As the United States continues to rush sophisticated weaponry to Ukrainians to defend against the Russian invasion force and unprecedented Western sanctions slowly strangle the Russian economy, Moscow’s retaliation is likely a matter of when — not if.
Russian strategic doctrine even calls for escalation in order to deescalate conflicts, up to and potentially including the use of nuclear weapons. If history is any guide, the next rung up President Vladimir Putin’s ladder of escalation will probably be sophisticated and potentially devastating cyberattacks aimed at critical American infrastructure.
The Biden administration has already warned of “evolving intelligence” that the Russian government is exploring options for potential cyberattacks against the United States. The Kremlin’s playbook for such aggression is extensive and well-rehearsed, and Russia is not the only source of cyberattacks we need to be ready to defend against.
Just last year, Russian hackers shut down the Colonial Pipeline, which carries nearly half of the East Coast’s fuel supplies, causing long lines at gas stations up and down the Eastern seaboard. The ransomware attack was reportedly the work of a Russian criminal group loosely affiliated with Russian intelligence services.
In the massive SolarWinds cyberattack in 2020, hackers believed to be working for Russia’s Foreign Intelligence Service used malware to infect the computers of Fortune 500 companies and multiple U.S. government agencies. Private company systems were compromised, as were computers inside the Pentagon, the Department of Homeland Security, the State Department, the Treasury Department, the Department of Energy and even the National Nuclear Security Administration — part of a series of successful intrusions into private and government systems across America.
“The reality is we have seen Russia do some things in cyberspace that we thought were just nuts. That were so provocative, so escalatory that sometimes you look at that and say, ‘Who’s controlling these guys?’” Dmitri Alperovitch, a Russian-born American computer security expert and co-founder of the cyber security firm CrowdStrike, told “60 Minutes” reporter Bill Whitaker in a recent interview. “ You know when the U.S. launches an operation there’s going to be an army of lawyers approving every step of that operation, asking are you going to cause any civilian casualties, are you going to do anything that is disproportionate. They don’t have any of that in Russia, and that can lead us down a very dark path.”
American policymakers need to be concerned not only with defending government systems against attack, or how and when to use offensive counterattacks but the full range of private company and organization systems vulnerable to targeting by foreign cyber actors. As technology advances, especially with the rollout of 5G communications, autonomous vehicles and the internet-of-things, the attack surface is growing larger by the day and the number of defenders has to grow to match the threat.
Some observers find reassurance in the fact that Moscow has failed to mount a major cyberattack against the United States during the Ukraine crisis, but that relief is likely fleeting. Mounting a sophisticated cyberattack can take months to prepare and execute, and Putin obviously thought his “lightning” invasion would quickly decapitate the Ukrainian government. With a badly bloodied Russian military now bogged down in a war of attrition nearly two months later, and sanctions squeezing his economy a little more each day, Putin’s frustration is likely to grow, and with it the likelihood of escalation.
The good news is that the federal government has fully awoken to the threat. A number of the key recommendations of the 2020 Cyberspace Solarium Commission Report have been adopted in executive orders and legislation, including the establishment of a national cyber director, and a broadening of authorities for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). CISA Director Jen Easterly has recently launched a program called Shields Up to help agencies prepare for malicious cyberattacks. Those efforts include sharing intelligence on Russia’s malicious software and cyber tactics with the private sector and encouraging U.S. industry to reciprocate by sharing information with the government on suspected cyber intrusions.
What is now urgently needed is a national awareness campaign explaining the role of every American citizen in preparing for the coming cyberwar. Not everyone needs to be a cyber engineer, but we all need better awareness of simple security techniques and how to identify threats that can be unleashed simply by clicking the wrong link in an email.
Despite Washington’s well-earned reputation for hyper-partisanship and dysfunction, there has been significant bipartisan cooperation for improving the nation’s cyber security. The American Innovation Act, currently in the final stages of debate, includes several initiatives that will improve the science and engineering proficiency of the American workforce and secure semiconductor supply chains. Rep. Adam Kinzinger (R-Ill.) included in the bill the American Cybersecurity Literacy Act, which would launch a cybersecurity literacy campaign to increase knowledge and awareness of cybersecurity risks among the American public, including best practices for preventing cyberattacks, such as two-factor password authorizations. It is this area of national effort that needs urgent increased attention, and the effort must include presidential level messaging and high-school level education on cyber literacy.
The underlying message behind these initiatives would have been familiar to an American public that parked their cars and relied instead on public transport to help the War Production Board cope with a rubber shortage during World War II: Every American citizen has a role to play in defending the nation against those who would do us harm. In the age of cyberwarfare, that can mean simply hesitating before clicking on that unfamiliar link in your text or email inboxes.
With the stakes this high, we all have to grapple with the role we need to play as national cyber defenders.
Glenn Nye is the president and CEO of the Center for the Study of the Presidency & Congress (CSPC). James Kitfield is a CSPC senior fellow. Follow him on Twitter @JamesKitfield.