Following Russia’s invasion of Ukraine, it makes sense to ask: Should America be concerned about cyberattacks right now? There are mixed opinions.
By analyzing previous events, we can gain insight into how potential Russian attacks could look. According to Glenn Gerstell, former General Counsel of the United States National Security Agency from 2015 to 2020, “we know what Russia is capable of based on what they’ve done in the past.” Gerstell added that “Russia has used Ukraine as a bit of a punching bag in the cyber arena.”
In the wake of a Russian attack in 2015 that knocked out Ukraine’s electrical grid, Ukraine has stepped up its digital defenses. However, in 2017, NotPetya, a Russian cyberattack against Ukraine that spread worldwide, still caused billions in damage. There was also the 2021 Solar Winds attack, which targeted American companies like Microsoft and Intel, as well as various American federal agencies, such as the Pentagon, the Department of Homeland Security, and the National Nuclear Security Administration, leaving them vulnerable.
Following the imposition of sanctions on Russia by America, many believe that retaliation will follow.
Let’s take a closer look.
What types of attacks did Russia deliver in the past?
The first thing to keep in mind is the time period.
“It’s important not to fall into a Cold War mindset and think about cyberattacks like an episode of Stranger Things, where spies are popping out of the sewers,” says privacy researcher Sean O’Brien, who leads Yale’s Privacy Lab. According to O’Brien, attributing cyberattacks to a whole country or even a specific group within that country is complex. Plus, adversaries can pretend to be someone else in ways specifically designed to obfuscate their nationalities.
Yet, we do know that historically, Russia has tested some of its most destabilizing cyberattacks on Ukraine, Chris InglisThe,, and has shown they have access to water and power systems. There are a variety of strategies they use to disrupt systems, including DDoS attacks, where they send huge amounts of traffic to a website and overwhelm it with requests. They also use wiper attacks to wipe out all the data from a network, and they hack Ukrainian national security sites for the purpose of getting intelligence about that country.
In January 2022, Microsoft revealed that the Ukrainian government had been attacked with malware. There have also been several hacks in the recent past that may or may not have been Russian-related. On the first day after the invasion, hackers released proprietary data from US microchip manufacturer Nvidia onto the internet, leading some to suspect that Russia was responsible for the attack.
In February 2022, hackers gained access to 21 major energy companies in the United States, including Chevron and Kinder Morgan. The discovery of this operation took place on the eve of the Russian attack on Ukraine, causing further debate about its origin.
In a Bloomberg interview, Jason Leigh, a special agent with the FBI Houston’s cyber task force, said he expects that Russian hacking invasions “may escalate” in volume or frequency of attacks and in how they are conducted.
How worried should people be about Russian cyberattacks now?
In the immediate aftermath of the Ukrainian invasion, many believed cyberattacks would follow, and the US Department of Homeland Security warned businesses to be on alert for Russian cyberattacks. As of now, nothing has happened—at least not publicly.
In an interview with Chris Vickery, data breach hunter Vickery said if the Russians had the power to enforce their will through cyber means, the US would be under attack already. In his estimation, if Russia had the capability of being invincible online cyber warriors, they would have already taken action.
Former National Security Agency official Gerstell disagrees with this notion. He says precision cyberattacks, such as those that disrupt electric grids and refineries, take time to plan. “The bottom line is that America is still vulnerable,” he says. “We’ve got everything from the retail sector to other big pieces of critical infrastructure that are in varying states of vulnerability. Putin has the capability to deal with them. Currently, all that’s missing in that equation is the strategic decision to exploit that vulnerability.”
Adding to Gerstell’s thoughts, Putin may not have expected such a strong reaction from America, which has imposed sanctions on Russia that have devalued the ruble.
A few American companies are also providing free cybersecurity services to both Americans and Ukrainians, like cybersecurity intelligence company GreyNoise, which automatically included full access to its services in all Ukrainian email accounts. In a recent announcement, Tesla said that they will continue to pay Ukrainian employees if they need to help the military for up to three months. Elon Musk, Tesla’s CEO, sent Starlink equipment to Ukraine to enable voice calls and Internet access if the Internet was otherwise unavailable. However, some have accused Musk of putting Ukraine at risk with the equipment.
In the present, Putin has a lot to lose and little to gain from launching a cyber attack, Gerstell says, but if he feels cornered, his course of action may change.
What can we do to protect ourselves?
According to Vickery, a self-described data breach hunter, you should enable multi-factor authentication and back up your stuff. Companies must keep track of their contractors and subcontractors, as well as lockdown IP addresses that do not belong to their systems. “If every government did all those things, we would be very, very well off,” he says.
The Deputy National Security Advisor for Cyber and Emerging Technology in the Biden Administration, Anne Neuberger, offered her advice on a New York Times podcast. “For data that’s most important to you, your bank records, your health records, keep a backup copy that’s disconnected from the internet so that in case something happens, you have that available,” she said.
Gerstell recommends backing up data, making sure your antivirus software is updated, checking your computer logs more frequently, and patching everything you can patch. “In the long run, you can really change the architecture of the systems that you have to be far less vulnerable, and that probably means moving to something called zero trust architecture,” he says, explaining that zero trust architecture is a strategic approach that continually validates every stage of online interaction.
Is there an international law establishing cyber policies?
Certainly, founded in 2001, the Budapest Convention on Cybercrime was the first international treaty that attempted to coordinate cybercrime responses between nations. It has outlined a series of voluntary policies for cyber use, which include not attacking crucial online infrastructure. The UN Group of Governmental Experts‘ goal is to establish “responsible state behavior in cyberspace in the context of international security.”
It’s a common complaint in the United States that there is no cohesive response to handling cybercrime across the state governments and federal government, leaving individual departments to make crucial decisions without sharing intelligence. The first National Cyber Director, Chris Inglis, wrote that America needs a centralized response that “meaningfully alters the relationship between the public and private sectors.”
Where do we go from here?
It’s time to play catch-up, experts say. “For 20 years, we’ve been enjoying the benefits of unimaginable innovation on the internet,” Gerstell says. “We’ve been so focused on this dizzying array of wonderful benefits and functionality that we haven’t been spending a fraction of our energy and time on the defensive side, and it is now catching up with us.”
What’s the good news? Fixing the nation’s cybersecurity problem isn’t exactly a mystery. Although we know how to make networks safe, it is difficult, expensive, and time-consuming. “But we can do it,” says Gerstell. “So that’s the challenge.”
How should cyber-insurers respond?
The cyber-risk environment today is quite fluid and can change quickly over the course
of this year. However, cyber-insurers can certainly anticipate some broad trends. As mentioned earlier, the base loss event frequency is likely to go up to some degree in the second half of 2022.
We do not expect the magnitudes of the losses to change significantly. Given the risk of attacks on critical infrastructure by state actors, portfolios should be reviewed for their exposure to related sectors. The Conti source leak requires a re-examination of how security scans and inside telemetry could be used to provide better insight into relevant attack indicators.
We are reminded again of the danger that cyber-insurance is quite different than traditional lines of business following the recent log4j vulnerability and Russia-Ukraine crisis. As geopolitical issues and threat actors are constantly evolving, cyber insurers have to be prepared to react quickly to such changes. Despite the fact that traditional approaches to cyber-risk modeling are too coarse and tend to be static, it remains a critical component. At Measured, both the risk modeling technology and agile workflows allow us to quickly respond and adapt our models and policy parameters to abrupt changes such as the one caused by this crisis. The Measured team is monitoring the Russia-Ukraine conflict closely and continuously evaluating its impact on Cyber-Insurance.
For more information, please contact us at [email protected].