 17th 2016 would have suddenly seen all of their lights and appliances wink out and the surrounding streets plunged into darkness. Those select few would also soon realise that this power cut wasn’t the result of any damage to the grid, but a cyberattack – the second such incident in under a year.
Identifying the perpetrators of this kind of attack usually requires a thorough investigation. In the case of the 2016 attack on Kiev’s power grid, however, the culprit was obvious. Two years previously, Ukraine was almost split in two as Russian-backed separatists in the east of the country declared the region’s independence, while Russia itself annexed Crimea. As relations between Moscow and Kiev went into deep freeze, Ukraine became a training ground for Russian hackers. In just one two-month period in 2016, the Ukrainian government attributed some 6,500 cyberattacks to Russia, targeting everything from businesses and broadcasters, to government agencies and railway operators.
Shortly after the second major attack on Kiev’s power grid, a team of US government officials arrived in Ukraine to conduct a post-mortem. While the group was keen to learn as much as they could about the hack to prevent something similar happening to American power systems, their arrival signalled an ever-closer partnership between Washington and Kiev on cybersecurity. In a series of initiatives known in IT parlance as ‘capacity building,’ a coalition of government agencies such as the State Department, USAID, the FBI and the Department of Homeland Security began intensively training their Ukrainian counterparts in cybersecurity best practices, with the ultimate aim of limiting the damage wrought by such cyberattacks.
That relationship has persisted to this day, with the US and Ukraine planning to hold their fourth bilateral meeting on cybersecurity next month. It has also become an example for Washington’s future international cybersecurity policy. In response to the attack on SolarWinds in March, the Biden administration announced that its long-term response to Russian aggression online would consist of similar capacity building programs to ‘cooperate with allies and partners to counter malign cyber activities,’ with a particular focus on shoring up collective resiliency and attribution.
According to Yale scholar and cybersecurity expert Natalie Thompson, the announcement is evidence of capacity building’s growing importance as a tool of US foreign policy. “There’s lots of people interested in this” across the Biden administration, she explains, citing the recent creation of the Cybersecurity and Infrastructure Security Agency. “There is a desire to create different points of contact and do this.”
Even so, the US and its allies face significant obstacles in scaling up these capacity-building efforts, ranging from bureaucratic issues of funding to the challenge of working with regimes that, while allied, do not necessarily share the same outlook toward internet governance or freedom of speech. Overcoming these challenges, at home and abroad, will determine whether capacity building will just be a patchwork of bilateral exchanges or an international campaign for a more secure and democratic internet.
Policy priorities
According to Chris Painter, that’s always been the intention. President of the Global Forum on Cyber Expertise, Painter is a US government veteran, having consulted on cybersecurity since 2008 for the Department of Justice and then the National Security Council, before a stint as the State Department’s first-ever cyber diplomat.
“It was pretty clear that you had this weakest link issue,” he recalls, where friendly nations lacked the capacity both to thwart foreign cyberattacks and to prevent hackers from using their territory as a safe haven. “Eastern Europe was one of the areas of focus” in the early 2010s, says Painter, during his time at DOJ. “Some of those countries were hotbeds for cybercriminals, and they didn’t have good cyber laws.”
Alongside the EU, the US successfully campaigned with countries in Eastern Europe to strengthen government institutions, develop new cyber laws and institute best practices for cybersecurity. As a result, not only has the danger of hackers burrowing into Western bank accounts from computers in the Balkans significantly diminished, but nations in the region are much better equipped to fend off foreign cyber-aggression.
Capacity building is therefore not only an altruistic priority in US foreign policy, but also a self-interested one. “It is not so dissimilar to having people vaccinated, or wearing masks,” explains Laura Bate, senior director at the U.S. Cyberspace Solarium Commission. “It’s one of these things that takes a whole community to really improve security for each individual actor, and the group as a whole.”
This extends beyond training allies to fend off cyberattacks. In recent years, the US has invested heavily in the ability to attribute attacks after they happen. “We have an educational facility that we share with the Germans called the George Marshall Centre, based in Garmisch-Partenkirchen,” says Bate. Here, policymakers from Europe and the world gather to share knowledge on how to trace a particular incident back to a specific group or nation-state, with the reasoning that such attribution efforts can be rendered more accurate and efficient if multiple allies are working on the problem at the same time.
Inevitably, there is a strategic angle to this pooling of expertise. “I think capacity building is one of those areas which largely shouldn’t be political,” says Painter. Many countries around the world need help shoring up their cybersecurity that only foreign assistance and a few non-governmental organisations, like the GFCE, can provide. At the same time, Painter acknowledges that there is a war of ideas being waged between the US and its rivals on the future of the internet – one in which capacity building can be its own weapon.
