Cyberattacks on Ukraine’s Mobile Network: The Legal Perspective

As cyber warfare becomes increasingly integrated into geopolitical conflicts, Ukraine’s experience offers critical lessons for other states to develop a cybersecurity framework that better protects national infrastructure and strengthens global cybersecurity governance. This article critically examines the legal and policy dimensions of Russian cyberattacks targeting Ukraine’s mobile network as part of its critical infrastructure. By using the NotPetya (2017) and SolarWinds (2020-2021) cyberattacks as case studies, it analyzes how the strategic use of cyber operations destabilizes national infrastructure, weakens international cybersecurity governance, and exploits existing legal and security gaps in addressing cyber aggression. 

The increasing digitization of national infrastructure has fundamentally changed the landscape of security threats. While traditional security concerns often focused on territorial integrity and military defence, modern warfare includes cyberattacks, which can paralyze entire sectors without a single physical invasion. Ukraine’s mobile network, as part of its critical infrastructure, has become a target for cyberattacks aimed at disrupting communication, surveillance, and public services. 

Unlike conventional military conflicts, cyberattacks can be executed covertly, making attribution and accountability difficult. International law struggles to keep pace with the rapid evolution of cyber warfare. Existing legal frameworks, including the UN Charter, the Tallinn Manual 2.0, and various cybersecurity treaties, attempt to address these challenges, but enforcement remains a significant issue.

Since 2014, Ukraine has faced a series of cyberattacks targeting its government institutions, financial sector, and infrastructure. Key examples are the NotPetya attack in 2017 and the SolarWinds hack in 2020. The growing sophistication of cyberattacks necessitates an urgent review of legal frameworks, both at the national and international levels, and calls for recognizing that cybersecurity must be a core component of national security. 

Legal Frameworks Governing Cybersecurity and Critical Infrastructure

International law, including the UN Charter, prohibits the use of force and recognizes the right to self-defence, yet it remains unclear how these principles apply to cyber operations. Article 2(4) of the UN Charter prohibits the threat or use of force against the territorial integrity or political independence of any state. However, cyberattacks, even those causing significant disruption, do not always fall within the traditional definition of armed force, making legal responses uncertain (Schmitt, Tallinn Manual 2.0, 2017). Moreover, as they do not always cause direct physical damage, it is difficult to classify any one of them as an “armed attack” under Article 51, which provides for the right to self-defence.

The Tallinn Manual 2.0 on the International Law Applicable to Cyber Warfare, developed by legal experts at NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE), attempts to clarify how international law applies to cyber operations. It outlines principles such as sovereignty, non-intervention, and the prohibition of force. Rule 6 of the Tallinn Manual states that a cyber operation violates sovereignty if it causes physical damage, loss of functionality, or serious disruption to the targeted state’s infrastructure. Under this rule, cyberattacks on Ukraine’s mobile networks could be considered violations of sovereignty.

Another critical issue is the principle of due diligence, which requires states to prevent the use of their territory for activities that cause significant harm to other states. In the Tallinn Manual 2.0, due diligence is codified in Rule 4, while Rule 6 refers specifically to violations of sovereignty. The distinction is important to ensure conceptual clarity between the obligation to prevent harmful cyber operations from one’s territory and the prohibition of sovereignty breaches. The due diligence principle establishes that a state has an obligation to ensure that cyber operations originating from its territory do not cause damage to other states. Russia’s alleged role in orchestrating cyberattacks against Ukraine, either directly through state agencies or indirectly through cybercriminal groups operating within its jurisdiction, raises serious questions about its compliance with this obligation. The Corfu Channel Case (1949) established that a state can be held responsible if it knowingly allows harmful activities to be conducted from its territory.

Furthermore, the International Court of Justice confirmed in Nicaragua v. United States (1986) that indirect interference in another state’s affairs, including covert operations, constitutes a violation of the principle of non-intervention. Cyber operations that disable communication networks, disrupt financial systems, or compromise military infrastructure can be seen as analogous to such prohibited interventions.

However, in practice, enforcing due diligence in cyberspace is challenging, as cyberattacks often involve proxy actors and sophisticated methods to obscure attribution. Unlike conventional military aggression, cyber operations are designed to be deniable. The NotPetya attack, for example, was initially disguised as ransomware, while SolarWinds relied on a supply-chain compromise that infiltrated multiple state and private networks. Although the United States and its allies attributed these operations to Russian intelligence services (GRU and SVR), meeting the evidentiary threshold required under international law to prove direct state responsibility remains extremely challenging. 

