How the conflict in Ukraine threatens US cybersecurity

The TechCrunch Global Affairs Project examines the increasingly intertwined relationship between the tech sector and global politics.

As Russian troops stand poised to invade Ukraine yet again, much attention has focused in recent days on how to avoid escalation of the conflict. Recent (and likely ongoing) cyberattacks on Ukraine suggest that this conflict will be severe in the digital domain as well. And unlike a ground invasion, the digital conflict zone may expand to include the United States, as the U.S. government has warned. Years of Russian cyber probing and “preparing the environment” could well culminate in significant and potentially destructive attacks against private-sector American interests in the coming weeks and months.

If this level of vulnerability feels intolerable, good: it should. But how did we get here? And what moves are needed to avoid disaster? To start, it is critical to understand how President Vladimir Putin has experimented with 21st-century technical methods to advance his longstanding vision for Russia.

Past as cyber prologue

Russia’s motives are conventional enough. In April 2005, Putin called the fall of the Soviet Union “the greatest geopolitical catastrophe of the century” and “a genuine tragedy…for the Russian people.” This core belief has guided many of Russia’s actions since. Today, the drums of war are unfortunately beating loudly in Europe, as Putin seeks to forcibly return more of Russia’s periphery back under formal control and push back on perceived Western encroachment.

While there are a number of factors driving why Russia has chosen now as the time to increase its aggression against Ukraine — and assert itself in Europe more broadly — its asymmetric capabilities in areas like cyber certainly give it a broader set of tools to shape the outcomes in its favor.

Russia’s geopolitical position, with a shrinking population and a weak economy, drives its leadership to find ways to reassert itself on the global stage. Russian leaders know they cannot compete conventionally, so they turn to more accessible and, as it turns out, immensely effective asymmetric tools. Their disinformation campaigns have done much to widen pre-existing societal fissures here in the United States, exacerbating our fracturing politics in keeping with standard Russian intelligence practice. Indeed, Russian leadership likely sees an opportunity while the West is distracted by the COVID pandemic and by internal turmoil that Russia itself sometimes helps sow.

But Putin’s long embrace of asymmetric methods means Russia has been preparing for this moment for years. There is a familiarity to these activities: old means and tools from the Soviet era that have taken on a new face through the exploitation of 21st-century digital tools and vulnerabilities. In recent years, Russia has used Ukraine, Libya, the Central African Republic, Syria, and other contested spaces as testing grounds for its information operations and destructive cyber capabilities.

The bear gets prickly

Today, Russian actors deploy a vast array of “active measures” techniques to confuse, sow doubt, and delegitimize basic democratic institutions. The mercenaries and clandestine agents Russia is sending into Ukraine have honed their skills in hybrid battlespaces abroad, combining deception and kinetic action with deniable influence operations and offensive cyber activity.

In cyberspace, Russia has graduated from its then-unprecedented 2007 denial-of-service campaign against Estonia to attacks on Ukrainian utilities, ministries, banks, and media, culminating in 2017’s NotPetya, which spilled beyond Ukraine to become one of the costliest cyberattacks in history to date. Russian intelligence services have also been found inside U.S. critical infrastructure systems for some time now, though so far without the kinetic or destructive effects seen in Ukraine and elsewhere (as detailed in books like Andy Greenberg’s Sandworm). They have tested the reactions of the United States and its allies, learned what they can get away with, and are pressing ever further as NATO countries debate what to do about Ukraine.

In sum, Russia has done its reconnaissance and likely pre-placed tools it may want to use against countries like the United States on a rainy day. That day may soon arrive.

When war in Europe hits American networks

As Russia ramps up its aggression against Ukraine, the United States has threatened a “devastating” economic response as a rung on the escalatory ladder (the process by which nations methodically raise the stakes in the hope of deterring an adversary) toward an increasingly dangerous and likely violent resolution. What often goes unsaid is that Russian cyber capabilities are attempts at their own form of deterrence. The preparatory activities Russia has engaged in over the years, noted above, mean that the consequences of escalation could come home to roost here in America.

The U.S. government has explicitly and broadly warned that Russia may attack American private industry in response to potentially severe U.S. sanctions. Given the sophistication of Russian actors in this space, it is highly unlikely that these attacks would be brazen, or even immediate. While Russian operators can be sloppy and imprecise at times (see NotPetya), their capabilities will likely allow them to meddle with our critical infrastructure and private industry via supply-chain attacks and other indirect, difficult-to-attribute means. Even so, companies and service providers could face significant damage and costly downtime. If the past has been a nuisance, the near term portends potentially much greater economic harm as Putin and his oligarchs continue to press their longstanding agenda.

Hope remains that Russia will not continue to ramp up its aggression and will instead find off-ramps that avoid these scenarios. We should all hope that none of this ever unfolds. It is prudent, however, and indeed overdue at this point, for industry to take the appropriate steps to protect itself from what must now be considered a likely attack: enforcing multi-factor authentication, segmenting networks, maintaining backups that are kept offline and regularly tested for restore, gaming out crisis response plans, and restricting access to those with a real need for it. What is happening in Ukraine seems a world apart, but with a few clicks, the impact may end up right here at home.