As Russian missiles fly, President Vladimir Putin has warned that those countries that aid Ukraine will face consequences like they have never seen before.
The United States and its European allies, however, have stood firm with sanctions on the Russian financial system and on Putin and his closest advisors. They also imposed bans on technology exports to Russia. As Putin, his cronies and the Russian military itself begin to feel the effects of these sanctions, safe money bets on Russia expanding its cyberattacks to target the United States and Europe.
Moscow has repeatedly demonstrated that its hackers — which include military and intelligence cyber units as well as “independent” proxies — have the capability to inflict untold damages on the infrastructure and companies the global economy depends upon. This past year, Russian hackers shut down a pipeline carrying half of the East Coast’s fuel supplies and a company that processes 20 percent of American meat products. The U.S. government has warned that Russia has been persistently targeting numerous U.S. critical infrastructures over the past decade, so it is reasonable to expect that malware already exists in critical U.S. water, energy, aviation, nuclear and manufacturing systems. Even if the Kremlin merely gives Russian criminal gangs a wink and a nod, U.S. and other Western companies are likely to face a surge of attacks. And with few exceptions, the private sector is not prepared for cyber war.
While the largest financial institutions have cyber defense capabilities that rival some nation states, they cannot function for extended periods if the power goes down. Electricity providers weather storms of all sizes, but hurricanes are not strategic actors that understand circuits and relays. Hackers, however, understand electricity generation’s dependence on natural gas pipelines, rail-transported coal and on water supplies used as a cooling medium.
Establishing resilience against cyber threats is a three-legged stool. It consists of: Sufficient investments by the owners and operators of critical infrastructure to defend themselves; a collaborative defense effort between government and the private sector; and reinforcing deterrence with a credible threat and capability to punish attackers via military, cyber and economic means. The regular stream of headlines about successful cyber and ransomware attacks on U.S. companies confirms that grades for the first leg of the stool are mediocre at best, and many companies need to do more to defend themselves.
Grades for the third leg are better. In cyberspace, U.S. government operators could no doubt reciprocate attacks against Russian infrastructure, although these Russian systems are less integrated and thus less vulnerable to cascading impacts than American systems. Putin may also be counting on his people’s ample experience with critical infrastructure failures to limit the psychological impact of these attacks. If citizens are accustomed to power outages from poorly maintained systems, a power outage from a cyberattack may be less meaningful.
However, the leg that truly threatens to topple the stool of infrastructure resilience is the lack of collaborative defense. To its credit, the Biden administration has been making strides to improve public-private collaboration through the appointment of the first-ever National Cyber Director and the creation of a Joint Cyber Defense Collaborative with cybersecurity and information technology companies. Yet the deficit in cyber readiness remains enormous. Infrastructure resilience requires the U.S. government to provide real time indications and warnings to owners and operators of our critical infrastructure. It demands the establishment and testing of collective defense mechanisms. And it may also necessitate an ability for the federal government’s most capable cyber assets to seamlessly defend privately owned critical infrastructure sectors under attack.
None of this will happen quickly. It may be too late to prevent the worst blowback on U.S. critical infrastructure from the Russian invasion of Ukraine. But when this current crisis has passed, the country must not simply move on. Individual companies or industries that escape unscathed should not breathe a sigh of relief and continue business as usual. Our nation must address the shortfalls that make us vulnerable today. Infrastructure resilience requires long-term investments and commitment by both individual companies and the U.S. government as a partner to the private sector. We’ve already waited too long to make these investments. Putin may soon demonstrate why we can afford to wait no longer.
Mark Montgomery is senior director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD) and previously served as the executive director of the congressionally mandated Cyberspace Solarium Commission. Annie Fixler is CCTI’s deputy director and research fellow at FDD. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.