Russia's Invasion of Ukraine Triggers Resiliency RemindersWith What Happens Next Unclear, Cybersecurity Experts Say: Be Ready for Anything
As the invasion of Ukraine ordered by Russian President Vladimir Putin continues, what will happen next remains unclear. Accordingly, cybersecurity experts are again calling on organizations globally to focus on what they can control, including their cybersecurity defenses and business resiliency preparedness.
"This is the beginning of a Russian invasion of Ukraine," President Joe Biden said on Tuesday. He warned that Putin is "setting up a rationale to take more territory by force … he's setting up a rationale to go much further."
"As we impose sanctions ... there could be blowback."
British Prime Minister Boris Johnson said Russia's "renewed invasion" this week was designed to give it a "pretext for a full-scale offensive."
As war comes to Europe, Biden announced Tuesday that together with allies, the U.S. would be imposing an escalating series of sanctions, not against Putin, but "on Russia's elites and their family members."
On Wednesday, the EU unveiled proposals to go much further, including sanctions against Russia's defense minister, among others. EU foreign ministers might even sanction all 351 members of the Russian state Duma, after the lawmakers greenlighted Putin's troop deployment by recognizing as independent republics the Russian-controlled areas of Donetsk and Luhansk, the Guardian reported.
But such moves won't arrest the conflict, tweets Dmitri Alperovitch, chairman of the Silverado Policy Accelerator and the former CTO of cybersecurity firm CrowdStrike.
"No amount of sanctions will deter a Russian invasion of Ukraine," he says. "They will have only a purely punitive effect."
What's Happens Next?
What will Putin's next moves be? That remains impossible to predict.
"I'm hoping diplomacy is still available," Biden said Tuesday.
But given the uncertainty, cybersecurity experts have been urging the private sector to be prepared. One concern remains that cyberattacks in Ukraine could cause collateral damage globally, as previous online attacks launched by Russian have done, especially with the NotPetya wiper malware campaign in 2017 (see: Cyberattack Spillover From Ukraine: Be Prepared, UK Warns).
In recent weeks, Russia has targeted Ukraine's government with disinformation campaigns, distributed denial-of-service attacks and some wiper malware attacks of very limited impact. Whether these efforts were meant to cause mass disruption isn't clear. But the Kremlin's information warfare playbook has long included using online attacks to sow chaos and confusion and to target Ukrainian morale.
At least as of Tuesday evening, there were "no current, pending" Russian cybersecurity threats, said White House press secretary Jen Psaki (see: EU Activates Cyber Rapid Response Team Amid Ukraine Crisis).
Whether Russia might retaliate with direct cyberattacks in response to current and future sanctions imposed by the West remains to be seen, says Rep. Jim Langevin, D-R.I.
"We have to be realistic and understand that as we impose sanctions - we take actions - there could be blowback here," Langevin, who's a senior member of the House Armed Services Committee, said at a Tuesday virtual event hosted by The Wall Street Journal.
For countering such blowback, "private companies also have a role to play," he added, emphasizing the need for all businesses to review their backup and recovery procedures, enable multifactor authentication wherever possible and keep everything patched and updated, the Journal reported.
What Is Kremlin's Goal?
But is it likely that Moscow would order retaliatory attacks on the West, either directly via its military and intelligence agencies, or by using cybercriminals or allies as cut-outs?
Ciaran Martin, who ran Britain's National Cyber Security Center from its launch in 2014 until 2020, says the choice of approach depends on whether the Kremlin wants to draw the West into the conflict. If not, "then launching an unprecedented and obvious cyberattack against the West - and it would be obvious - would be a strange thing to do."
None of this is to downplay the horror of this crisis, nor the importance of the cyber dimension within it. But realism helps us prepare better. In the west, caution and preparation without panic is the right cyber security posture 26/END.— Ciaran Martin (@ciaranmartinoxf) February 22, 2022
Instead, Moscow may well continue with "an intensified version of the status quo," featuring "reckless attacks spilling over to the West, criminals as proxies," and "state cyber harassment operations," says Martin, who's now a professor of practice at the University of Oxford's Blavatnik School of Government (see: Ransomware, Response Dominate Irish Cybercrime Conference).
If Russia limits its military ambitions to annexing Donetsk and Luhansk, this might be accomplished in only about two months, Alperovitch says. "With such overwhelming ground, air and naval force, assisted by on-the-ground operations by GRU and FSB (and cyber intel collection), the Russians could neutralize all major organized resistance in the east within 60 days," he says, referring to Russia's GRU foreign intelligence agency as well as its Federal Security Service, or FSB.
Mandate: 'Prepare and Protect'
Hence the need for organizations to keep a clear head and do what they can to "prepare and protect" themselves, as Western cybersecurity agencies such as the U.S. Cybersecurity and Infrastructure Security Agency - via its Shields Up advice - as well as Britain's NCSC are calling on businesses to do. "Following Russia's further violation of Ukraine's territorial integrity, the NCSC has called on organizations in the U.K. to bolster their online defenses," it says.
A reading of Russia's previous cybersecurity tactics suggests what might happen next, says Chester Wisniewski, principal research scientist at cybersecurity firm Sophos.
"False flags, misattribution, disrupted communications and social media manipulation are all key components of Russia's information warfare playbook," he says. "They don't need to create a permanent cover for activities on the ground and elsewhere; they simply need to cause enough delay, confusion and contradiction to enable other simultaneous operations to accomplish their objectives."
These other operations may not even be tied directly to Ukraine. The SolarWinds supply chain attack that came to light in December 2020, which has been attributed to Russia's Foreign Intelligence Service, ran for more than a year before being discovered.
"We must keep our nose to the ground, batten down the hatches and monitor for anything unusual on our networks as the conflict cycles ebb and flow," or even if they suddenly curtail, Wisniewski says. "Because as we all know, it could take months for evidence of digital intrusions due to this Russian-Ukrainian conflict to surface."