Ukraine’s government is drafting a new law to bring its volunteer hacker brigade, the IT Army, into the armed forces, aiming to put an end to uncertainty about its status in a legal gray area that has drawn pointed warnings from the Red Cross.
The IT Army of Ukraine has claimed responsibility for cyber attacks such as knocking offline the websites of Russian state media during President Vladimir Putin’s recent annual State of the Nation speech. But the hacktivist group, which has recruited foreign volunteers who need only a computer or a smartphone to join the fight, has also drawn criticism for attacking Russian hospitals and other civilian targets.
The IT Army has been held up as an example for other countries. If the law passes, Ukraine would join a handful of other Western nations, led by Finland and Estonia, that have a full-scale reserve cyber force to augment their regular military, although several more countries have reserve military units with cyber capabilities.
“The law on the creation and functioning of cyber forces within the Ministry of Defense of Ukraine should be adopted as soon as possible,” Nataliya Tkachuk, Secretary of Ukraine’s National Coordination Center for Cybersecurity, told Newsweek in written responses to detailed questions. The center is part of President Volodymyr Zelenskiy’s National Security and Defense Council.
Tkachuk added the new law would “become the basis for building the state’s cyber defense capabilities, engaging cyber volunteers in these activities, and creating a cyber reserve”—a force of civilian cyber experts, trained by the military, who could be mobilized to the nation’s defense during times of increased cyber threat or conflict.
Tkachuk didn’t answer follow-up questions, but based on her description of the law, it appears that Ukraine’s cyber reserve would effectively replace or absorb the loosely organized volunteers of the IT Army with a much more formal force, the core of which would be former conscripts, identified as technically adept during their post-high school compulsory military service and given special training with technical skills.
The IT Army itself embraces its proposed dissolution. In a statement emailed in response to Newsweek questions, the group said its interests would be represented in the drafting process by the Ministry of Digital Transformation. “We fully trust the efforts of the working group to legalize a massive fight in the cyber sector and welcome the moment when it will stop being the gray zone. We … believe that the integration of the IT Army into the cyber reserve will help in building a more effective defense against cyber threats.”
The precise contours of the legal framework that Kyiv adopts will reverberate far beyond today’s battlefield. The war Ukraine is fighting has become a laboratory for the conflicts of the 21st century. The country’s success in fending off Russia’s vaunted hackers has made their embrace of both volunteer hacktivists and a close partnership with western tech giants a model other democracies are looking at. Even in the US, some are arguing that the US Cyber Command would benefit from the additional surge capacity a cyber reserve force would represent.
Tkachuk declined to give a timeline for completing a draft of the new law, but the process has been complicated by bureaucratic wrangling, said one foreign aid contractor working in Ukraine, who asked for anonymity because the person is not authorized to speak to the press. “There is friction between agencies,” the contractor told Newsweek, “It’s not a secret.”
The contractor said that the new law would build on the public-private partnerships Ukraine had developed with both its domestic tech sector and foreign companies including giant US providers such as Microsoft, Amazon and Google. “We have incredible experience, we have know-how that no one else has because no one else has been through this,” the contractor said.
One decision that appears to have emerged at this early stage is for Ukraine to adopt the Estonian model for its cyber reserve—creating a cadre whose technical aptitude is identified during compulsory post high school military service, and who then get additional training. The skills they learn will equip them to both defend the country during their service and provide value to employers once they are done.
Estonia is a NATO member state that had a vibrant tech sector long before it found itself on the frontline of Russia’s new hybrid wars in Europe. In 2007, the country was hit by a series of massive cyber attacks and information operations as part of a dispute with Russia about the relocation of a Soviet-era WWII war memorial. Ever since, the country has sought to make itself a model for smaller Western democracies leveraging advanced technology and skills to boost both its online defenses and the national economy.
Estonia’s volunteer hackers are organized into a Cyber Defense Unit, part of the nation’s century-old Estonian Defense League. “This is exactly the model we would like to see in Ukraine,” Tkachuk said. “We would like to see conscripts not only defend the country using their IT skills, but also acquire up-to-date and necessary knowledge in the field of cybersecurity and defense during their service.”
Once their military service is finished, she added, cyber reservists with their advanced skills “will become a personnel pool for all security and defense sector entities in the field of cybersecurity.”
In the US, a number of leading cyber executives have expressed interest in the possibility of a cyber reserve.
“There are a lot of cybersecurity leaders who want to volunteer and serve. They want to do something for the country without leaving current careers and roles full-time,” Marcus Fowler, CEO of cybersecurity vendor Darktrace Federal, told Newsweek.
Fowler, a former senior CIA official who served in the Marine Corps, said the “perfect place to start” is with cyber leaders who, like him, had served in the military, law enforcement or intelligence agencies. “Many of [them] would still have active security clearances,” he said. “There are practical issues, obviously, but the spirit and expertise is there.”
For Ukraine, adopting the Estonian model of a cyber reserve would also lay to rest questions about the legal status of Ukraine’s IT Army, according to a NATO legal analysis.
The Cyber Defense Unit is an integral part of the Estonian Defense League, an NGO that is effectively the country’s military reserve. Its members are volunteers who take an oath of service, who are bound to obey orders while on duty, and who, in wartime, are integrated with the regular defense forces, according to the legal analysis from the NATO Cooperative Cyber Defense Center of Excellence ( CCDCOE) in Tallinn.
As such, the analysis states, they clearly qualify as combatants in a declared war, because they are “a volunteer corps forming part of the armed forces.”
By contrast, one of the major concerns about volunteer hacktivist groups such as the IT Army and its Russian counterparts is that they blur the line between combatants and civilians by encouraging civilians to take part in attacks.
Ukraine’s government is drafting a new law to bring its volunteer hacker brigade, the IT Army, into the armed forces, aiming to put an end to uncertainty about its status in a legal gray area that has drawn pointed warnings from the Red Cross.