Ukraine’s ability to defend itself against cyber threats since Russia’s full-scale invasion in 2022 is offering valuable lessons for NATO and its allies, according to a new policy brief by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). The research highlights several key policy implications, including the need to develop pre-crisis partnership frameworks, formalise the role of non-state actors in cyber defence, and address the digital sovereignty implications of deep dependencies on foreign technology companies.
Titled “Ukraine’s Cyber Defence Evolution: The Role of Non-State Actors and Public-Private Partnerships,” the report is based on interviews and surveys with 39 respondents from 21 Ukrainian organisations across government, military, private sector, and civil society organisations.
The findings show that Ukraine’s cyber resilience is built on four interconnected pillars: the government’s innovative approach, expanded roles for private sector actors, intensive international partnerships, and integration with multinational technology companies. While vital for survival, these arrangements have created strategic dependencies that may impact sovereign decision-making and raise questions about their long-term sustainability.
The brief reveals that more than 85% of surveyed Ukrainian organisations rely heavily on US-based technology providers, creating a vulnerability where operational continuity could depend on the political and financial alignment of foreign entities.
At the same time, the research underscores the importance of informal personal networks have frequently proven more effective than formal coordination channels during a crisis, providing the agility that rigid structures lack.
„The informal networks and ad hoc arrangements that kept Ukraine’s continuity of its critical services are impressive, but they also reveal structural gaps that NATO and allies must address swiftly,“ said one of the paper’s authors, Erik Kursetgjerde.
The authors also note that Ukraine entered the war without a fully developed public-private partnership (PPP) model, as acknowledged in the country’s Cybersecurity Strategy—a gap that the conflict has forced rapid and largely ad hoc improvisations to address, resulting in a resilient but fragmented ecosystem.
Based on these findings, the policy brief outlines three key recommendations for NATO and allied countries:
- developing pre-crisis partnership frameworks;
- formalising the role of non-state actors in cyber defence;
- collectively addressing the digital sovereignty implications of deep dependencies on foreign technology companies.
The research was conducted by CCDCOE researchers in collaboration with Ukrainian experts. The full policy brief is available on NATO CCDCOE Library.
This publication is a product of the NATO Cooperative Cyber Defence Centre of Excellence. The views and opinions expressed in this publication are those of the authors and do not necessarily reflect the policy or position of the NATO CCDCOE, NATO or any government.