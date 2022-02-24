The United States must prepare by both continuing to bolster cyber defenses now and strengthening mandatory cybersecurity reporting and disclosure requirements for the future. The public, meanwhile, should anticipate the potential for further supply chain and service disruptions.

Policy makers and military leaders have long warned the public about the impacts of large-scale direct cyberattacks. But the last decade has demonstrated that the greater risk is in the unintended consequences, or cyber fallout, of such attacks. The world is more connected than ever, and this means that cyberattacks on Ukraine could rapidly spread abroad.

As Russia’s large-scale military attack against Ukraine unfolds, the world must also prepare itself for the cyberattacks — and the global cyber fallout — that will come with it.

Advertisement

Past instances of cyber fallout from Russian attacks on Ukraine have upset governments, businesses, and essential services like hospitals across the world. The fallout from the 2017 NotPetya ransomware attack, which Russian-affiliated groups targeted at Ukraine, was so large that some analysts estimate it reduced the country’s GDP by 0.5 percent — but the fallout was global: NotPetya is estimated by some analysts to have cost the world $10 billion in remediation costs and damages.

Get Weekend Reads from Ideas A weekly newsletter from the Boston Globe Ideas section, forged at the intersection of 'what if' and 'why not.' Enter Email Sign Up

In the United States, NotPetya affected everything from FedEx — which reported having to spend $400 million to fix issues caused by ransomware — to the operations of hospitals. One Pennsylvania hospital had to turn away new patients for several days due to its systems being infected. The hospital depended on IT services from a Ukrainian company, giving the ransomware access that disabled many of the hospital’s computers that ran the Windows operating system, thereby preventing data entry for patient intake and access to test results from equipment like MRIs among other systems.

Recent ransomware attacks conducted by Russia-affiliated criminal hacking groups have revealed the vulnerability of US supply chains to cyber disruption. In the spring of 2021, the Colonial Pipeline ransomware attack impacted the US supply of gasoline, and throughout 2021 multiple lesser known cyber attacks significantly disrupted everything from the national supply of cream cheese to ferry services.

Advertisement

We know that Russia is already engaged in a campaign to take down Ukrainian government websites. In January and February, Russian cyberattacks periodically disrupted Ukraine’s Internet access, government services, and their financial system. Shortly before President Vladimir Putin of Russia declared war on Ukraine, cybersecurity firms announced the discovery of malware similar to NotPetya on Ukrainian and European computers — revealing how cyber fallout is already beginning to spread. Russia’s new wave of cyberattacks has thus far been detected only against organizations affiliated with the Ukrainian government and financial institutions, but it’s only a matter of time before it spreads — it is estimated that over 100 of the world’s largest corporations depend on IT services from Ukrainian companies.

While the United States is unlikely to suffer the worst effects, the risk of widespread cyber fallout could not come at a worse time for the nation, which is already facing supply chain disruptions and overtaxed hospitals. Ransomware is a particular threat to logistics corporations which coordinate global shipping. One such US-based company, Expeditors, recently had to shut down operations because of an attack on its systems.

Advertisement

Thankfully, the Department of Homeland Security’s Critical Infrastructure Security Agency is taking the potential for cyber fallout seriously. Its director, Jen Easterly, has called on corporations and others to review and reinforce their cyber defense policies and procedures in case of cyber fallout similar to NotPetya.

While preparedness is a critical step, early detection and transparency are essential to prevent small issues from becoming major ones. To this end, the Critical Infrastructure Security Agency should encourage corporations to be more public with potential cybersecurity incidents so that cyber fallout can be detected early. The Securities and Exchange Commission should mandate cybersecurity reporting, and Congress must pass the Cyber Incident Reporting Act to increase the transparency of corporate cybersecurity policy and incidents.

The threat of cyber disruption and cyber fallout has only grown over the years, thereby demonstrating the need for permanent solutions.

As Russia’s invasion of Ukraine unfolds, the risk from cyber fallout will increase and continue to impact the world for weeks and months to come. In the face of this threat, the United States must pursue permanent solutions. Calling on businesses to be cautious is one thing, preparation is another.

Bryan Nakayama is a visiting lecturer in international relations and politics at Mount Holyoke College.