While some states, including the United States, have imposed economic sanctions in response to cyberattacks, these measures are largely political rather than legal in nature. The European Union’s Cyber Diplomacy Toolbox includes sanctions against individuals and entities involved in malicious cyber activities, but enforcement remains inconsistent. There have been calls to establish an international legal framework specifically for cyber warfare, akin to the Geneva Conventions for traditional armed conflict, but progress has been slow due to conflicting national interests and concerns over sovereignty.

NATO has recognized the growing threat of cyber warfare and has included cyberattacks as a potential trigger for Article 5, which provides for collective defence. However, the threshold for invoking Article 5 in response to a cyberattack remains uncertain. The 2021 NATO Summit reaffirmed that a cyberattack could be considered an armed attack if it causes significant disruption, but no specific criteria have been established. Ukraine, as a NATO Enhanced Opportunities Partner, has strengthened its cyber defence cooperation with the alliance, but it remains outside the collective security guarantees provided to NATO members.

The European Union has also taken steps to enhance cybersecurity resilience, with the EU Cybersecurity Act and the NIS Directive setting standards for critical infrastructure protection. However, these measures primarily focus on cyber defence rather than legal accountability for cyber aggression. The EU has supported Ukraine in its efforts to counter cyber threats, including assistance from the European Union Agency for Cybersecurity (ENISA) and coordinated cyber exercises, but legal mechanisms for responding to state-backed cyberattacks remain underdeveloped.

As Ukraine has experienced persistent cyberattacks aimed at undermining its national security, there is a strong argument that these operations constitute unlawful interference by hostile state actors. Ukraine’s domestic legal framework seeks to address cybersecurity challenges, but it remains fragmented and underdeveloped. Article 17 of the Constitution of Ukraine establishes the protection of sovereignty, territorial integrity, and information security as key state functions (Constitution of Ukraine 1996). Yet core legislation, such as the Law “On Information” (Law No. 2657-XII, 1992), does not provide a precise definition of cybersecurity, leaving significant regulatory gaps. The Law “On the Fundamentals of National Security of Ukraine” (Law No. 964-IV, 2003) identifies cybercrime and cyberterrorism as threats, while the Strategy of National Security of Ukraine (2020) and the Doctrine of Informational Security of Ukraine (2017) recognize the dual dimension of ideological and infrastructural threats. The Strategy of Cybersecurity of Ukraine (2021) remains the primary normative act in this sphere, outlining the protection of state information resources, critical infrastructure, and counteraction against cybercrime.

However, these laws and strategies face practical enforcement challenges due to gaps in Ukraine’s legal system, which still lacks a comprehensive attribution mechanism, clear domestic procedures for international cooperation, and effective instruments to hold perpetrators accountable. While Ukraine collaborates with NATO, the EU, and the Budapest Convention on Cybercrime, gaps in mutual legal assistance treaties (MLATs) make cross-border cybercrime investigations difficult. 

NotPetya (2017) and SolarWinds (2020–2021) Attacks 

The NotPetya attack, which began in June 2017, initially targeted Ukrainian businesses and government agencies but quickly spread worldwide, affecting multinational corporations, banks, and even healthcare institutions. The malware was distributed through a software update to M.E.Doc, a Ukrainian tax accounting program widely used by businesses. Once activated, it spread uncontrollably, encrypting systems and rendering them inoperable.

Although it initially appeared to be ransomware, NotPetya was in fact a form of wiper malware, meaning it permanently destroyed data rather than offering a recovery option. The attack caused an estimated $10 billion in damages, making it one of the most expensive cyberattacks in history (Perlroth, Scott, and Frenkel 2017).

Forensic investigations conducted by leading cybersecurity firms, including Symantec, ESET, and FireEye, attributed the attack to the Sandworm hacking group, a unit within Russia’s military intelligence agency (GRU) (Symantec 2017; FireEye 2017; Greenberg 2019). This group had previously been linked to the attacks on Ukraine’s power grid in 2015 and 2016.

