The war between Russia and Ukraine has been widely anticipated to play out online, in addition to on the ground.
Moscow’s cyberwar capabilities have long been cause for concern. Russia has a record of coordinating cyber-attacks on the US, Ukraine and other adversaries. And the country has established itself in recent years as an international hub for cybercrime.
Russia’s past has raised fears of a large-scale cyberwar effort targeting Ukraine and its allies, including the US. While the Biden administration has reportedly played out potential responses to cyber warfare, some experts have argued that the US is not well prepared for a significant cyber-attack.
We spoke with Glenn S Gerstell, a senior adviser at the Center for Strategic and International Studies and the former general counsel of the National Security Agency, about the likelihood of serious cyber warfare – and whether the US is prepared to respond.
“If we had approached this correctly 20 years ago, we would be largely invulnerable to cyber-attacks,” he said. “But unfortunately that is not the case.”
What kinds of attacks have we seen thus far in the conflict, and what are we still on the lookout for?
We’re seeing a relentless series of attacks against Ukrainian websites, especially those that are government-linked and government-controlled. That’s part of a pattern we have seen for the past eight years in which Russia has regarded Ukraine as its sort of cyber punching bag.
What we have not yet seen are completely destructive attacks on the infrastructure in Ukraine, such as the ones we saw in 2015 and 2016 when Russia seemingly shut down the electric grid.
Why is a Russian cyber-attack against Ukraine or its allies so widely anticipated?
Russia has used its very formidable cyber skills against the US and other countries in the past – we have seen what it can do in the form of SolarWinds, the Colonial Pipeline hack and scores of ransomware attacks in every industry in the United States.
So we know they are a sophisticated cyber adversary, we know they have a motive to do so – they’d like to throw sand in our gears to disrupt things here and achieve a strategic advantage in the conflict.
But whether Vladimir Putin would take the risk of actively engaging in destructive cyber warfare is another matter.
What would happen if Russia were to attack the US and how likely is such an attack?
I do not see Russia turning off the lights in the United States, for a number of reasons: many people in the US have taken the position that a cyber-attack with real-world destructive effects is the same as a missile attack or bomb, and therefore would be viewed as an act of war.
In that case, there is no upside for Putin, because he knows it would trigger a very unclear set of escalations and retaliations. It’s not going to achieve a strategic objective, and may end up very badly, making Russia net worse off.
Does the US have a set response to a cyber act of war, like it would for a physical act of war?
The US could respond in a number of ways: with a stealth cyber-attack on Russian agencies or a more visible cyber-attack the US openly admits to carrying out.
We could also carry out a military action in response to a cyber-attack and do something physical. There is, of course, also a range of economic sanctions the US could take against Russia; it could remove diplomats – the response is quite fluid.
How prepared is the US to respond to a cyber-attack from Russia?
We’re prepared to respond in the sense that our military has an extraordinary offensive capability to respond on a cyber level – but we are not ready to defend as a country.
The private sector is not prepared for attacks. It has relied on buggy software to protect itself, and cyberthreats are growing faster than our ability to adapt to them. We need to impose some kind of mandatory solution, because the pure market solution isn’t viable.
The US has been reactive and side-stepped cyber responsibility by simply grafting it on to existing government agencies, making each agency responsible for its own area.
Everything from hospitals to bridges to roads and tunnels is relevant to national security, so we need government action to address it with a centralized solution – our national wellbeing depends on it.
Could you explain a bit further how non-governmental entities are vulnerable to hacks, and what effects that could have?
The Biden administration is doing its best to shore up the private sector’s cyberdefenses, but it’s vulnerable – from banks to hospitals, from giant public companies to smaller privately owned ones.
Whether Putin would take the risk of a seriously destructive attack on hospitals or water systems or chemical plants is the big question. Logic would tell you that it’s not worth the risk of our retaliation and has little upside for him. But if he’s cornered or feels he doesn’t have much more to lose, who knows?
Where does the international community stand on cyber-attacks?
When a bomb lands on a sovereign territory, it causes real-world injuries and damage, and we typically know exactly where it launched from and how to respond.
But with cyber-attacks, this is not the case. The internet is not constrained by sovereign boundaries. Sometimes hacks are destructive while other times an adversary simply enters a network and violates privacy, stealing secrets and data without causing physical harm.
There is, however, a rough consensus that if a cyber act produces a real-world harm such as injuring people or causing physical damage, it would be treated as an equivalent to a physical attack by a bomb or missile. This is to say it could be viewed as an act of war and trigger under international law the right to retaliate physically.
Why haven’t we seen such a giant destructive hack yet, and could that change?
We surely cannot rule it out, but I think we have not experienced it yet for a number of reasons: partly because Ukrainians have been more successful when defending and securing their network, or because Russia has made a strategic decision not to destroy the economy of a country that they hoped to soon occupy.
In terms of attacks on the US, Putin knows if he were to authorize a destructive hack he would be met with a very strong response. It raises the stakes of our military retaliation, which is not good for him. He is likely making a strategic calculation that nobody can really understand unless you are in Putin’s mind.
However, it is entirely possible that if we get to a situation where Putin is cornered or feels that he’s going to not succeed, he might act irrationally.
The calculus may change as Russia reasons that they are already bombing civilians, they are already infuriating the international community. Why not turn off the electric grid? We cannot rule that out.