As Putin’s bombs fall on civilian targets, ancient cities, weapons depos, and a nuclear plant – another war is being waged, an invisible war, cyberattacks on Ukrainian targets. These attacks go beyond Ukraine.
At the front end of this conflict, now weeks, Russia deployed malware against Ukrainian targets, military institutions, and personnel. For reasons still not clear, they chose not to debilitate civilian institutions – perhaps thinking victory would be swift and rebuilding for a “puppet” government, hard and long.
That said, a few things are clear. Cyber-savvy American companies, such as Microsoft, Google, and Mandiant, have picked up (from the start) attempts by Russia to hit Ukrainian military targets. These attacks were – like Russia’s physical attacks – seemingly inept, yet in some cases successful.
Historically, Russia has been viewed as a cyberattack leader, seasoned and generally effective at disruption when that was the aim. Here, Russian hackers appear to have had minimal success shutting down Ukrainian systems, giving the country time to pivot and improve cyber defenses.
Moreover, with US companies sharing information and affirmatively coordinating defensive actions with the White House, Pentagon, National Security Agency, and US Cyber Command, what is happening in the cyber-battlespace is known more quickly.
These companies – unconstrained as governments are – have been coordinating with Ukrainian counterparts, offering warnings as possible. The ability to see into the murk of cyberwar – made possible by US technology – may also protect NATO countries, such as Poland and the Baltics.
Making things more complex, cyberwar does not just affect information access, accuracy, and use – all vital. It escapes the vacuum, affecting the physical world. Preparations – cyber-defenses – are being hardened across NATO, even as Russia hits Ukraine. Even so, the battlespace is confusing. See, e.g., Ukraine War Tests the Power of Tech Giants.
As one public account noted, “the intelligence is flowing in many directions.” In some ways, this “fast reaction force,” a combination of focused cyber-experts in corporate America, US Government, and NATO – is utterly new. The coordination appears led by private ingenuity, agility, and willingness to help governments.
If any good comes of this conflict, it could be a new private-public alliance to protect America, NATO, and innocent non-NATO countries from unprovoked cyber-aggression.
One official noted in the New York Times, “I’ve never seen it work quite this way, or nearly this fast …We are doing in hours now what, even a few years ago, would have taken weeks or months.” See, As Tanks Rolled Into Ukraine, So Did Malware. Then Microsoft Entered the War.
More immediately, Russia’s threat is growing, as this aggressor nation confronts unforeseen obstacles in cyber and physical battlespaces. To date, Russia’s Ukraine-focused cyberattacks – which faltered – are “more muted than expected.”
That may soon change. Russia could hit Europe hard with cyber-attacks, especially if sanctions are unified, aimed at Russian oil exports, and fully joined by Europe. If that happens, cyber-defenses must be strong, as these attacks could affect the physical world. That would certainly be the aim, to hobble Europe’s economy as NATO does Russia’s.
Damage could flow to the US, with Facebook, Twitter, and YouTube all acknowledging adverse Russian activity already. Other sectors could be hit.
Most sobering, private sources suggest that Russia may attempt to hit US defense contractors – nobbling their ability to perform – not so much to stage aggressive action but to demoralize, distract, deter, and disrupt.
The significance of all this is simple and not so. Russia has tools in “the invisible world,” including cyberspace. They have historically been good at deploying them and shown they can be a formidable cyber-adversary, intruder, disruptor, and nuisance.
Technically, NATO countries are only offering defensive weapons to Ukraine, but cyberwar is different. Some actions are clearly offensive, others clearly defensive, others ambiguous, dual-use, or subject to misinterpretation. Compounding the problem, a blur of state and non-state “patriotic” and obstructive actors is afoot. See, e.g., Volunteer Hackers Converge on Ukraine Conflict With No One in Charge.
The hope is that all efforts to contain Russia’s physical and cyber-attacks are successful and defensive only. But if Russia began hitting US defense contractors, potentially jeopardizing the US or NATO force structure or capabilities, stakes would rise.
So far, cyber limits are being respected. Cyberattacks with an impact on US defense contractors are not common; hopefully, they will not be. But Russia is using a highly flawed, obviously perilous war-fighting manual – and cyberwar manual. If they get too squirrelly, the West will need to be ready. The “invisible war” also matters.
