The 2022 Russian invasion of Ukraine prompted the Ukrainian government to create a volunteer "IT Army¹" and challenged online supporters worldwide to participate in a pro-Ukraine campaign using the means at their disposal - including information operations², OSINT analysis³, and offensive cyber operations⁴. Hacktivist use of these techniques with the goal of achieving smaller political goals is an established phenomenon and comes with a mixed history of success. Ukraine’s active solicitation of volunteer support and the scale of volunteer involvement in the context of the largest armed conflict seen in Europe since the Second World War suggests the possibility of states attempting to leverage crowdsourcing as a force multiplier in future conflicts.

We’re calling this phenomenon "Crowdsourcing conflict," and it is the theme we invite you all to consider at this year’s AvengerCon!

Recruiting volunteers worldwide enabled Ukraine to create a massive and loosely organized cyber collective that has conducted information operations², effects operations³, and provided OSINT analysis⁴ to support their cause. The IT Army’s broad base of volunteer support also serves as a demonstration of popular opposition to Russia’s invasion.

However, Ukraine’s online volunteer army also comes with risks and limitations. How can volunteers be vetted and coordinated, especially in wartime? What if civilian infrastructure or the wrong targets get attacked? Should these volunteers be considered combatants? Does volunteer cyber activity or public OSINT research risk doing more harm than good by ruining intelligence sources or by notifying the adversary of OPSEC failures⁵? And how can we objectively assess the effectiveness or volume of volunteer activities in a news environment saturated by an active information operations battle, that promotes flashy stories over measured analysis, and that is bound to miss the activities of stealthy and subtle actors?

How could Ukraine (or another nation or non-state actor) more effectively employ crowdsourced online support in a conflict? How could a nation prevent or defend against crowdsourced efforts targeting them? And how could a nation better leverage crowdsourced methodologies to improve their overall cybersecurity defensive posture?

At this year’s AvengerCon, we invite the community to explore the capabilities, limitations, and consequences of crowdsourcing conflict, how it can enable (or place at risk) the security of our Nation, and influence conflicts of the present and future.

References

1. https://foreignpolicy.com/2022/04/11/russia-cyberwarfare-us-ukraine-volunteer-hackers-it-army/

   Ukrainian officials launched an volunteer "IT Army" days after the 24 February start of the invasion and provided tasking directions using a Telegram channel to conduct distributed denial of service (DDoS) and other cyberattacks against specific Russian governmental and corporate targets and succeeded at temporarily rendering many of their targets unavailable. The Ukrainian "IT Army" continues to operate to this day, conducting both DDoS attacks and other operations under its brand. ↩

2. https://www.wsj.com/articles/ukraines-internet-army-of-nafo-fellas-fights-russian-trolls-and-rewards-donors-with-dogs-11664271002 ↩

3. https://www.bellingcat.com/news/2022/03/17/hospitals-bombed-and-apartments-destroyed-mapping-incidents-of-civilian-harm-in-ukraine/ ↩

4. https://www.washingtonpost.com/world/europe/belarus-hack-cyber-partisans-lukashenko/2021/09/14/5ad56006-fabd-11eb-911c-524bc8b68f17_story.html, https://risky.biz/RB634/, https://arstechnica.com/information-technology/2022/01/hactivists-say-they-hacked-belarus-rail-system-to-stop-russian-military-buildup/

   The Belarusian Cyber Partisans, previously known for activities protesting the Lukashenko regime including a massive leak of Belarusian KGB files infected the Belarus’s state-run railroad system with ransomware to disrupt the deployment of Russian forces prior the invasion. ↩

5. https://risky.biz/BTN6/, https://risky.biz/RBTALKS2/

   For a more detailed discussion of these risks and limitations, please review these podcast episodes. ↩