Destabilizing speculation

What to know about the threat of Russian cyberattacks

In the wake of Russia’s invasion of Ukraine, it makes sense to ask: Should America be worried about cyberattacks right now? Experts have mixed opinions.

One way to assess what potential Russian attacks might look like is to analyze past events. “We know from what Russia has done in the past what they are capable of,” says Glenn Gerstell, who served as general counsel for the United States National Security Agency from 2015 to 2020. “And they have used Ukraine as a bit of their cyber punching bag, so to speak.”

Since 2015, when a Russian attack destroyed Ukraine’s power grid, Ukraine has worked hard to strengthen its digital defenses. But in 2017, NotPetya, a Russian cyberattack on Ukraine that spread around the world, still caused billions in damage. There was also the 2021 SolarWinds attack, which targeted US companies like Microsoft and Intel, as well as various US federal agencies including the Pentagon, Department of Homeland Security and National Nuclear Security Administration, leaving them exposed.

Now that America is imposing sanctions on Russia, many fear a retaliatory attack. Here’s what you need to know about it.

What kind of attacks has Russia delivered in the past?

First, keep the period in mind. “It is important not to fall into the mindset of the Cold War and to consider cyberattacks as an episode of Stranger Things, where spies come out of the sewers,” says privacy researcher Sean O’Brien, who directs Yale’s Privacy Lab. According to O’Brien, it is difficult to attribute cyberattacks to an entire country, or even to a specific group within that country. Additionally, opponents can pretend to be someone else, in ways specifically designed to disguise their nationalities.

But we do know that historically Russia has tested some of its most destabilizing cyberattacks against Ukraine and shown it has access to water and electricity systems there. The strategies used to destabilize systems include DDoS attacks, where an attacker sends large amounts of traffic to a website and essentially overwhelms it with more requests than it can handle. They also include wiper attacks, designed to erase all data from a given network, and hacks of Ukrainian national security sites in an attempt to obtain intelligence about that country.

In January 2022, Microsoft disclosed that there had been a malware attack against the Ukrainian government. There have also been a series of recent hacks which may or may not be Russian. During the first week of the invasion, hackers leaked proprietary data from US microchip dynamo Nvidia online, leading some to question whether the attack was linked to Russia. In February, hackers gained access to 21 major US energy companies, including Chevron and Kinder Morgan. This operation was discovered on the eve of Russia’s attack on Ukraine, again sparking speculation about its source.

Jason Leigh, a special agent with the FBI Houston cyber task force, told Bloomberg that he expects Russian hacking invasions “could escalate in terms of volume or number of attacks and ways in which they attack.”

Should people be worried about Russian cyberattacks right now?

When the invasion of Ukraine first happened, some felt cyberattacks were inevitable, and the US Department of Homeland Security warned businesses to be alert to Russian cyberattacks. But so far, nothing has happened, as far as we know.

Data breach hunter Chris Vickery says if the Russians had the power to enforce their will through computer means, America would have already been attacked. “If Russia had the ability to be invincible online cyberwarriors, it would have done something already,” he says.

Gerstell, formerly of the US National Security Agency, disagrees with this notion, pointing out that precision cyberattacks, of the kind used to destroy power grids and oil refineries, take time to plan. “The bottom line is that America is still vulnerable,” he says. “We have everything from the retail sector to other large pieces of critical infrastructure that are in various states of vulnerability. Putin has the ability. And all that’s missing from that equation right now is the strategic decision to exploit that vulnerability.”

Gerstell adds that Putin may not have expected such a strong response from America, with sanctions that have devalued the rouble.

Some US companies are also offering free cybersecurity services to Americans and Ukrainians, such as cybersecurity intelligence firm GreyNoise, which has automatically upgraded all Ukrainian email accounts to include full access to its products. Tesla announced that it would continue to pay Ukrainian employees if they had to return home to help the military for up to three months. Tesla CEO Elon Musk sent Starlink equipment to Ukraine, which could enable voice calls and internet access if the internet was otherwise unavailable, although some have pointed out that these satellites could put the country at additional risk.

Currently, Putin has a lot to lose and little to gain by launching a cyberattack, Gerstell says, but if he feels cornered, it could potentially change his course of action.

How can we protect ourselves?

If you haven’t already, enable multi-factor authentication and back up your data, says Vickery, a self-proclaimed data breach hunter. Companies need to know who their contractors are and lock down IP addresses that are not in their systems. “If governments nationwide did all of these things, we would be in very, very good shape,” he says.

Anne Neuberger, who serves as deputy national security adviser for cybersecurity and emerging technologies in the Biden administration, offered her advice on a New York Times podcast. “For the data most important to you, your bank statements, your health records, keep a backup copy disconnected from the internet so that if something goes wrong, you have it available,” she said.

Gerstell’s recommendations include backing up data, ensuring anti-virus programs are up to date, checking computer logs more frequently, and fixing anything you are able to fix. “Long term, you could really change the architecture of systems that you need to be much less vulnerable, and that probably means moving to something called zero-trust architecture,” he says, explaining that zero-trust architecture is a strategy that continually validates every step of the online interaction.

Are there international laws establishing cyber policies?

Yes. The Budapest Convention on Cybercrime, which was established in 2001, was the first international treaty to try to coordinate responses to cybercrime between nations. The goal of the UN Group of Governmental Experts is to establish “responsible state behavior in cyberspace in the context of international security.” They have defined a set of voluntary policies for the use of cybersecurity, which include not attacking crucial online infrastructure.

In the United States, a common complaint is the lack of consistency in the handling of cybercrime between state and federal governments, leaving different departments to make critical decisions without sharing strategic intelligence. Chris Inglis, the first national director of cybersecurity, echoed those complaints, writing that America needs a centralizing response that “significantly alters the relationship between the public and private sectors.”

What shall we do now?

We need to start catching up, experts say. “For 20 years, we’ve enjoyed the benefits of innovation unimaginable on the Internet,” says Gerstell. “We focused so much on this heady, dizzying array of wondrous, wondrous benefits and features that we didn’t spend a fraction of the energy and time on the defensive and it’s catching up now.”

The good news? Solving the country’s cybersecurity problem isn’t exactly a mystery. We know how to secure networks, but it’s difficult, expensive, and time-consuming. “But we could do it,” Gerstell says. “So that’s the challenge.”