Legally, NotPetya raised significant questions regarding state responsibility and the use of force in cyberspace. Article 2(4) of the UN Charter prohibits the use of force against another state, but cyber operations do not always meet the threshold of an “armed attack” that would allow for self-defence under Article 51. The Tallinn Manual 2.0 suggests that cyber operations causing significant physical damage or serious disruption to critical infrastructure could qualify as armed attacks (Schmitt 2017). Some scholars, including Michael Schmitt and Harriet Moynihan, have argued that the scale and consequences of NotPetya could justify Ukraine’s invocation of the right to self-defence (Schmitt 2017; Moynihan 2019). However, the absence of a universally accepted legal framework for cyber warfare left Ukraine with limited options for legal recourse.

Unlike NotPetya, the SolarWinds attack, discovered in December 2020, was not destructive but aimed at covert intelligence gathering. It compromised U.S. federal agencies, NATO member states, and numerous private corporations. The attackers exploited a vulnerability in Orion, a widely used IT management software developed by SolarWinds, inserting malicious code into routine software updates. This supply-chain method enabled unauthorized access to government and corporate networks for several months before the breach was detected.

The SolarWinds case underscores a different legal dilemma. While NotPetya raised questions of force and armed attack, SolarWinds fell into the grey zone of cyber espionage. Traditional espionage is not explicitly prohibited under international law, yet cyber operations may be deemed unlawful if they violate sovereignty or the principle of non-intervention (Tallinn Manual 2.0, Rule 66). Attribution also remains a central challenge: although the United States and its allies attributed the attack to the Russian Foreign Intelligence Service (SVR), meeting the high evidentiary threshold required in international law to prove direct state responsibility is extremely difficult (Schmitt 2017).

Policy Recommendations and Legal Reforms

Given the severity of cyber threats targeting Ukraine’s mobile network and critical infrastructure, Ukraine’s cybersecurity legislation must evolve to reflect the reality of modern cyber warfare. Legal reforms should focus on defining cyberattacks as acts of aggression when perpetrated by state actors and introducing specific provisions for cyber retaliation under conditions of self-defence, in alignment with Article 51 of the UN Charter.

A critical step in improving Ukraine’s cybersecurity governance is the creation of a centralized National Cyber Defence Agency (NCDA) that would consolidate the responsibilities currently divided among multiple institutions, including the State Service of Special Communications and Information Protection, the Security Service of Ukraine (SBU), and Ukraine’s Computer Emergency Response Team (CERT-UA). A national cyber defence agency would serve as the primary entity responsible for investigating cyber incidents, attributing attacks, coordinating responses, and collaborating with international partners on cyber intelligence-sharing. It should be granted sufficient operational authority to coordinate cyber defence across governmental, military, and private sector institutions, ensuring a unified and rapid response to cyber threats.

Ukraine must also enhance its cyber incident response capabilities by mandating a national cyber incident reporting system for critical infrastructure operators, financial institutions, and telecommunications providers. This system should require all major cyber incidents to be reported to the national cybersecurity authority in real time, facilitating faster containment and mitigation efforts. In addition, cyber resilience strategies should incorporate mandatory cybersecurity risk assessments for government agencies and private sector entities operating within critical infrastructure sectors, ensuring that vulnerabilities are identified and addressed before they can be exploited by adversaries.

International cooperation plays a crucial role in Ukraine’s cybersecurity strategy. As a non-NATO member, Ukraine lacks formal collective security guarantees under Article 5 of the NATO Charter. Further integration into NATO’s cyber defence structures is necessary, particularly in the areas of cyber intelligence-sharing, joint cybersecurity exercises, and technical assistance for cyber incident response. Ukraine should actively advocate for the inclusion of cyberattacks within NATO’s operational planning frameworks, ensuring that major cyber incidents targeting Ukrainian critical infrastructure receive international attention and support. NATO’s Cyber Rapid Reaction Teams (CRRTs), which assist member states in responding to major cyber incidents, should be expanded to include Ukrainian participation (NATO 2021). Ukraine should also deepen its engagement with the European Union Agency for Cybersecurity (ENISA), working to align its cybersecurity strategies with EU-wide directives such as the NIS 2 Directive, which focuses on improving cybersecurity resilience across critical infrastructure sectors (ENISA 2022).

Beyond that, Ukraine should push for the development of a legally binding international treaty on cyber warfare, under the auspices of the United Nations or a dedicated international cyber governance body. While the Budapest Convention on Cybercrime provides an important framework for international legal cooperation against cybercrime, it does not adequately address state-sponsored cyber warfare, nor does it establish clear legal consequences for state actors engaging in cyber aggression. A new treaty should define legal thresholds for cyberattacks, establish state responsibility for cyber operations, and outline mechanisms for sanctions and countermeasures against state-sponsored cyber threats. 

