U.S. officials are highly concerned the war in Ukraine could impact American cyber networks as the war enters its third week and Russian President Vladimir Putin grows more isolated.
The nation’s main federal cybersecurity agency told USA TODAY Tuesday it has been encouraging U.S. organizations to up their security.
“While there are not any specific, credible, cyber threats to the U.S., we encourage all organizations – regardless of size – to take steps now to improve their cybersecurity and safeguard their critical assets,” the Cybersecurity & Infrastructure Security Agency said in a statement.
The Biden administration sought $10 billion last week in emergency funding from Congress in defense aid, including to support Ukraine’s cyber defenses, as well as $28 million to bolster the FBI’s “investigative and operational response to cyber threats stemming from the Russia threat and war on Ukraine,” according to the supplemental funding request.
And U.S. intelligence officials told Congress in its annual threat assessment Tuesday that Russia is using cyber operations to attack those it sees working to undermine its interests or threaten the Russian government’s stability.
“Russia views cyber disruptions as a foreign policy lever to shape other countries’ decisions, as well as a deterrence and military tool,” said the annual threat report, which noted that Russia’s focus was particularly on targeting critical infrastructure upon which the United States depends.
U.S. officials said the most likely short-term cyber impact would be spillover of any cyberattack by Russia against Ukraine. That’s because cyber networks are invariably connected and attacks can easily spread to other nations.
In 2017, Russian “NotPetya” ransomware attacks against Ukraine ultimately took down the world’s largest container shipping company, banks, power plants and more, costing an estimated $10 billion in global damages.
Because there are no generally accepted international cyber warfare norms, it’s unclear whether a cyberattack against Ukraine that spreads to a NATO ally, such as Poland or France, would trigger the alliance’s Article 5, which states that an attack against one NATO nation is an attack against all.
Part of the concern for U.S. officials is that Putin has likened sanctions against Russia to a “declaration of war” and implied that actions taken by Western nations may see a reciprocal response by Russia in other domains. It’s unclear how Putin may respond to Tuesday’s announcement by Biden that the United States will ban all imports of Russian oil, gas and energy.
It’s previously been thought that while Russia might have the capabilities, Putin would never really do anything to disrupt Western finances because the blowback to the Russian economy would be too great. But over the last two weeks, various U.S. companies across nearly all economic sectors have effectively self-sanctioned themselves from continuing to operate in Russian markets.
“The more that Russia is cut off from the global finance sector, from the energy markets, from even the internet itself, it no longer has anything to fear from blowback,” said Jason Healey, a former White House cyber protection director. “If we deal him out of the game why not just flip the table?”
Security firms vow to protect US infrastructure from attacks
On Monday, three U.S. cybersecurity firms – Cloudflare Inc., CrowdStrike Holdings Inc., and Ping Identity – announced they would be joining forces to provide free cyber defense services to certain sectors of critical U.S. infrastructure, including hospitals and water and power utilities.
Many U.S. analysts had expected Putin to lean heavily on cyber as a tool in the war against Ukraine. Since 2014, Russia has engaged in repeated cyberattacks against the country, even shutting off its electrical grid. But much like Russia’s invasion of Ukraine was criticized strategically, its cyber efforts to date have not matched what U.S. officials expected.
Unlike shooting a missile or rolling a tank into a Ukrainian village, cyber capabilities can take years to develop and operations take time to map out. Because so many in the Russian government itself were unaware of Putin’s plans to invade until it was imminent, it’s possible Russian cyber teams were similarly caught unprepared and are still building out these operations, analysts said.
U.S. Democratic Sen. Mark Warner of Virginia, who co-chairs the Senate Cybersecurity Caucus, said the United States should not presume that because Russia has been “inept with their military, doesn’t mean they’re inept in cyber” and are not a significant threat.
“We don’t know whether Russia will use their really exquisite tools from their government (cyber) entities, their spy services, or whether they will simply say to all their ransomware criminals, ‘have at it,’ ” Warner said, “because there’s at least some level of deniability there.”
He said Americans need to understand that no matter how good the United States is at cyber protection, any well-trained cyber attacker will eventually get through defenses. That’s why it’s important to be prepared and ensure systems are resilient – with proper security protocols and companies sharing information with the government to prevent the same attack techniques from being utilized again and again.
Robert M. Lee, founder and CEO of industrial cybersecurity firm Dragos Inc., said his worry is that Biden’s announcement blocking any Russian oil imports may lead Putin to launch a reciprocal attack against U.S. pipelines and liquefied natural gas sites. In 2014, after Western financial institutions sanctioned Russia over the Crimean invasion, the United States saw an increase in attacks by Russian cybercriminals targeting the U.S. financial sector, as well as a cyberattack against Western banks, including JPMorgan Chase & Co.
On Monday, U.S. Democratic Sen. Kirsten Gillibrand of New York told reporters New Yorkers faced an increased risk of cyberattacks from Russia due to the sanctions imposed by financial institutions because New York is considered the economic engine and financial center of the United States.
A potential cyberattack by Russia “has a symbolic signaling mechanism built into it, ‘an eye for an eye,’” said John Hultquist, vice president of intelligence analysis for Virginia-based cybersecurity firm Mandiant.
Attacks could worsen global supply chain issues
U.S. intelligence agencies have been sharing information back and forth with private industry partners, including the industrial cybersecurity firm Dragos Inc., and noted that Russian-based groups have been stepping up and trying to target more of U.S. infrastructure, especially organizations in gas, electric and manufacturing, Lee said.
The company has long investigated Russian cyberattacks on Ukraine, including against its power grid in 2015 and 2016. The 2015 attack resulted in power outages for more than 225,000 people by hitting three regional electric power distribution companies within 30 minutes of each other.
In the United States, it’s most likely Russia would take smaller disruptions and use its misinformation and influence operations to scare the American public, Lee said.
“You could have a power outage for an hour in a local town or something,” Lee said. “But remember, we get through that kind of stuff all the time with hurricanes, tornadoes or anything else, so don’t freak out. That’s what they want you to do.”
Manufacturing, in particular, is believed to be a likely target of Russian cybercriminals who have long operated with the tacit approval of Putin, if not under direct order from the government.
Last May, a ransomware attack against Colonial Pipeline software that the United States attributed to Russian cybercriminals led to fuel shortages across the east and higher gas prices, as well as long lines of nervous motorists. Such ransomware targeting of the manufacturing industry could easily compound ongoing global supply chain issues due to the pandemic, Lee said.
Further stress to manufacturing systems because of ransomware “could be disastrous,” Lee said. “I could absolutely see shortages of food getting to grocery stores, it could be nearly impossible to get computers and laptops and telecommunications equipment in any kind of reasonable waiting period, massive increases in costs of goods or revenue at a time when we’re experiencing record inflation.”
Industrial environments – including manufacturing and refiners, for example – have seen connectivity explode over the last few years, especially amid the pandemic, which simply ups the attack surface for Russian hackers, Lee said.
“There are more access points into the crucial parts of our critical infrastructure than ever before,” Lee said. “You’re dealing with environments that have less security investments than any other part of that company, and you’re dealing with the fact that there’s more access into them now than ever before.”