What is the context of Russia’s war in Ukraine in terms of the cybersecurity landscape and how will this affect the future of information warfare? The Recursive dived into the topic with cybersecurity analyst Bilyana Lilly, whose extensive experience in the field includes working for the United Nations, Deloitte and the RAND Corporation among others.
Born and raised in Bulgaria, Lilly’s career in international relations, foreign policy and cybersecurity has taken her from Geneva to Oxford, and then to her current location in Washington, DC, where she has been based since 2011.
Today, Lilly is a leading cybersecurity expert and advisor to C-suite executives, government, and military leaders on ransomware, cyber threat intelligence, artificial intelligence, disinformation, and Russian information warfare.
In an interview for The Recursive, Lilly reflects on the tough choices she had to make throughout her career, the experience she got from working with global cybersecurity companies and organizations, her thoughts on Russia’s war in Ukraine and what this means for the Balkan region in terms of the future of information warfare.
The Recursive: What has defined your career path so far and how did you end up at your current position?
Bilyana Lilly: I left Bulgaria when I was 19, and I really wanted to explore the world, and there were quite a few ideas on what to study next. But then, the moment that changed my life and made me focus on defense and International Relations was when I visited Kosovo.
It was a very random opportunity for a summer school, where I actually ended up doing a class in international humanitarian law with Saddam Hussein’s lawyer at the time, Curtis Doebbler, who was teaching us about the Geneva Conventions and all of its protocols.
While we were in Kosovo, we also visited some of the places that were destroyed by the Serbian army during the 1999 war. After the summer school I ended up staying in Kosovo for a few more weeks with a friend, a Bulgarian journalist who was writing about the Serbs that still lived in Kosovo.
And that’s when I learned that the conflict wasn’t that black and white, because there were a lot of Serbs that were still being harassed, and even to the point where their lives were in danger, because they still remain in Kosovo. And that’s when I learned that conflict is complex. And it affects multiple parties, it affects the entire population.
So it was back then when I realized that I wanted to dedicate my life to making sure that this doesn’t happen in the areas that I care about. I know that this basically sounds like Bilyana decides she wants to save the world, which sounds like a dream and those cliches never happen because it is really difficult to do.
But even if I could make a small contribution to this, it would mean a lot, because that is what I was passionate about. So that’s when I decided I wanted to do a Master’s in Geneva and I wanted to work with the United Nations. And I had the opportunity to do that for the Bulgarian permanent diplomatic mission there.
I was covering discussions about the weaponization of space and other issues, and I started focusing on nuclear disarmament and nuclear terrorism.
At that time, there were several reports published by reputable institutions looking at what would happen if terrorists use nuclear weapons, and if so, which countries will be most likely the targets for that.
What made you start focusing on Russia and specifically Russian information warfare?
I started focusing on Russia, because it has one of the largest nuclear arsenals. And from there, I got connected to some of the Russian government officials and I had the opportunity to go to Russia several times and interview them. From there I decided that I wanted to focus on Russian foreign policy, our region, and understand it a little better.
After that I went to Oxford, did a second Master’s there and I decided to write about missile defense in my dissertation. One of my professors encouraged me to write a book – which I did and turned my thesis into my first book on missile defense.
Then I thought to myself, which are the centers that actually influence policy? And Washington, DC would always come to mind. So I moved to the US and since 2011 I’ve been here.
A few years later I witnessed what happened during the 2016 US elections, the Russian interference and how the US government responded.
It seemed so much in line with Russian foreign policy doctrine, it was just applied in cyberspace – and this field was so fascinating to me that ever since I’ve been focused on cybersecurity, information warfare and disinformation.
During the past few years I worked for US think tank RAND Corporation and also for consulting company Deloitte. At the moment, I am taking a break because I am writing another book.
How did technology and cybersecurity in particular shape your career?
First I focused on missile defense and disarmament and intercontinental ballistic missiles, and I’ve always looked at the technology as a tool of statecraft.
I applied that same rationale also to cyber attacks, when I studied state sponsored cyber threat actors and the types of tactics, techniques and procedures that they use.
So technology is pretty much involved in every project that I do at the moment, every task that I take; technology for me is another domain.
Specifically, it is the information space in cyberspace that’s another domain where countries and non-state actors can exercise influence.
