The United States is ramping up sanctions against Russia over its invasion of Ukraine, and Moscow has promised retaliation. There is every chance that we will see increased cyber attacks, but cyber hype about scope and scale — think “Die Hard 4” — is completely unwarranted. Right now, the Kremlin won’t risk showing its hand; the most dangerous Russian footholds in U.S. networks require immense resources and time to build, and maximum destructive power comes from using them during a direct conflict with the United States. Moscow won’t burn its best capabilities and anger the United States. More importantly, exaggerating the threat distracts us from hardening against much more likely Russian assaults that are short of cyber war.
One key threat is the potential spillover from Russian cyber operations in Ukraine. Russian malware has a track record of spreading past Ukrainian targets to U.S. networks. For example, the BlackEnergy Trojan malware deployed against the Ukrainian power grid in 2015 also appeared on the U.S. grid. In 2017, Russia unleashed the so-called NotPetya malware, which self-replicated and spread rapidly outside Ukraine to more than 150 countries. It left a trail of crippled corporate and government networks that resulted in over $10 billion in damages. This dynamic is unfolding now with HermeticWiper, a new malware that efficiently destroys computer data and has spread to Latvian and Lithuanian networks.
Disruption to U.S. supply chains is a second threat. The SolarWinds compromise made clear the payoffs of hacking businesses that provide services to U.S. companies and public agencies. Instead of attacking them individually, Russians infiltrated Fortune 500 companies and U.S. government agencies by breaking into SolarWinds networks and corrupting the company’s widely used software product. Ukrainian businesses with U.S. partnerships or contracts thus offer natural targets for implanting cyber capabilities for future use. Russia can also disrupt physical supply chains, and the U.S. chip industry is particularly vulnerable. The U.S. sources roughly 90 percent of semiconductor-grade neon from Ukraine, and approximately 35 percent of palladium — used for sensors and memory — comes from Russia. When coupled with measures to cut off Russia from the U.S. tech sector, supply chains should brace for impact.
Finally, Russian cyber activity can target critical infrastructure with low-cost, low-sophistication methods that are indistinguishable from criminal activity. This includes overwhelming servers with traffic requests, denying network access, holding computers and networks hostage, and stealing or deleting data. The U.S. banking sector is a likely target, particularly now that the West has decided to block Russia from the SWIFT system for international monetary transfers. Persistent cyber attacks against financial institutions can prevent customer website access, use malware to compromise customer accounts or employee credentials, and hold funds hostage via ransomware. Each scenario increases the likelihood of personal and corporate losses and delays the fulfillment of service level agreements with customers, i.e., agreed-upon time frames for money transfers and other business processes.
It is true that Russia long has used Ukraine as a testing ground for future cyber operations against the United States. The striking technical similarities between the NotPetya and SolarWinds incidents demonstrate that Russian cyber operators learn from experience. That has implications for long-term cyber competition, but will Russian operations in Ukraine usher in a new era of cyberwarfare against the U.S.? In a word, no. Evidence indicates that Russian war aims in cyberspace will remain limited to disrupting Ukrainian military networks and public infrastructure.
Instead of preparing for cyber-doomsday scenarios, the U.S. private and public sectors should be hardening targets against actual threats. This means having a game plan for when networks go dark, rebooting quickly, and using failure to better evaluate future risks. The U.S. is in a good position to counterstrike and take threats down at the source with the increasingly integrated partnership between U.S. Cyber Command and the National Security Agency. The bigger challenge is for businesses to dust off and update continuity plans to account for scenarios such as ransomware attacks. Organizations, particularly those comprising critical infrastructure, need to know how to communicate with local, state and federal authorities in the event of a serious cyber attack.
It’s thrilling to imagine apocalyptic scenarios where evil Russian hackers take out the American grid, down airplanes, and take our economy offline. One day that could happen. But it’s not happening now, and the right response is not complacency. It’s the hard work of cyber defense at the local, national, public and private levels. It might not make for a great movie, but you’ll be happier and safer in the long run.
Jason Blessing, Ph.D., is a Jeane Kirkpatrick Visiting Research Fellow with the foreign and defense policy department at the American Enterprise Institute. His research focuses on cybersecurity as well as transatlantic relations. Follow him on Twitter @JasonABlessing.