Right from the outset, let’s agree to keep in mind that the Russia/Ukraine cyberwar may never heat up. The important developments in the next few days and weeks will likely happen only in the real world of guns and bombs.
So set aside the cyberwar for a minute. Focus on the real world. There are a few ways the real world conflict may proceed.
The Russians might slink ignominiously from the field, tails between their legs, trying frantically to spin the narrative so Putin looks like anything other than a pathetic loser. There are some signs as I write this on Friday afternoon that the Russian military operation is getting ready to collapse. Cool. Maybe this ends soon.
That’s the best case scenario. For some reason it’s hard to feel optimistic in the modern world. Have you noticed? So think about how things might get worse in the real world conflict.
Thomas Friedman wrote a scary essay for the New York Times about Putin’s fallback plans if his army continues to be stalemated and Putin’s advanced syphilis (unconfirmed) makes him frustrated and angry.
Plan A was a quick Russian military victory. That didn’t happen.
Plan B is to create a massive refugee crisis within Ukraine and especially in neighboring NATO countries, to impose social and economic burdens that will cause NATO states to pressure Zelenskyy to cut a deal with Russia. That’s in progress as I write this.
If that doesn’t shake up NATO enough to force a deal with Russia, it’s a reasonable guess that Plan C would be to fracture the NATO alliance with air and rocket attacks across the Polish border, causing disagreement and dissent about the proper response.
And finally, if Putin is still in charge and increasingly batshit, Plan D would likely be chemical weapon attacks or deployment of nuclear bombs.
That’s the real world. It’s hard to imagine that cyberattacks will ever be so bad that they take over the headlines from the horror on the ground.
But we’re going to talk about cybersecurity because, unfortunately, the Russia/Ukraine cyberwar might figure in some of those nightmare scenarios. Here are some ways that might happen.
How could the cyberwar get worse?
Anne Neuberger, deputy national security adviser for cyber and emerging technology, discussed the possible escalation of the cyberwar in an interview with Kara Swisher this month.
The first level would be a full-out destructive cyberattack on Ukraine. Putin might decide to throw out the sense of caution that has kept these attacks from happening so far. Throw out any desire to have systems operational in case Russian wins the land war. Just use hackers to cyber-blow things up. Turn off the electricity, kill the banks, make planes fall from the sky, disable the hospitals.
The second way the war could escalate: Russia could deploy malware in Ukraine that spreads and causes damage to businesses and government agencies worldwide. Maybe Russia would intend to cause global havoc, maybe it’s an oopsie moment when a targeted attack goes further than planned.
We know that’s possible because it has already happened. The NotPetya malware was used in 2017 by the Russian government for an attack on Ukraine, but it rapidly spread around the world, causing an estimated $10 billion in damages. It’s been called the most devastating cyberattack in history.
The third way the war could escalate: Putin could snap and turn into Dr CyberStrangelove and launch destructive cyberattacks directly against targets in the US and Europe.
We’ve been in a global cyber-standoff for the last few years. It’s similar to the 1960s doctrine of mutually assured destruction: Russia does not launch crippling attacks on American networks because they’re afraid we’ll retaliate and do more damage to them. If Putin tells his hackers to do their worst to Europe and the US, it would be the cyber-equivalent of launching nuclear weapons. We might have bigger malware bombs to send back to Russia but the thing about mutually assured destruction is that in the end both sides get pretty destroyed.
So that’s not good.
President Biden warned last week that Russia is exploring the possibility of cyberattacks against the United States in retaliation for the sanctions that are tearing his country to pieces.
“It’s part of Russia’s playbook,” Mr. Biden said in the statement. “Today, my administration is reiterating those warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks.”
The administration has no evidence of a specific, credible potential cyberattack against the United States, but rather “preparatory activity” targeting critical infrastructure, according to Anne Neuberger, Mr. Biden’s deputy national security adviser for cyber and emerging technology.
The president’s warning should be taken at face value. Maybe the intelligence agencies see ominous chatter and everyone needs to be on alert.