Technology itself can be a weapon to counter that, but it can also be a weapon to erode systems and erode our minds, based on the way you look at it. So, technology is definitely a part of my daily life.
What are the main challenges in the field of cybersecurity right now?
Obviously, one is access to the information in the classes for the labor force or people that are newcomers to the community. But I think at this point, there’s so many organizations that are providing free training, and I think that this is wonderful.
I think that this is a challenge we are continuously fighting and are improving in that area. I will say something that I’ve noticed is that a lot of our experts that have been in the field for years and are well known, are not really good managers and good leaders of people. So I think this is where we could improve.
Because the people that have the technical skills don’t necessarily have the leadership skills, they don’t necessarily build their teams up the way I think teams should be built up in order to thrive, to be sustainable, and to be happy.
So I think there is a lot of room for improvement specifically in that area where we could teach some of the leaders in our field to be better leaders of people.
How has Russia’s war in Ukraine affected and changed the cybersecurity landscape?
So we can see that foreign private sector companies are now paying to fight the war and the number of companies that have actually committed resources, and openly pledged to commit even more resources to help Ukraine fight Russia in cyberspace.
This presents really huge risks for companies like Microsoft, Google, Starlink and so on, as they’re all involved in the war. And they essentially could be potential targets or they place themselves at risk of cyber attacks from Russia because of their involvement. So I think that this is quite unprecedented.
For me, it’s really an important phenomenon, and I hope it’s a trend that we continue to see. Also, just the awareness that we’re raising around cyberspace with this war is another really interesting aspect.
Another thing would be the outpour of international support for Ukraine from volunteers, not only the private sector, but actual volunteers in the IT army. And in addition to that, with NAFO (North Atlantic Fellas Organization), the volunteers that are fighting disinformation with sarcasm and are basically trying to engage the international community in this narrative of the war.
I find those developments really interesting and I’m thinking hopefully we never have a situation like this. But I think that those different frames that we’ve created and the movements around them are really unique. And I really hope that if we face another situation like this, that then we will recreate them.
Do the Balkans have the necessary capacities to deter potential Russian threats?
I’m really hoping that the fact that we’re NATO also serves as a deterrent to Russia, because of Article 5 and our ability to collectively respond to an attack.
I think we definitely have to improve our coordination in Incident Response playbooks, and we need to have good defenses against DDoS attacks.
It also seems like the Russian government is using specifically disruptive malware as the wiper malware, and this goes to the level of operational resilience, in which I include having identified critical assets of different organizations, having backups where those critical assets are stored in immutable storage.
These would preferably be data centers outside of the country, like all of those operational steps that a company can take, or an organization can take to make sure that it enhances its resilience against potential attack.
I think this should be considered and especially given the fact we’re so close to Russia, also places huge emphasis on our need to improve our resilience. In my book I also looked at how the Russian government uses cyber attacks in different activities against Central Eastern Europe versus the ones in Western Europe, and this is clearly happening in the Balkans as well, where the Russian government is a lot more aggressive.
Here it uses a lot more hostile measures, more disruptive cyber attacks, but also assassinations, explosions, and attempted coup d’etat, such as the case with Montenegro. I don’t imagine they will be that blatant and obvious such as those in the US, so I do think that we are actually at a disadvantage because we’re so close.
And the Russians do think that they have some sort of privileged rights and act as they please in our region, or are more aggressive towards us. So I’m really hoping at some point, we show them that this is not the case – so hopefully we can react through our red lines, our own responses and so on.
What are your predictions and trends for cybersecurity in 2023, what should we be looking out for?
I really hope that we won’t stop paying attention to Ukraine, and I hope that we can maintain and increase our support for Ukrainian cyberspace. With regards to cyber threats, specifically from Russia and China, I do expect to see more aggressive cyber operations.
From the Russian side, I do expect more ransomware and even wiper malware attacks from Russian APTs and hackers that have pledged allegiance to the Russian government.
There was a very good report a few months ago that showed how Russian APTs were working with hacktivists, in coordination that were deploying wiper malware and disrupting the networks of the organizations.
And then hacktivists were coming in exfiltrating data and then releasing it within 24 hours. So there was a hacking leak, but also hacking destroy operation together with the hacking operation – so I would envision something similar being tried against Western countries as well.