The Burisma Hack … Cyberwar or Not?

Just to complicate things further, we learned from a New York Times article that Russian military cyber-forces hacked into Ukrainian gas company, Burisma, apparently in an attempt to find incriminating evidence against prior Board member, Hunter Biden, so as to discredit his father, Joe Biden, in the latter’s run for U.S. president. The article, dated January 13, 2020 (and updated on January 15), is by Nicole Perlroth and Matthew Rosenberg and has the title “Russians Hacked Ukrainian Gas Company at Center of Impeachment.” It is available at

Let’s ignore for a moment whether or not the article is accurate and just focus on how such an act, if true, might be categorized. We all are familiar with the somewhat questionable (in my opinion) claim that “The enemy of my enemy is my friend.”  But what if supposed friends commit acts against you? And what if an enemy attacks a friend to get at you without any apparent damage to the friend? I examine some of these issues in my article “When Victims and Defenders Behave Like Cybercriminals” in the January-February 2020 issue of the ISACA Journal. You can read an excerpt of the article at

As an exercise, you might find it interesting to look at the following four situations and try to come up with counterexamples—there are many:

  • An enemy of my enemy is my friend
  • A friend of my enemy is my enemy
  • A friend of my friend is my friend
  • An enemy of my friend is my enemy

You might not agree with all of the above, but to the extent that you do agree, can you name who fits into each category, and who does not?

It gets more difficult when entities or countries are cooperative at one level and competitive or adversarial in another area. Are these so-called “frenemies”? Think of China, for example. China cooperates (to some degree) with the U.S. on trade but competes for influence on the World stage. And now, with the coronavirus epidemic, the rules change again. After all, by helping China contain the virus, we are ultimately helping ourselves. And, despite some claiming differently, the negative impact on supply chains could be far more reaching that currently supposed.

Now back to cyberwar. To support the idea that we are still struggling with the definition of cyberwar and the corresponding rules of engagement, you should read the January 12, 2020 article “Congress struggles on rules for cyber warfare with Iran” by Maggie Miller and Laura Kelly at

In the article, Senator Richard Blumenthal is quoted as saying: “I think that the question of what is an act of war in the cyber domain is a serious policy question that needs to be addressed, and Congress so far has failed to address it.”

He’s right, in my opinion. More than 18 years ago, I testified before a U.S. House Subcommittee on cybersecurity and recommended that Congress address several issues, among which was dealing with terrorism and attacks by nation states. You can dig through the various testimonies that day and find mine at

You should also see what the late Howard Schmidt and others had to say that day. We put a number of cybersecurity issues before the Subcommittee, many of which appear to have been ignored. The Subcommittee members seemed to be mostly focused on identity theft and account hijacking, which were (and continue to be) leading concerns of their constituents. In my opinion, it was a lost opportunity to address the “serious policy question[s]” that prevailed at the time and still haunt us today. Perhaps our testimonies weren’t convincing enough or the Subcommittee members did not have the technological background to grasp what we were saying, or they were not willing to take on so enormous and controversial an issue, which has only exploded in size and intensity since. Whatever the reasons, we remain confronted with old and new issues that are orders of magnitude greater than they were 18 years ago.

We see decades flying by, and still the world governments have not even come up with a binding generally-accepted definition of cyberwarfare. Without such a definition, and corresponding rules of engagement, it is well nigh impossible to agree upon suitable responses to cyberattacks on our political systems, critical infrastructure, and individuals’ privacy and security.

Senator Blumenthal is correct. We need to come up with policy on cyberwar quickly and not keep kicking the can down the road—or we’ll be dealing with even greater consequences.

Post a Comment

Your email is never published nor shared. Required fields are marked *