When Russia invaded Ukraine last week, the United States responded by instituting significant economic sanctions against Russia, providing Ukraine with hundreds of millions of dollars in military aid and humanitarian assistance, and closing US airspace to Russian aircraft.
Russia is well known for its state-sponsored cyberwarfare capacity, and Vladimir Putin has threatened countries who try to impede him with consequences “never seen in history.” Will Putin resort to cyberwarfare in response to sanctions, and what would that mean for the United States? Professor Michael Robinson from AU’s Department of Mathematics and Statistics, an expert on cybersecurity, answered our questions about this unfolding situation.
Q. What effects could Russia's cyberattacks have on Ukraine's defense?
A. Cyberattacks are generally thought to be either a precursor or an alternative to the use of physical weapons. Historically, Russia has also deployed cyberattacks for their psychological impact. In the midst of an armed conflict, critical physical infrastructure is usually the first target. At least two distinct malware attacks against the Ukrainian government occurred this past January and February, both before the military invasion occurred. The systems attacked were those providing essentials such as electricity and communications.
Therefore, cyberattacks have definitely played a role in the conflict thus far, though it's not clear yet how much of an impact they have had. The two attacks mentioned above were both rapidly patched. Military systems are also usually somewhat isolated. This helps to mitigate their vulnerability. However, I would judge that the risk of cyberattacks may continue after the armed conflict ends.
Q. Should Americans expect attacks on our key infrastructure, like our banking system and utilities?
A. This is a definite risk if the conflict escalates, especially in response to the sanctions we are imposing on Russia. Cyberattacks on US computers are already happening as a result of the conflict: the two cyberattacks mentioned above were both discovered because they flagged warning systems at Microsoft in the United States. Because cyberattacks are hard to attribute, though, they are an ideal tool for Russia to exact a penalty without being seen as a provocation to a wider war.
Q. How prepared are we?
A. It is easier to destroy than to create; attackers have the advantage. Defending against cyber vulnerabilities requires considerable investment, which many organizations have not done. Recall that fuel shortages were touched off last fall by a ransomware attack, even though the attack itself was quickly resolved. We should be concerned.
Q. What is our worst-case scenario for cyberattacks in the United States?
A. It is possible that critical infrastructure, such as electricity, fuel, water, or finance could be disrupted. Most of these systems do have "off-grid" backups that bring them back up in short order, probably with reduced capacity. As we saw with the fuel shortages, the public's response can last much longer than the actual damage to the systems themselves.
Q. Are individual citizens at risk, and how can they prepare?
A. Have a plan in place to defend against the physical ramifications of a cyberattack. Standard disaster preparation is important in case the attack has physical ramifications. Having extra food staples and water are always a good idea, and would help.
It seems unlikely that individuals are at any more cyber risk than usual. The cyberattacks we have seen in the invasion of Ukraine thus far were deployed by the usual means — email attachments and sketchy file shares, mostly. The vigilance of individuals remains our best defense. I strongly recommend that everyone heed the basic advice: keep your software updated, use strong passwords, and think before you click! A good resource of practical tips is at the Cybersecurity & Infrastructure Security Agency website.