RBC,
Cyber threats from foreign adversaries, not just Russia but also China, North Korea end even Iran, Nigeria and some former Soviet states have been a fact of life going all the way back to the 1990s. Do not think for a second that the so-called “independent actors”, all supposedly non-state affiliated individuals or groups classified as rogue entities by our media are somehow acting without the permission and full knowledge of the host countries they operate from. Leveraging third-party entities, in certain cases, lets our major adversaries claim a certain level of deniability, should any of the individuals actually be caught. The level of sophistication in cyber-attacks has only increased over the decades, with a real ramp up occurring in the mid 2000s to present.
As for our official government response to cyber-attacks during that period, they have run the gamut from active and strong to passive and simply reactive, after the fact responses. In general, the Democrat administrations don’t seem to place much emphasis on being proactive and authorizing our cyber warfare personnel to respond with at least “in kind” counter measures. My sense is Democrats are terrified of taking active measures to almost any sort of attack. Their default response seems to seek to appease rather than take a more forceful cyber response to stop additional attacks. The Republican administrations generally take the cyber threats far more seriously and generally take the handcuffs off our cyber warfare personnel more when they are in charge.
Overall, corporate leadership response to the threat of cyber also runs the gamut from viewing it as a high priority and funding it as such to viewing it as something that they give cursory attention to, as it doesn’t directly add to the quarterly bottom line which is how senior executives are compensated. The type of industry also impacts how the corporate leadership prioritizes cyber security. Obviously, defense contractors place a much higher emphasis on allocating the required resources to safeguard their IP than say your typical water treatment plant or power utility company. The problem is a cyber-attack to shut down parts of our electrical grid or water to millions of people can have far reaching consequences.
We don’t need to throw more money at the problem, which is the default response from the federal government in most situations. Rather we simply need to incentivize corporate America to realize pinching pennies on their own Internet security may result in senior corporate leadership of those companies facing extremely large personal and corporate fines and potential imprisonment, if they fail to meet minimum security standards for 21st century Internet threats. Nothing motivates corporate America like seeing one of their own being led away in a perp walk and facing potentially millions in fines.
RBC,
Cyber threats from foreign adversaries, not just Russia but also China, North Korea end even Iran, Nigeria and some former Soviet states have been a fact of life going all the way back to the 1990s. Do not think for a second that the so-called “independent actors”, all supposedly non-state affiliated individuals or groups classified as rogue entities by our media are somehow acting without the permission and full knowledge of the host countries they operate from. Leveraging third-party entities, in certain cases, lets our major adversaries claim a certain level of deniability, should any of the individuals actually be caught. The level of sophistication in cyber-attacks has only increased over the decades, with a real ramp up occurring in the mid 2000s to present.
As for our official government response to cyber-attacks during that period, they have run the gamut from active and strong to passive and simply reactive, after the fact responses. In general, the Democrat administrations don’t seem to place much emphasis on being proactive and authorizing our cyber warfare personnel to respond with at least “in kind” counter measures. My sense is Democrats are terrified of taking active measures to almost any sort of attack. Their default response seems to seek to appease rather than take a more forceful cyber response to stop additional attacks. The Republican administrations generally take the cyber threats far more seriously and generally take the handcuffs off our cyber warfare personnel more when they are in charge.
Overall, corporate leadership response to the threat of cyber also runs the gamut from viewing it as a high priority and funding it as such to viewing it as something that they give cursory attention to, as it doesn’t directly add to the quarterly bottom line which is how senior executives are compensated. The type of industry also impacts how the corporate leadership prioritizes cyber security. Obviously, defense contractors place a much higher emphasis on allocating the required resources to safeguard their IP than say your typical water treatment plant or power utility company. The problem is a cyber-attack to shut down parts of our electrical grid or water to millions of people can have far reaching consequences.
We don’t need to throw more money at the problem, which is the default response from the federal government in most situations. Rather we simply need to incentivize corporate America to realize pinching pennies on their own Internet security may result in senior corporate leadership of those companies facing extremely large personal and corporate fines and potential imprisonment, if they fail to meet minimum security standards for 21st century Internet threats. Nothing motivates corporate America like seeing one of their own being led away in a perp walk and facing potentially millions in fines.