The US can’t sit back and wait for Russia to wreak cyber havoc

The threat of major cyberattacks against the United States may be higher now than ever before. Although Russian cyber operations in Ukraine have not been a major factor on the battlefield, President Biden has just disclosed “evolving intelligence that the Russian government is exploring options for potential cyberattacks” against U.S. targets.   

Russia — America’s most capable and reckless cyber adversary — could do significant damage if Putin gives the go-ahead. Research I co-authored suggests that large-scale cyber incidents of all kinds are getting even more harmful and easier to cause due to the changing nature of cyberspace and our deepening dependence on it. As U.S. government agencies and companies go on heightened cyber alert in response to Russian threats, they must also help to lead a long-term, broad-based campaign for cyber resilience. Otherwise, cyber catastrophe in one form or another may become all but inevitable.  

Although intelligence agencies have not yet learned of any “specific or credible [Russian] cyber threats to the U.S. homeland,” the risk is clear. The Department of Homeland Security assessed in January that Moscow, normally very reluctant to launch disruptive or destructive cyberattacks against the United States, would consider doing so “if it perceived a U.S. or NATO response to a possible Russian invasion of Ukraine threatened its long-term national security.” That condition has been met in spades. The White House boasts that “unprecedented” sanctions have made Russia “a global economic and financial pariah,” “sap[ping] its growth potential” and “weaken[ing] its military for years to come.” Meanwhile, some Republican and Democratic members of Congress have floated the destabilization of Putin’s regime as a possible U.S. goal. Putin himself has described the sanctions as “akin to a declaration of war but thank God it has not come to that.”  

Putin’s equivocal comment suggests he would think twice before ordering a major cyberattack on the United States that could invite further escalation. But the logic of deterrence presupposes a careful, calculating Russia, and that premise seems shakier than ever. Putin has already ordered a war of choice that many analysts view as a historic blunder, and he seems to have greatly underestimated both the Ukrainian resistance and the global economic response. Moreover, previous Russian government and criminal cyber operations have blown past or skirted around redlines set by U.S. presidents and caused indiscriminate damage that spilled from one country to the next — perhaps beyond what even the hackers intended. At this volatile moment, it makes sense to consider the most dangerous scenarios even if they seem unlikely.  

The worst case would be a so-called systemic cyber event whose harms spread across society, costing billions of dollars and potentially threatening public health, safety, or national security. Insurance companies and risk modelers have become increasingly worried about such nightmare scenarios. While the internet has always had occasional mass disruptions and compromises — remember the ILOVEYOU virus from 2000? — their frequency and severity have risen in recent years.  

In 2021 alone, we saw a remarkable spate of historically large cyber incidents. Some were hacks, like the Russian-origin ransomware attacks on Colonial Pipeline (millions of drivers impacted) and Kaseya (up to 1,500 companies affected), as well as the Chinese government compromise of Microsoft Exchange servers (30,000 organizations victimized). The latter, a “mere” intelligence gathering operation, could readily have caused mass damage if Beijing had wanted to do so. Other major events were accidental, like the global outage of Facebook services (3 billion users locked out). The notorious Log4j vulnerability (hundreds of millions of devices affected) was in a class by itself. We also know that severe weather events can disrupt cloud services and physical attacks can destroy critical telecommunications nodes.  

Some of these incidents were short-lived and all were largely manageable. But together, they reveal latent fragility in cyberspace. Society has become ever-more dependent on digital technology for daily life. Computer networks interlink and interact with physical systems in increasingly complex, opaque ways — obscuring dependencies and failure points, such as shared reliance on a handful of key software or hardware products. Cyberspace is now akin to a dense, poorly managed forest that periodically catches fire. Most fires remain localized and can be readily extinguished. But on a hot, dry, windy day, the right spark — whether from arson, a barbecue, or lightning — can ignite a blazing inferno that spreads wildly.  

What can we do? The most urgent task is to mitigate the near-term risk of Russian cyberattacks. The Cybersecurity & Infrastructure Security Agency recommends a range of steps for organizations, such as updating software and exercising incident response plans. But these steps are like fireproofing individual homes and reviewing family evacuation routes: prudent measures that nevertheless cannot stop a raging wildfire. Systemic risk demands long-term, system-level solutions.  

We must start by finding the sources of concentrated risk — for example, by making software and hardware supply chains more transparent to spot single points of failure. Once found, systemic risks must be addressed. There could be incentives for IT diversification, while digital entities deemed “too big to fail” should face heightened security and resilience requirements and get tailored government support. Finally, any systemic risks that cannot be eliminated must be managed. We should train thousands more incident responders in advance of a crisis, and do more to help grow and stabilize cyber insurance markets. While important work is already happening, there must be far greater coordination across industries, the public-private divide, and internationally.  

We don’t yet know whether Putin will light the match that starts a cyber conflagration in the United States. But with kindling lying everywhere, why wait for a spark? It’s time to clear the forest, to build a safer cyberspace.  

Jon Bateman is a fellow in the cyber policy initiative in the technology and international affairs program at the Carnegie Endowment for International Peace. He is a former senior analyst with the Defense Intelligence Agency.