America needs to be planning now how it will respond
Russia has been the subject of much American press speculation this spring, as questions and suspicions swirl regarding its involvement in alleged hacks during the U.S. presidential election. While the details of these specific attacks remain unclear, what is clear is the danger posed by the superpower’s well-established hacking prowess. The question is not if Russia will conduct another major cyberattack on the U.S., but when.
As such, America needs to be planning now how it will respond. In 2015, cyberthreat firm FireEye alleged Russian nexus-hackers had caused power and energy outages across Ukraine, impacting thousands of citizens. No other country has been so publicly accused of conducting a cyber-to-conventional attack (a cyberattack with visible, physical consequences). Russia leadership has also publicly prioritized its information warfare and cyberweapons. “Information is now a species of weapon,” wrote Russian major general Ivan Vorobvev in 2013.
As proven by the alleged hacking activities this U.S. presidential election, the fear of information warfare is very real. However, the US must also remain vigilant about cyber-to-conventional attacks; many of our critical infrastructure networks are littered with vulnerabilities, and consumer technology is moving more and more citizens into the line of battle.
Because cybertools have become so accessible, it’s unlikely even a limitless defense budget could stop every attack. With this in mind, response must be the key priority. Based on my qualitative analysis of Russia’s previous military motives, strategies and tools, any Russian attempt to exploit US cybervulnerabilities will most likely target the US’s communications and IT critical infrastructure.
Intensifying the Fog of War
Russia is unlikely to target other industries for a number of reasons. Historically, it has avoided attacks that could trigger a full-scale military response, preferring to intensify the fog of war and cause maximum confusion. Within this strategy, Russia is unlikely to target such important U.S. sectors as chemical, nuclear, public health, energy, or defense industries. Russia is also unlikely to seriously attack the U.S. financial, agriculture, or manufacturing industries, which could anger U.S. allies and damage Russia’s growing role in the global economy.
But attacks on communications and IT infrastructure could take several forms.
Targeting alert systems would prevent U.S. monitoring systems from catching intrusions fast enough. This could in turn precede tactics with more immediate conventional consequences. As an example, conducting denial-of-service attacks against central IT networks could cripple government operations, disrupting service for thousands of phone customers or severing internet access for millions of consumers. If timed well, a communications attack during wartime could disrupt national emergency alert services. This includes 911 networks and emergency broadcast stations. During a national disaster, this would have devastating consequences.
Russia could also target physical parts of national infrastructure managed (and defended) by private companies, including fuel centers, power sources, and trucks that transport IT components. These industries also rely heavily on the internet of things, with vulnerabilities in cloud and mobile computing.
The U.S. is certainly aware of these risks. Following the 2013 National Infrastructure Protection Plan, national leaders assessed all critical infrastructure for vulnerabilities, and proposed defensive plans. As a result, industry departments have started performing a number of routine checks, including information sharing, monitoring, and backing up essential information.
However, budgetary gaps remain a huge problem. The Obama administration asked for only $19 billion (yet to be received) for its 2017 Cyber Security Budget. While the Trump administration has included huge proposed increases for cybersecurity investment in its 2017 budget (including $61 million for the FBI to combat criminal encryption tools), the private sector spent approximately $80 billion on cybersecurity five years ago. Of note, none of these federal government cybersecurity budgets were, or have been, approved.
Hacking the Hackers
As a result of these budget constraints and realities, it’s crucial the U.S. focus its efforts strategically. As a minimal option, the U.S. could respond to a Russian cyberattack by conducting simple cyberintrusions against Russian internet networks, government websites, and communications services, causing disruptions and damaging Russia’s security credibility. For example, using National Security Agency's TreasureMap tool, which tracks all global connections to the internet, the U.S. could also place malware in these networks for future intelligence gathering.
A more aggressive response would involve conducting operations against Russia’s own critical infrastructure networks. By inserting logic bombs into Russian networks (tools that self-destruct once within systems), the U.S. could potentially damage the Russian economy. These same tools can be leveraged to cause even more damage if used to target dams, air traffic control towers or other infrastructure. Such actions would send a grave message, but the risk of escalation would be higher as well.
The most aggressive response would involve directly attacking Russian military targets by shutting off power at a nuclear facility or an airfield. Many Russian industrial networks run on Windows XP, a very old system, while remaining connected to the internet. Not only are these systems extremely vulnerable to attack, the U.S. has already shown it has the ability to do so. In November 2016, the U.S. reportedly penetrated Russian military systems and left behind malware, to be activated in the case of Russian interference of U.S. elections.
The problem with these cyberattacks is that the potential for counter attacks is infinite. Russia attacks the U.S. communications grid. The U.S. does the same. And on it would go, potentially until a physical war was started.
In 2016, Christopher Painter, the U.S. State Department’s coordinator for cyber issues, said “cyber activities may in certain circumstances constitute an armed attack that triggers our inherent right to self-defense as recognized by Article 51 of the UN Charter.” This means the U.S. could legally respond to a Russian cyberattack with conventional military forces, in an effort to deter Russia from escalating further.
But ultimately, there’s a reason the Obama administration referred to the plethora of powerful U.S. and Russian cybercapabilities as a digital arms race. The cycle is perhaps best described as an endless series of advantages, with Russia and the U.S. continuing to make each other more and more uncomfortable. And now Trump’s administration will need to figure out just how uncomfortable he is willing to get.