But that’s not all! And that’s good news. Biden’s warning actually has a bigger context that is really swell.
What are we doing to prepare for cyberattacks?
It’s not easy to see an inflection point while it’s happening – a series of events that send history on a new path. President Biden and his team are trying to use this tense moment to change the world’s approach to cyberattacks. If they are successful, 2022 may be seen as an inflection point that makes the world safer and reduces the risk of cyber-armageddon.
Hyperbole? Maybe.
Here are some of the things that the Biden administration is working on right now, today, taking advantage of everyone’s focus on the Russian/Ukraine conflict.
Create a sense of urgency in the private sector. President Biden’s warning did not identify specific threats. It was intended to get companies to focus on security and defense to make future attacks more difficult.
Encourage a partnership between all interested parties – private companies (Microsoft, Google, security companies, other tech companies) and government agencies. The goal is to facilitate the free flow of information about attacks and defenses. Like most modern tech, cybersecurity has been built on walled gardens. The walls are starting to come down. The agencies and private companies have been working together on a wide range of tech solutions to help Ukraine. The US Cybersecurity & Infrastructure Security Agency (CISA) is pushing its Shields Up initiative, which requests that all organizations significantly lower their threshold for reporting and sharing indications of malicious cyber activity.
Harden systems. From a New York Times report. “The White House last week briefed more than 100 companies in the United States on the best ways to defend against a cyberattack. The administration on Monday directed companies to “harden your cyber defenses immediately,” recommending measures such as enabling multifactor authentication, ensuring offline backups of data and educating employees on hacking methods.”
Pass laws to require cooperation and sharing information. From the Washington Post last week. “President Biden signed into law yesterday the most expansive cybersecurity requirements that the U.S. government has ever placed on the private sector. They require critical industry sectors, such as energy, finance and transportation, to report to the Cybersecurity and Infrastructure Security Agency (CISA) within three days of being hacked. A broader set of companies must report paying ransoms to hackers.”
Fast attribution. A global response to a cyberattack will always be easier to mobilize if the bad actors are identified. Attribution has frequently been slow in the past, sometimes because information was not shared to permit attribution and allow others to confirm the information. The US government is encouraging its agencies to do technical attribution quickly and share the work – and encourage partners, public and private, to do the same. That’s why the US government quickly called out that Russia was behind the DDOS activity against Ukrainian banks.
Create a global community devoted to stopping cyberattacks. US and European governments and private companies are all pitching in to help defend Ukraine against cyberattacks. The US government is actively working to declassify and share intelligence about Russian cyberwarfare. That has encouraged private sector support for Ukraine from Microsoft, which has responded to malware on Ukrainian networks; Google, which provided support against DDOS attacks; Elon Musk, who is providing Internet connectivity with the Starlink satellite system; and other security and tech companies.
This is also opening the possibility of long term global solutions. The world is starting to develop an international framework for cybercrime and rules governing cyber behavior. These are early days and the world moves slowly on this kind of agreement, but it’s more possible than it was a few months ago. Anne Neuberger describes it this way:
There are actually a few (global agreements about cybersecurity). I’ll mention a couple. One is very much in place and implemented, which is the Budapest Convention on Cybercrime that brings together countries and is actively viewed as effective in sharing information around cybercrime and working to address that. The second one is U.N. Group of Governmental Experts that outlines a broad set of voluntary international norms for peace time in cyberspace. Those include not attacking critical infrastructure, those include allowing computer emergency response teams to work effectively and cooperatively.
Vladimir Putin is batshit crazy, and he’s got his finger on scary weapons – a big army, lots of missiles, nuclear bombs, and cyberweapons wielded by hackers who might be able to do terrible damage.
The global community is pulling together. Governments all over the world are hardening their infrastructure, improving security at government agencies, setting up systems to reduce collateral damage, improving communication between countries as well as communication between government agencies and the private sector, and setting up methods to share information. Going forward, cybersecurity will be taken more seriously.
If we can survive Putin’s current reign of terror, then he may wind up making the world a safer place.