Russia has been the subject of much American press speculation this spring, as questions and suspicions swirl regarding its involvement in alleged hacks during the US presidential election. While the details of these specific attacks remain unclear, what is clear is the danger posed by the superpower’s well-established hacking prowess. The question is not if Russia will conduct another major cyberattack on the US, but when.
As such, America needs to be planning now how it will respond. In 2015, cyberthreat firm FireEye alleged that Russian nexus-hackers had caused power and energy outages across Ukraine, impacting thousands of citizens. No other country has been so publicly accused of conducting a cyber-to-conventional attack (a cyberattack with visible, physical consequences). Russia leadership has also publicly prioritized its information warfare and cyberweapons. “Information is now a species of weapon,” wrote Russian major general Ivan Vorobvev in 2013.
As proven by the alleged hacking activities this US presidential election, the fear of information warfare is very real. However, the US must also remain vigilant about cyber-to-conventional attacks; many of our critical infrastructure networks are littered with vulnerabilities, and consumer technology is moving more and more citizens into the line of battle.
Because cybertools have become so accessible, it’s unlikely that even a limitless defense budget could stop every attack. With this in mind, response must be the key priority. Based on my qualitative analysis of Russia’s previous military motives, strategies, and tools, any Russian attempt to exploit US cybervulnerabilities will most likely target the US’s communications and IT critical infrastructure.
Intensifying the fog of war
Russia is unlikely to target other industries for a number of reasons. Historically, it has avoided attacks that could trigger a full-scale military response, preferring to intensify the fog of war and cause maximum confusion. Within this strategy, Russia is unlikely to target such important US sectors as chemical, nuclear, public health, energy, or defense industries. Russia is also unlikely to seriously attack the US financial, agriculture, or manufacturing industries, which could anger US allies and damage Russia’s growing role in the global economy.
But attacks on communications and IT infrastructure could take several forms.
Targeting alert systems would prevent US monitoring systems from catching intrusions fast enough. This could in turn precede tactics with more immediate conventional consequences. As an example, conducting denial of service attacks (DDoS) against central IT networks could cripple government operations, disrupting service for thousands of phone customers or severing internet access for millions of consumers. If timed well, a communications attack during wartime could disrupt national emergency alert services. This includes 911 networks and emergency broadcast stations. During a national disaster, this would have devastating consequences.
Russia could also target physical parts of national infrastructure that are managed (and defended) by private companies, including fuel centers, power sources, and trucks that transport IT components. These industries also rely heavily on the Internet of Things (IoT), with vulnerabilities in cloud and mobile computing.
The US is certainly aware of these risks. Following the 2013 National Infrastructure Protection Plan, national leaders assessed all critical infrastructure for vulnerabilities, and proposed defensive plans. As a result, industry departments have started performing a number of routine checks, including information sharing, monitoring, and backing up essential information.
However, budgetary gaps remain a huge problem. The Obama administration asked for only $19 billion (yet to be received) for its 2017 Cyber Security Budget. While the Trump Administration has included huge proposed increases for cybersecurity investment in its 2017 budget (including $61 million for the FBI to combat criminal encryption tools), the private sector spent approximately $80 billion on cybersecurity five years ago. Of note, none of these federal government cybersecurity budgets were, or have been, approved.
Hacking the hackers
As a result of these budget constraints and realities, it’s crucial that the US focus its efforts strategically. As a minimal option, the US could respond to a Russian cyberattack by conducting simple cyberintrusions against Russian internet networks, government websites, and communications services, causing disruptions and damaging Russia’s security credibility. For example, using the NSA’s TreasureMap tool, which tracks all global connections to the internet, the US could also place malware in these networks for future intelligence gathering.
A more aggressive response would involve conducting operations against Russia’s own critical infrastructure networks. By inserting logic bombs into Russian networks (tools that self-destruct once within systems), the US could potentially damage the Russian economy. These same tools can be leveraged to cause even more damage if used to target dams, air traffic control towers or other infrastructure. Such actions would send a grave message, but the risk of escalation would be higher as well.
The most aggressive response would involve directly attacking Russian military targets by shutting off power at a nuclear facility or an airfield. Many Russian industrial networks run on Windows XP, a very old system, while remaining connected to the internet. Not only are these systems extremely vulnerable to attack, the US has already shown it has the ability to do so. In November 2016, the US reportedly penetrated Russian military systems and left behind malware, to be activated in the case of Russian interference of US elections.
The problem with these cyberattacks is that the potential for counter attacks is infinite. Russia attacks the US communications grid. The US does the same. And on it would go, potentially until a physical war was started.
In 2016, Christopher Painter, the US State Department’s coordinator for cyber issues, said that “cyber activities may in certain circumstances constitute an armed attack that triggers our inherent right to self-defense as recognized by Article 51 of the UN Charter.” This means that the US could legally respond to a Russian cyberattack with conventional military forces, in an effort to deter Russia from escalating further.
But ultimately, there’s a reason the Obama administration referred to the plethora of powerful US and Russian cybercapabilities as a digital arms race. The cycle is perhaps best described as an endless series of advantages, with Russia and the US continuing to make each other more and more uncomfortable. And now Trump’s administration will need to figure out just how uncomfortable he is willing to get.