If the ripples of Russian aggression against Ukraine haven’t reached US soil already, they may soon. As the United States backs Ukraine and its European NATO allies with military and other support, and threatens to impose crippling sanctions on Russia in the event of an invasion of its smaller neighbor, Russia is all but certain to hit back at America the way it knows best: with cyberattacks.
The Department of Homeland Security warned in a bulletin last month that Russia has a “range of offensive cyber tools that it could employ against US networks.”
At one extreme, that range includes malware that can bring down critical electrical and communications systems, with potentially deadly consequences. While there is a strong likelihood Russia will use targeted attacks on critical infrastructure and other systems inside of Ukraine in an effort to destabilize that nation ahead of an incursion, Putin is not likely to take that approach in the United States. Such a move would be seen as a declaration of a war Russia knows it can’t win.
But Russia will almost certainly turn to what has become a signature tool of cyber warfare when it comes to the United States: disinformation campaigns that take advantage of the anything-goes environment of social media and the polarized state of American politics to undercut American policy.
“The kind of opinion-shaping information warfare and misinformation that they are masters at has got to be attractive to them,” said James A. Lewis, senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies. “So I’m sure they’re thinking of that. How do they put out false news? Will they disrupt American politics in a way that will buy them time and space when it comes to attacking Ukraine?”
How and when to respond to cyberattacks is an evolving challenge for the United States and other countries, since the line where a cyberattack crosses into an act of aggression under international law is hazy. America has its own cyberweapons, and no consensus on what rules should govern them either.
Legislation being written in response to the Ukraine crisis might help answer some of those questions. As lawmakers on the Senate Foreign Relations Committee rush to finalize a bill that would impose strict sanctions on Russia for any incursion into Ukraine, some, like Senator Richard Blumenthal, a Connecticut Democrat, want pre-invasion cyberattacks aimed at Ukraine to be included among the triggers — even if those attacks are already underway.
“I have strongly and consistently said we should be imposing sanctions beginning right now, in fact yesterday, because Putin understands only the force of economic or military action,” Blumenthal told Politico.
That’s a good start. But lawmakers must go further. Any sanctions bill must also spell out that Russia will pay a price for any US-focused digital disruption campaigns, whether they target pipelines, banks, or fake news aimed at sowing discord, disruption, and distrust.
Last year’s ransomware attack by a Russian-based hacker group — which, among other, things led to a six-day shutdown of a key 5,550-mile fuel pipeline — was a major wake-up call for US government officials and private sector leaders who control crucial parts of American infrastructure.
But malware might not be the weapon of choice if the Ukraine crisis escalates. After all, a similar attack by Russia would undercut its efforts to downplay any Ukrainian incursion and avoid crippling sanctions from the United States that could target Putin’s most important bases of power: Russian oligarchs and hackers backing Russia’s Federal Security Service.
Lawmakers must make clear that if Russia instead chooses massive disinformation campaigns, that too will be met with a US response. That’s not to say that American citizens don’t have the right to oppose American foreign policy; indeed they should be free to do so without being demonized as Russian stooges. But the government has a responsibility to deter covert manipulation efforts by the Russian government and expose them if they occur.
Whether language about cyberattacks makes it into the final legislation remains to be seen. The Foreign Relations Committee’s top Republican, Senator Jim Risch of Idaho, would only say that sanctioning cyberattacks against Ukraine has been a part of ongoing conversations.
There may be a split between Trump-loyalist Republicans, who would be willing to let Putin get away with attacking Ukraine and waging a US disinformation war, and GOP members who want to defend Ukraine.
But this is no place for partisan or intraparty division, particularly when that is exactly one of Putin’s aims in his ongoing efforts to destabilize Western nations and expand his own influence in Eastern Europe. Russia must know now that it can’t afford to pay the price for a cyberattack against Americans, regardless of the form that attack takes. Lawmakers must state that clearly in its sanctions bill, and fast. Nobody on Capitol Hill knows if and when Putin might invade Ukraine, but every indication is that he could launch an attack at almost any moment. The United States must be ready.
Correction: An earlier version of this editorial incorrectly linked a cyber attack last year against a fuel pipeline with the unrelated hack of the software company SolarWinds.
Editorials represent the views of the Boston Globe Editorial Board. Follow us @GlobeOpinion.