What the threat of cyber warfare means for Americans
Russia has launched a full-scale invasion of Ukraine, sending troops over the border and bombing towns across the country. Already, dozens of Ukrainian soldiers have been killed in the assault, and millions more in the region are now in mortal danger. Countries around the world are also likely to feel some effects, via physical disruptions to agricultural and energy supplies and digital disruptions caused by Russian cyberattacks. The latter, in particular, could easily end up reaching the United States.
It’s impossible to predict with certainty if and when such attacks might occur, says Michael Daniel, who served as cybersecurity adviser to President Barack Obama and is now president and CEO of the Cyber Threat Alliance, a nonprofit organization. The Cybersecurity and Infrastructure Security Agency has already given advice to companies and other organizations on how to avoid digital invasions and how to react if hackers manage to breach their defences. But Americans receive very little government guidance on what they can or should do to prepare.
The Russian government is not likely, at this time, to target American digital infrastructure, Daniel told me. “That would be a big escalation.” But US computers could still be compromised by collateral damage from Russian attacks on Ukrainian systems, as they have been in the past. In 2017, for example, Russian military intelligence hackers sent malware known as NotPetya into Ukrainian computer networks. As the infection spread, a small US hospital system lost the use of every Windows machine in its arsenal, and dozens, if not hundreds, of other hospitals were crippled when a widely used transcription service for electronic medical records broke down. Any company doing business in Ukraine, and any person or company doing business with that company, could be vulnerable to this kind of collateral damage, Daniel said. “No one really fully understands how the internet interconnects and works together at some sort of macro level, so being able to map out all the possible permutations of how something might impact is essentially impossible in advance.”
Herbert Lin, senior fellow at Stanford’s Center for International Security and Cooperation, told me that direct attacks are still on the table. As for patriotic hacking, he said, “the Russians have elevated it to art.” If the United States continues to escalate sanctions and Russia decides to retaliate with cyberattacks, Putin could target the technology that supports American infrastructure. US banks have beefed up their cyber defenses, but “they have never had to withstand an all-out cyberattack by a nation as powerful in cyberspace as the Russians,” Lin said. Municipal electricity and water authorities would likely be more vulnerable, he said, because many of them don’t have the extra money to spend on cybersecurity. And if Russia chooses to allow domestic cybercriminals to operate without consequences, as has been the case in the past, they might simply prey on foreign companies and systems that appear to be the easiest and most lucrative targets. None of these is a particularly likely scenario, Lin pointed out, but any of them is possible.
The experts I spoke with were split on what you or I should do in preparation for possible attacks. “I don’t think ordinary Americans need to take any physical action like buying gas or getting money out of the bank,” Jessica Beyer, co-lead of the Cybersecurity Initiative of the University of Washington, said in an email. Files stored digitally aren’t at great risk, she said, because “major cloud computing companies have robust security in place.” CISA, for its part, told me that while “there is currently no specific and credible cyber threat to the United States,” Americans should keep their devices up-to-date, choose strong passwords and use multi-factor authentication. Daniel agreed and pointed out that the current risk profile does not call for much more action. “What we don’t want to do,” he said pointedly, is create “bank runs and gasoline shortages through self-induced panic.”
Lin said people might be wise to engage in modest preparedness behavior, like having extra cash on hand, packing emergency kits and keeping a few gallons of water per person, but again, he said, these are things people should always do, if they have the money. He also said that essential services such as electricity and water in urban areas could be more tempting targets than those in rural areas, and that the closer a person is to organizations important to national security, the more vigilant that person will have to be. “I wouldn’t want to be the partner of an American general right now,” he said.
Information warfare is perhaps the most likely way Americans will feel the effects of any Russian cyberattack. “The only way they could surprise me in what they’re doing right now is if they weren’t using it as a tool,” Daniel said. Russia’s main target of disinformation would be the Russians, he said, because the government will want to justify the invasion to its citizens. But its tactics could also spread west, he said, creating, for example, fake US government websites, which could sow confusion.
The heightened digital threat from Russia could last as long as the crisis in Ukraine, if not longer. “There are things that could happen in cyberspace that impact the physical world that could take weeks, months, years to recover from,” Daniel said. Imagine, for example, attackers destroying transformers and other physical parts of the power grid. American manufacturers can only make new transformers so quickly. In the worst case, we could be putting things back in place for a long time.