As Western countries scramble a response to Russia’s invasion of Ukraine, offensive cyber operations rank high on a list of options that could make Vladimir Putin pay for his attack on a neighbor.
NATO countries boast capabilities that could wreak havoc on telecoms networks, financial infrastructure, power generation and military command systems.
Except that, in the event such operations are carried out, chances are the public would never know for sure who is behind them — or even exactly what has happened and what sort of damage has been inflicted.
Attention on possible cyber operations has grown as Putin’s armies pummel and encircle Ukraine’s capital city, Kyiv, and as American and European allies roll out sanctions that aim to stop Putin’s forces from overthrowing Ukraine’s government. But leaders have so far stopped short of cutting Russia out of the SWIFT international payments system, in an effort to keep some measures in their pocket for when the crisis escalates further.
As the West ponders further coercive measures, there is growing public discussion of state-backed cyberattacks as a response to Russian aggression. On Thursday, an NBC News report stated that U.S. President Joe Biden had been presented with options for cyberattacks against Russian critical infrastructure, including taking out internet access and power. The White House strongly pushed back against the NBC report, with a spokesperson for the National Security Council telling POLITICO that the report was “wildly off base.”
But Biden himself was clear Thursday afternoon that the U.S. would respond in kind if Russia took aim at U.S. critical infrastructure.
“If Russia pursues cyberattacks against our companies, our critical infrastructure, we’re prepared to respond,” the U.S. president said in a speech at the White House. “For months, we’ve been working closely with the private sector to harden our cyber defenses, sharpen our response to Russian cyberattacks.”
James Lewis, the director of the Strategic Technologies Program at the Center for Strategic and International Studies, said there was a “debate” within the White House over whether to deploy cyber operations against Russia, but that he did not believe the United States would take that route.
In the U.K., Secretary of State for Defense Ben Wallace on Tuesday told members of parliament his services had offensive cyber capability to strike back when Russia threatens the country’s cybersecurity. “I was always told the best part of defense is offense,” Wallace told MPs.
Meanwhile, examples of significant disruption to Russian bank and government websites remained unexplained in the days after Putin launched his assault. Several Russian government websites were unreachable for parts of the day, including the website of the Ministry of Defense, the Kremlin’s website and the parliamentary Duma’s website, as was the website of the state-owned Sberbank, the country’s biggest bank.
Russia’s National Computer Incident Response and Coordination Center warned of cyberattacks on Russian infrastructure, Russian media reported Friday. The agency raised the threat level to “critical.”
Experts pointed out it isn’t clear what was behind the disruption. It could be Russian services taking down websites or blocking traffic from outside of the country as a precautionary measure to protect against cyberattacks; it could be Ukrainian government-backed groups or even activist hackers launching operations on Russian targets. Some of the attacks were claimed by pro-Ukrainian activist hackers on Thursday. Russian government services and media did not report cyberattacks on the country.
In any scenario, a key advantage of cyber operations is that they offer “plausible deniability” to the actor carrying them out, and authorship can easily be disguised.
“Publicly announcing you’ll [as a state] conduct offensive cyber operations is not how it works … Whether it is happening below the surface is another question. It’s mainly an intelligence competence, so covertly much can be achieved,” said Bart Groothuis, a member of the European Parliament who formerly served as cybersecurity official in the Dutch Ministry of Defense.
According to Timo Koster, former cyber ambassador of the Netherlands and former director of the defense policy and capabilities division at NATO, “states will try to use electronic warfare to disrupt the offensive where possible, by targeting command and control systems. And to disable critical infrastructure in Russia. Not just to complicate Russia’s operation but also to give him one more problem to deal with.”
Dos and don’ts in cyberspace
Countries have for years conducted cyber espionage campaigns to gain intelligence over others’ security strategies and state secrets.
But the West — and European governments in particular — has also shied away from launching all-too overt cyber operations to disrupt Russian government services, in part because they don’t want to cross red lines they’ve been promoting at fora like the United Nations and have repeatedly warned Russia shouldn’t cross itself.
“A lot of what Russia does, by our understanding, is a violation of international law. And we, the West, don’t want to respond with that,” said Jaak Tarien, head of NATO’s Cooperative Cyber Defence Centre of Excellence, a NATO-accredited cyber defense center based in Tallinn that advises the defense alliance and its members on cybersecurity.
“In our strategic decision-making exercises, sometimes it’s been seen that the Western leaders would rather go kinetic, drop the bomb, but that they see offensive cyber as something very provocative,” Tarien added.
There are exceptions, though. The clearest case is the U.S. Cyber Command, part of the U.S. military, which took down the Internet Research Agency based in St. Petersburg in 2018 to prevent it from spreading misinformation about the mid-term election, officials previously told the New York Times.
One main reason for the current caution about using cyberweapons against Russia, and for Russian caution about targeting NATO countries, is that it could also draw the alliance into an armed conflict with Moscow.
“It’s not wise to go down the route of escalation,” said Groothuis, the member of the European Parliament. “Some member states may have good [cyber] offensive skills, but we also have a vulnerable digital infrastructure so you don’t want tit-for-tat escalation in that domain.”
What’s worrying officials in Europe and the NATO alliance is that an accidental escalation of cyber threats could hit a NATO country harder than intended — causing a “spillover” of Russia’s cyber aggressions against Ukraine into Europe.
Such spillover happened in 2017, when Russia’s military intelligence service spread malware called NotPetya on Ukrainian networks; it quickly led to a global outbreak of the malware that is still considered the most devastating cyberattack in history.
In recent days, cybersecurity firm Symantec reported on new malware that was targeted at Ukrainian government services but had also spread to computers in Lithuania. The reports echoed concerns expressed by lawmakers earlier this week that the Baltics could become a new cybersecurity front line as tensions with Russia grow.
A collateral strike or accidental spillover could even trigger the defense alliance’s Article 5 on collective defense and prompt its members to launch a military operation to come to each other’s defense.
U.S. Senate intelligence chair Mark Warner (D-Virginia) pointed to the lack of an international agreement, like the Geneva Convention, to outline the rules of cyber warfare.
“The one that I am most immediately concerned about is a cyberattack against Ukraine that bleeds into Poland or Romania or the Baltics and causes death, but it’s inadvertent because clearly the attack was focused on Ukraine,” Warner said.