Daniel Carr, head of cyber at Ariel Re, examines the threat level for cyber-attacks on businesses and governments from Russia as the conflict in Ukraine continues and warns companies have to be alert.
The harrowing events in Ukraine have resulted in significant speculation and uncertainty around Russia, the mindset of its leadership, and the possibility it may launch destructive cyberattacks on the West. No one can be certain of an adversary’s plans or objectives, but their moves can be analysed within a wider context.
Russia is an advanced nation when it comes to cyber capabilities and its ability to use them in support of its broader aims. There have been significant cyber campaigns in Ukraine over several years, commonly understood to be conducted by or in close association with the Russian state. These have not only been disinformation campaigns aimed at undermining the regime but have also had more destructive effects. In December 2017, an attack on the Ukrainian energy grid in Kiev resulted in a power outage lasting more than an hour. This not only demonstrated the ability to conduct such operations, but also a willingness to pursue more kinetic outcomes against another nation, which risks being interpreted under international law as a show of force. However, at the time, Ukraine did not possess the same cyber capability as the West (notably NATO) to respond to such attacks in kind.
Since around 2010, both Eastern and Western nations have pursued research and development in offensive cyber capabilities in the expectation they could form part of a wider arsenal in future warfare. Whilst this activity has continued, with many nations focusing on obtaining covert access to critical infrastructure around the world, the value of cyber as a warfare capability remains unclear.
When contemplating Russia’s likely actions against the West in response to events in Ukraine, all nations and businesses should remain on high alert. While Vladimir Putin’s mindset has been called into question in Western media, it must be noted that Russia has always used misinformation as a key component of its military and foreign policy. On learning of Russia’s invasion of Ukraine, the West responded by stating it would re-establish its own information warfare capabilities. Consequently, not everything seen in the public media should be taken as certain.
It is telling that Russia embarked upon this invasion as the world’s economies begin to exit the pandemic. As a result, many economies are seeing inflation rise markedly, requiring creative fiscal policy to stabilise markets. War is expensive – financially, socially, and politically. It could be argued that Putin’s timing is strategic, showing a willingness to withstand a hit to the Russian economy – as he has in past conflicts in Crimea and Georgia – at a time when sanctions will have a disproportionate effect on the wider world, as well as Russia.
It’s clear that events in Ukraine have not gone fully to plan for Russia. However, both the West and Russia have shown limited desire to engage in direct military conflict, which has the potential to significantly escalate global tensions. Such a conflict would not only threaten Russia’s chances of succeeding in Ukraine, but would also materially alter Russia’s engagement, requiring it to fight multiple adversaries on several fronts. This would likely be a distraction, and contrary to Russia’s immediate tactical objective of establishing a foothold in Ukraine.
Russia holds the capability to mount serious attacks on Western infrastructure. However, the West also has the ability to inflict serious damage to Russia’s infrastructure. Any technological infrastructure can be attacked and compromised. However, while feasible, the use of cyber will be balanced against its likely consequences and poses a number of questions to the aggressor.
Will a cyberattack be considered a show of force and draw other nations into a wider military conflict?
Is cyber the most effective and efficient means to achieve their objective(s)?
Will any attacks be met with a similar, or more destructive, response against Russia’s infrastructure?
The answers are not known, but Russia will be acutely aware of the West’s cyber capabilities – as demonstrated in the Stuxnet operation against Iran in 2010. Perversely, the events in Ukraine could result in reduced levels of state-backed cyber activity in the near term, as neither side wants to risk being misconstrued as the aggressor, resulting in not only a global cyber conflict, but a more complex and challenging conflict in Ukraine itself.
Global geopolitical tensions are at the worst levels since the Cold War, and events can develop rapidly. Insurers and their clients need to remain on high alert. Additional vigilance should be exercised to protect and secure infrastructure – especially by those operating in Critical National Infrastructure sectors. Businesses and insurers should work closely with the cyber security industry, especially threat intelligence firms monitoring the evolving landscape. Similarly, they should gain familiarity with national state bodies and reporting agencies who will be supplying additional information at this time – e.g. US Cybersecurity and Infrastructure Security Agency (CISA) and UK National Cyber Security Centre (NCSC) – especially around the threats of disinformation.
There is likely to be a heightened state of conflict around Ukraine for the foreseeable future. Whilst it may not be prudent for either the West or Russia to embark upon offensive cyber campaigns, if the West directly entered into a kinetic conflict in Ukraine, this could quickly spill over into a wider hybrid conflict. Launching destructive attacks at scale and simultaneously remains challenging for any nation, requiring significant human resource. Therefore, any attacks are more likely to be targeted against strategic assets as opposed to widespread destruction, but they still retain the potential to cause devastating consequences.