Attackers frequently use proxy groups, compromised networks, and obfuscation techniques to avoid detection and attribution. To counter this challenge, Ukraine must invest in advanced forensic capabilities and real-time threat intelligence-sharing mechanisms with NATO, the European Union, and private sector cybersecurity firms. A dedicated Cyber Threat Attribution Unit within Ukraine’s national cyber defence agency could enhance forensic analysis, coordinate cyber investigations, and provide verifiable evidence linking cyberattacks to specific actors.

Ukraine should advocate for the creation of a global cyber attribution framework, modelled after international arms control verification regimes. This initiative could be overseen by a neutral international body, similar to the International Atomic Energy Agency (IAEA). A standardized cyber attribution system would also help states coordinate legal and diplomatic responses to cyberattacks.

Securing Ukraine’s mobile network infrastructure and broader digital ecosystem requires stricter cybersecurity regulations for critical infrastructure operators. The SolarWinds attack demonstrated the vulnerabilities inherent in global IT supply chains, where attackers can compromise widely used software products to infiltrate multiple organizations at once. To prevent similar incidents, Ukraine must mandate rigorous cybersecurity standards for software vendors, telecommunications providers, and cloud service operators. This should include requirements for third-party security audits, software code integrity verification, and zero-trust security architecture across all critical government and private sector networks.

As Ukraine moves toward full-scale 5G deployment, cybersecurity concerns must be fully integrated into its national telecommunications strategy. Ukraine should align its 5G security policies with the EU’s 5G Cybersecurity Toolbox, ensuring that mobile network operators implement strict vendor risk assessments, supply chain security measures, and end-to-end encryption standards. Given the geopolitical risks associated with certain foreign technology providers, Ukraine must also conduct comprehensive national security reviews before approving 5G infrastructure contracts to prevent potential backdoor access and cyber espionage threats.

Investments in cybersecurity workforce development are critical. Ukraine should expand its cybersecurity education programs, establish dedicated cyber training academies, and offer incentives for young professionals to enter the field. Partnering with NATO and the EU on cybersecurity training initiatives would further enhance Ukraine’s capabilities, ensuring that its cybersecurity professionals are equipped with the latest tools and knowledge to counter cyber threats.

Cyber Deterrence and Strategic Cyber Defence Measures

Cyber deterrence is a challenging concept because, unlike traditional military deterrence, it lacks clear norms and universally accepted thresholds for retaliation. The Tallinn Manual 2.0 suggests that cyber operations that cause significant harm or disruption could justify countermeasures under international law (Schmitt 2017).

Cyber resilience is the first line of defence in a deterrence strategy. By increasing the cost and difficulty of executing cyberattacks, Ukraine can reduce the incentive for adversaries to target its networks. Strengthening cyber resilience involves the implementation of zero-trust architecture in critical infrastructure networks, ensuring that all access to sensitive systems is strictly controlled and continuously monitored. Multi-factor authentication (MFA) and end-to-end encryption should be mandatory for all government communications and telecommunications providers. 

Beyond passive defences, Ukraine must also explore more proactive measures, including threat hunting operations and cyber deception techniques. The use of deception technologies, such as honeypots and decoy systems, can help detect attackers early in the intrusion process and gather intelligence on their tactics, techniques, and procedures (SANS Institute 2021). Integrating cyber threat intelligence into national defence strategies would also allow Ukraine to anticipate and counter cyber threats more effectively. Collaboration with private cybersecurity firms and international intelligence-sharing networks will be crucial in this regard, particularly in identifying emerging threats before they can cause significant damage (ENISA 2022).

Legal and diplomatic measures are also key components of an effective cyber deterrence strategy. Ukraine should actively document cyberattacks against its infrastructure, compile forensic evidence, and present cases of cyber aggression to international bodies such as the United Nations, NATO, and the European Union. The European Union’s Cyber Diplomacy Toolbox, which allows for coordinated sanctions against cyber attackers, should be leveraged to impose economic and diplomatic consequences on state-sponsored hacking groups (European Commission 2020).

A more contentious aspect of cyber deterrence is the potential use of offensive cyber capabilities. The Tallinn Manual 2.0 states that countermeasures in cyberspace are permissible under international law if they are necessary, proportionate, and conducted in response to a prior unlawful cyber operation (Schmitt 2017). Offensive cyber operations could involve disrupting command-and-control networks used by adversary cyber units, targeting infrastructure used for launching cyberattacks, or exposing the identities of state-sponsored hacking groups. 