“We need to demonstrate that there is a benefit to being part of the community of nations that believes responsible behaviour in cyberspace is important,” says Bate. “In order to incentivise that, there needs to be benefits. And being able to be part of a community of knowledgeable contributors is one of those.”
Strategically minded capacity building can manifest itself in different ways. For example, US capacity building in Africa with organisations like the African Union and SADC has always been motivated by Washington’s desire to embed an open, secure and democratic model for internet governance at what remains a formative stage in the continent’s digitisation. Then there are more aggressive programs, such as ‘hunt forward’ missions that aim to access adversaries’ networks and gather intelligence.
Only a handful of these operations have been publicised, including two between US Cyber Command and the Montenegrin military. Even so, recent budgetary requests indicate that hunt forward missions are becoming an increasingly important component of US cyber policy.
Putting cybersecurity capacity building into practice
For Thompson, hunt forward should be kept separate from US capacity-building efforts. The latter’s aim is “strengthening the ability of governments to prevent, withstand and respond to cyberattacks that affect their own infrastructure,” she says, not helping allied nations conduct covert military cyber operations. Doing so would threaten the appeal of US capacity-building efforts around the world, compared to those of its adversaries.
After all, says Painter, rivals that engage in similar activities tend to have an explicit quid pro quo in mind. “The difference between US capacity and Russian capacity building is that we don’t say, ‘If you do this, you have to do X,’” he explains. From Washington’s point of view, it remains “a side-benefit for US capacity building if countries agree with our worldview,” she says.
There are plenty of like-minded allies to support US capacity-building efforts. The EU, for example, has played a pivotal role in shoring up the cyber-defences of multiple nations in Eastern Europe, while the UK has recently committed to similar initiatives in Africa and the Indo-Pacific region. Other capacity-building partnerships, meanwhile, are being led and implemented by Japan, Singapore, Germany, Israel and Australia.
Ironically, says Bate, the main obstacles toward scaling up capacity building are not foreign but domestic. Outside pockets of expertise scattered across government departments, understanding of capacity building and its benefits remains limited in Washington. “In some quarters, capacity building is still seen as effectively foreign aid,” says Bate. “It’s one of these warm, fuzzy things we do to ‘help folks’.”
Even so, Bate believes that the conversation is beginning to shift. “Is it as far along as I personally would like? I think the answer is no. But…I think that the DC conversation recognises the potential benefit of [having] norms of responsible state behaviour in cyberspace.”
Bureaucratic obstacles, however, still need to be overcome. Although multiple capacity-building partnerships are being run out of the US government, they are scattered across agencies and departments. “There’s talk now of turning the Office of the Cyber Coordinator into a full-fledged bureau, but very little agreement on where it would sit and what the actual responsibilities would be for it,” says Bate. “And the fact that we haven’t really empowered that office effectively means that there are practical limitations on what they can do to coordinate some of this capacity building.”
Further complications exist in how capacity building is funded across the US government. “In general, it’s very piecemeal,” says Bate. “It’s not like there’s one big pool of money that we use to do cyberspace policy. It’s a bunch of different opportunities in different funds.” Each of these pots of money – originally appropriated to fund law enforcement, development, or foreign economic support – has some provision for capacity building, but also its own set of rules on how the money can be spent.
“For example, the economic support fund doesn’t permit funding to go to military or paramilitary sources, which can include a lot of law enforcement intelligence,” says Bate. “The problem is, we don’t get to pick whether foreign governments have established their cybersecurity bureau within a civilian agency, a military agency, or a law enforcement agency.”
Still, there is increasing recognition of these problems across Washington, with some proposals on how to solve them. “The House of Representatives recently passed the Cyber Diplomacy Act, which would create a Bureau of International Cyberspace Policy within the State Department,” says Thompson. Additionally, she notes, the Cybersecurity and Infrastructure Security Agency’s announcement in February of a new strategy for international engagement includes a newfound emphasis on capacity building abroad. These kinds of innovations, she adds, could help coordinate the kind of cybersecurity capacity-building projects that the Biden administration has been angling for since SolarWinds.
It will take time to see improvements, which is not unusual in the world of capacity building. In the case of Ukraine, the time and investment have proved worthwhile, with the country steadily climbing international cybersecurity rankings. Its example as a recipient of US capacity-building initiatives should be taken as more than just one ally assisting another, argues Bate. “It’s not so much about the politics of the US versus Russia,” she says. “Really, it’s about what we want the future of the internet to look like, and making sure that we are proactively working to build that.”