With Russia’s war on Ukraine showing few signs of ending anytime soon, Michele Landes of GLG’s Tech, Media, and Telecom team hosted Andy Grotto, Director of Program on Geopolitics, Technology, and Governance at Stanford University and the Former Senior Director for Cyber Policy at the National Security Council under President Obama and President Trump, to understand the cybersecurity risks and vulnerabilities to the U.S. and Ukraine’s neighbors in Europe.
There have been a lot of warnings and discussions about cyberattacks to the U.S. and Europe in the last 18 to 24 months from Russia. With the war now in its third week, why do you think we haven’t seen any major cyberattacks to date?
It’s true we haven’t seen a major destructive cyberattack yet, similar to Russia’s previous attacks against Ukraine’s electric grid in 2015 and 2016 and the NotPetya attack of 2017. The grid attacks temporarily knocked power out for hundreds of thousands of Ukrainians and the NotPetya attack ultimately caused upward of $10 billion in damage to companies large and small, whether Ukrainian or foreign.
But it’s not like Russian cyber threat actors have been quiet, either. For example, they have targeted Ukraine’s government for espionage and to disrupt government operations. And the fact that there aren’t any outward signs of a major cyber attack yet doesn’t necessarily mean that the Russians didn’t try — Ukraine’s defenses have come a long way since the 2015 and 2016 attacks, thanks to focus from Ukraine’s government and cybersecurity partnerships with the U.S. and other friendly governments.
With that possibility in mind, it’s also possible that the Russians have shown some restraint when it comes to major cyber attacks against Ukraine or its allies. We can only guess why at this point, but it’s worth putting some hypotheses on the table. Remember, offensive cyber operations are a tool, and they may not always be the best tool for achieving a given objective — there are risks and benefits to cyber operations. One risk is that once a cyber capability is used to generate some observable effect, defenders may learn how to protect against future attempted uses of that capability. In other words, the attacker risks permanently burning their capability by using it even just once. So the benefits of the attack better be worth it.
Another cost or risk is that the destructive effects of the attack cascade in unexpected ways, causing greater collateral damage than anticipated, including to victims that might otherwise be hesitant to get involved in the conflict. If the attacker believes that would-be allies are hesitant to get involved in the conflict, a cyber attack that hurts them too could lead them to intervene more forcefully than they might have done had they not been victimized.
On the benefits side of the equation, it seems pretty obvious at this point that Putin thought that he could roll into Ukraine and that Russian soldiers would be greeted as liberators, or at worst encounter token resistance. Under these circumstances, why burn cyber capabilities in the run-up or early stages of the invasion that could be more useful in the future (e.g., against the U.S.) or risk unintended collateral damage that could unite other countries in their opposition to you? It wouldn’t make much tactical sense.
Of course, the assumption that Ukraine would fall fast has proved completely wrong, but even now, in this intensely violent phase of the conflict, it’s hard to see what value cyber attacks against Ukraine’s infrastructure would have, compared with fungible, and perhaps more predictable, artillery and other kinetic weapons — especially when kinetic weapons have such potent ability to kill and terrorize civilian populations, which seems to be part of Putin’s war plan at this point.
Might Russia eventually carry out a destructive cyber attack?
Yes, if and when circumstances change. I think the Russians are holding offensive capabilities in reserve, and that if Putin and his generals saw tactical or strategic value in using them, they would not hesitate to use them.
If Russia were to carry out a destructive cyber attack, what would it look like?
Look to the recent past for clues — disruptive attacks against critical infrastructure, akin to the 2015 and 2016 attacks in Ukraine, would be high on the list. Attacks designed to disrupt economies and business are another possibility, similar to NotPetya. At this point, I think we’re more likely to see such attacks outside of Ukraine, and targeting allied countries — Europe, the United States, and possibly even East Asia allies that have supported sanctions, such as Japan, South Korea, and Taiwan.
The goals could be to inflict pain and punishment to deter future sanctions or to break unity around sanctions. It’s worth noting that Russia doesn’t necessarily need to actually execute a destructive attack to achieve these psychological objectives — signaling or demonstrating capability to carry out the destructive attack could potentially be enough. Finally, I’d be shocked if we didn’t see cyber operations aimed at affecting political processes in democratic countries — hack-and-leaks and other information operations.
In your eyes, what sectors are most vulnerable within the U.S. and Europe right now?
Let’s start with financial services. I wouldn’t discount Putin’s willingness to disrupt SWIFT or big banks, especially in response to the crushing financial sanctions on Russia, with a goal of holding the international financial system hostage.
That being said, the biggest American banks are focused on cybersecurity and are generally well prepared to power through an attack. But it would still be painful for them and possibly for the economy as well. Big banks in other countries are a more mixed bag, and the resilience of smaller banks in the United States against a nation-state adversary is, overall, lacking — mainly due to resource constraints. This is worrying because if undermining confidence in the integrity of the U.S. financial system is Putin’s goal, attacking smaller banks and manipulating transactions, changing account balances, and preventing customers from accessing their money could have a big psychological effect on markets and consumers.
When it comes to energy, the Colonial Pipeline ransomware incident from last summer, which interrupted fuel supplies on the U.S. East Coast, is a worrying data point on the sector’s resiliency. It too is potentially an attractive target now that the U.S. has banned Russian oil imports. It’s a politically potent target too, given American voters’ sensitivity to gas prices and their willingness to blame political leaders for it. If Putin wanted to undermine Biden’s reelection prospects, disrupting domestic fuel supplies might be an attractive gambit.
Cloud is another area of concern, primarily because it has become a utility of sorts for many businesses. The big cloud companies are good at security, but their customers — especially small and medium-sized businesses — may not be so good and may not know where their security responsibilities end and the cloud providers’ responsibilities begin, a weakness that threat actors may be able to exploit.
So, how do companies and individuals best prepare for cyber attacks?
The basics: multi-factor authentication (MFA), using password managers, and keeping systems up to date.
About Andy Grotto
Andy Grotto is Director of the Program on Geopolitics, Technology and Governance at Stanford University, Visiting Fellow at Stanford’s Hoover Institution, and Principal of Sagewood Global Strategies LLC. He previously served as Senior Director for Cyber Policy at the National Security Council under President Obama and under President Trump. Mr. Grotto played a central role in developing and overseeing the implementation of President Obama’s Cybersecurity National Action Plan, and he was the principal architect and drafter of the Trump administration’s executive order on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” Previous positions held by Mr. Grotto include Professional Staff Member, Senate Select Committee, at the United States Congress, and Senior National Security Analyst at the Center for American Progress. He also led the negotiation and drafting of the information sharing title of the Cybersecurity Act of 2012, which later served as the foundation for the Cybersecurity Information Sharing Act that President Obama signed in 2015.
This cybersecurity article is adapted from the GLG teleconference “Cybersecurity Risks — Russia/Ukraine Conflict.”