The Ukrainian Armed Forces should develop doctrine and operational guidelines for cyber warfare. NATO’s Joint Cyber Operations doctrine provides a useful model for integrating cyber operations into national defence planning, and Ukraine should seek to align its cyber policies with NATO standards (NATO 2021). NATO’s Locked Shields cyber exercise, which tests the cyber defence capabilities of member states in simulated cyber conflict scenarios, provides an important model for Ukraine to adopt (CCDCOE 2021). Ukraine should also expand bilateral cyber defence agreements with key allies, including the United States, the United Kingdom, and Germany, ensuring that technical expertise, intelligence-sharing, and cyber defence coordination remain at the forefront of national security planning.

Moreover, Ukraine should consider implementing a national cybersecurity certification program for critical infrastructure operators, similar to the Cybersecurity Maturity Model Certification (CMMC) used in the United States, which mandates specific security controls for organizations working with sensitive government data (DoD 2020). 

Finally, Ukraine must invest in cybersecurity education and workforce development. The growing complexity of cyber threats demands a highly skilled workforce capable of responding to new and emerging challenges. Ukraine should establish national cybersecurity training academies, offering specialized courses in ethical hacking, digital forensics, and threat intelligence analysis. Additionally, government incentives for private sector cybersecurity investments, such as tax breaks for companies that develop cybersecurity solutions, could stimulate innovation and strengthen Ukraine’s domestic cybersecurity industry (ENISA 2021).

Bibliography 

Schmitt, Michael N., ed. Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. Cambridge: Cambridge University Press, 2017.

United Nations. Charter of the United Nations and Statute of the International Court of Justice. San Francisco: United Nations, 1945. https://www.un.org/en/about-us/un-charter

National Institute of Standards and Technology (NIST). Zero Trust Architecture (SP 800-207). U.S. Department of Commerce, 2020. https://doi.org/10.6028/NIST.SP.800-207

Department of Defense (DoD). Cybersecurity Maturity Model Certification (CMMC) Framework. U.S. Department of Defense, 2020. https://www.acq.osd.mil/cmmc/

SANS Institute. Deception Technology in Cybersecurity: Enhancing Threat Detection and Response. SANS White Paper, 2021.

European Union Agency for Cybersecurity (ENISA). Threat Landscape 2021: Insights on Emerging Cyber Threats. Brussels: European Union Publications Office, 2021.

European Union Agency for Cybersecurity (ENISA). NIS 2 Directive: Strengthening the EU’s Cybersecurity Regulations. Brussels: European Commission, 2022. https://www.enisa.europa.eu/

European Commission. EU Cyber Diplomacy Toolbox: Strengthening Collective Responses to Cyber Threats. Brussels: European Union External Action Service, 2020.

NATO. Cyber Defence Policy: Enhancing Collective Security in Cyberspace. NATO Public Diplomacy Division, 2021. https://www.nato.int/cps/en/natolive/topics_78170.htm

CCDCOE (NATO Cooperative Cyber Defence Centre of Excellence). Locked Shields Cyber Defense Exercise Report. Tallinn, Estonia, 2021.

Ukraine State Service of Special Communications and Information Protection. Cybersecurity Strategy of Ukraine: Strengthening National Resilience. Kyiv, 2022.

Budapest Convention on Cybercrime. Convention on Cybercrime. Council of Europe, 2001. https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185

Council of Europe. Convention on Cybercrime (ETS No. 185). European Treaty Series No. 185, 2001.

Tallinn Manual 2.0. International Law Applicable to Cyber Operations. NATO Cooperative Cyber Defence Centre of Excellence, 2017.

CERT-UA. Annual Cybersecurity Report 2022: Cyber Threats and Incidents in Ukraine. Kyiv: State Service of Special Communications and Information Protection of Ukraine, 2022.

Microsoft. Lessons from the SolarWinds Cyberattack: Enhancing Supply Chain Security. Redmond, WA: Microsoft Security Research Center, 2021.

International Court of Justice. Case Concerning Military and Paramilitary Activities in and Against Nicaragua (Nicaragua v. United States). ICJ Reports 1986.

International Court of Justice. Corfu Channel Case (United Kingdom v. Albania). ICJ Reports 1949.