A month into Russia’s war on Ukraine, there’s still little evidence of an all-out cyberattack against the computer systems that run critical Ukrainian targets, like electric power plants. But now the US government has warned that Russia might aim such attacks at the United States, in retaliation for economic sanctions imposed against Russia.
“The magnitude of Russia’s cyber capacity is fairly consequential, and it’s coming,” said President Joe Biden in a speech on Monday. And in a separate statement released by the White House, Biden warned US companies to ramp up their network security practices “based on evolving intelligence that the Russian government is exploring options for potential cyberattacks.”
But given that corporate data networks already are under constant attack from online criminal gangs and foreign intelligence agencies, could we be sure that Russia was behind any new cyber assault? Even if we were sure, what should companies and government agencies do about it?
Confirming that an attack came from Russia would be difficult, but not impossible. Joel Brenner, former head of counterintelligence for the US director of national intelligence, said that US cyber spies have penetrated Russian hacker networks, and often have a fair idea of what they’re up to.
“We’re probably in their command and control, listening to people,” said Brenner, a senior research fellow at the Massachusetts Institute of Technology’s Center for International Studies. This could provide advance warning of a major Russian cyberattack, he said. “We might hear them preparing to do it.” In addition, said Brenner, Russia is one of only a few nations with the cyber capability to do serious harm to the US, so there’d be few other likely suspects.
What might such an attack look like? “Conflict in Ukraine presents perhaps the most acute cyber risk U.S. and western corporations have ever faced,” according to a February article in the Harvard Business Review, which predicted that Russia would reply to western economic sanctions with aggressive cyberattacks on US and European targets.
One of the article’s coauthors, Lauren Zabierek, said that Russia has had ample opportunities to penetrate US corporate computer networks with malware that could be activated at any time.
“Perhaps they’ve done some long-term strategic reconnaissance,” said Zabierek, executive director of the cyber project at Harvard University’s Belfer Center for Science and International Affairs. “If they have identified certain targets and placed malware in them … they could do something disruptive or at worst destructive.”
Zabierek noted that state-sponsored Russian hackers have done plenty of damage in recent years. A team believed to be associated with Russia’s military intelligence agency has been blamed for a 2015 attack that shut down the electricity in much of Kyiv. And the same group has been blamed for NotPetya, a 2017 malware attack that was initially aimed at Ukrainian targets but later spread worldwide, afflicting major corporations like FedEx, Merck, and Maersk and causing billions in damages.
Some attacks from Russian soil are launched not by the government, but by criminal gangs that are tolerated by the Kremlin. Last year’s ransomware attack on the Colonial Pipeline, which caused fuel shortages throughout the southeastern US, has been linked to a gang of Russian cyber outlaws called DarkSide. It’s possible that the Russian government could strike at the US by encouraging such groups of criminal hackers to launch more such attacks.
But Zabierek said Russia would be hesitant to inflict severe damage on US infrastructure, for fear of prompting a harsh response from the Biden administration. Last June during a meeting with Vladimir Putin, Biden warned that the US would undertake its own offensive cyber warfare operations against Russia if that country attacked key US infrastructure systems, such as electricity, food and water supplies, telecommunications, shipping, or health care.
“I don’t know if it’s in Putin’s best interest to do something that would cross that threshold,” Zabierek said.
US companies have been put on notice by the Biden administration to overhaul their security practices in expectation of coming attacks. The administration has conducted classified briefings with specific companies that operate vital parts of the nation’s economic infrastructure. And this week’s White House statement included recommended security enhancements for businesses of all sorts. For instance, companies are urged to use multifactor sign-in systems for workers logging onto their networks, to keep secure, up-to-date backups of all files, and to encrypt all stored data.
In all, these are standard security practices that every organization with computers should be following already, but often do not.
If the US suffers a major cyberattack, how would the Biden administration respond? Sam Curry, chief security officer of Boston data security firm Cybereason, said the US should say exactly what it will do if Russia launches a major infrastructure attack. “The policy should be determined and made public now,” Curry said. “It can’t be a deterrent if you don’t let people know this is what the consequences are.”
Those consequences might even include military strikes. Biden raised the possibility in a speech last July, warning that “a real shooting war” could break out “as a consequence of a cyber breach.”
Brenner said that severe attacks on the US electrical grid or a forced shutdown of the nation’s seaports could spawn a political crisis. “If those things happened, the president would be under a lot of pressure to do something dramatic,” Brenner said. “We will want to be very careful about that.”
He said that a carefully targeted cyber counterattack would be one approach — perhaps hacking the electrical grid in a major Russian city, but not that of Moscow, because the US will want to maintain communications with the Kremlin and work out a resolution of the crisis. But he added that the US should reserve the right to respond with further economic sanctions, or with military force.
Brenner also said that whatever the risks to the US, Russia and Putin are at far greater risk if a cyber war breaks out between the two nations.
“He runs the risk of a regime collapse,” said Brenner. “We don’t.”