21 June 2021

Will Putin's Hackers Launch a Cyber Pearl Harbor—and a Shooting War?

TOM O'CONNOR, NAVEED JAMALI AND FRED GUTERL

Joe Biden took office in January in the wake of the SolarWinds attack, an unprecedented and potentially disastrous penetration of U.S. government computer systems by hackers believed to be directed by Russia's foreign intelligence service, the SVR. The new American president promised to shore up the nation's cyber defenses against foreign foes. As if on cue, hackers struck with two major ransomware attacks, shutting down the Colonial Pipeline, which carries about 100 million gallons of gasoline, diesel and jet fuel a day to the southeastern U.S., and halting beef processing at all U.S. plants of the world's biggest meat producer, Brazil-based JBS. The events underscored the immense vulnerability of a trillion-dollar, internet-based economy for which security is an afterthought.

Most Americans seem to assume that a cyber attack, even by an avowed adversary like Russia or Iran, would be answered in kind—that the U.S. would cause an annoying power outage or a brief internet failure. But experts and former intelligence and cyber-security officials tell Newsweek that hackers linked to Russia have launched cyber attacks on the U.S. that have come frighteningly close to the red line: a digital incursion that would prompt a deadly real-life response.

As the U.S. continues to prove vulnerable to ransomware attacks from shadowy groups believed to be operating out of Russia or other former Soviet bloc countries, those with experience in advising the White House on challenges from the region urge Biden to take the opportunity to send a message.

"What I want is for Biden to very clearly explain what the risk is to Vladimir Putin, that we are not going to back down if we are attacked by Russia," says Evelyn Farkas, who served as deputy assistant secretary of defense for Russia, Ukraine and Eurasia, "and that we're going to be the ones that decide what a 'cyber Pearl Harbor' is, which means Russia doesn't control the escalation dynamic."

Game on: Russia's President Vladimir Putin and U.S. President Joe Biden meeting for the first time as presidents on June 16 in Geneva, Switzerland, where the recent escalation in cyber attacks was high on the agenda. SERGEI BOBYLEV/TASS/GETTY

At least Japanese leaders knew that bombing Pearl Harbor would inevitably provoke a military response. It's not clear that Russia or the cyber-militants operating within its borders have that awareness now. A shooting war between Russia and the U.S., avoided for more than seven decades, would leave only losers. But cyber warfare is so new that there's no agreed-upon, widely understood Rubicon of the kind the Cold War established for traditional weapons of mass destruction. (Think: Cuban Missile Crisis. After that near-catastrophe, the two sides played it safe.)

The lack of clarity—of a shared algorithm for escalation—is tinder that could easily turn into a deadly fire. In short, there's a growing danger of a response far more devastating than the temporary internet outage or compromised credit score or muddled train schedule that Americans might think would be the worst-case scenario.

Russian President Vladimir Putin doesn't directly run the hackers who've recently infiltrated high-level government networks and paralyzed critical infrastructure. U.S. intelligence believes the digital operatives behind those attacks work with the Russian president's blessing but stay at arm's length, the better to give Moscow plausible deniability. It's part of a familiar pattern: Russian-affiliated groups have long harassed U.S. companies and government agencies and, according to U.S. intelligence assessments, interfered in the 2016 election in Donald Trump's favor. The Biden administration has not directly accused the Kremlin of sponsoring these attacks but blames Russia for allowing such activity to continue.

The recent attacks seem to mark an intensification. They tend to be more focused on physical infrastructure like food, oil and gas pipelines, and hospitals, upon which Americans rely every day for their health and economic well-being. The trend has national security analysts worried. It's one thing to make Americans wait in line at the pump or to hit hospitals with ransom bills that drive up the cost of health care. It's something else entirely to cause real economic harm and even loss of life. And yet, hackers seem to be flirting with crossing what national security experts say is a "red line."

The disruption in fuel supply due to the ransomware attack on Colonial Pipeline last month left drivers across the southeastern U.S. struggling to find gasoline and diesel. MARK KAUZLARICH/BLOOMBERG/GETTY

The red line was high on the agenda in the June 16 talks between Biden and Putin. Biden handed the Russian president a list of no-go targets, which he described as 16 critical infrastructure sectors matching those the U.S. government formally designates, upon which a cyber attack presumably might be considered an act of war that demands retaliation. Although it's not clear exactly where that red line is, since the White House has not published the list or said what level of attack on those sectors would cross it, it's not hard to imagine how easy it would be for hackers acting with some degree of autonomy from Moscow, and not directly answerable to the consequences of their actions, to cross it. To take one example, it's become a truism in cyber-security circles that hackers working with the backing of the likes of Russia and China may have the ability to shut down a large swath of the U.S. electrical grid, a prolonged outage that could cost lives on a large scale.

In other words, the next big cyber attack could trigger a war with Russia, and not the virtual kind, but one involving troops, tanks, missiles, aircraft carriers and possibly nuclear weapons. "If a nation-state adversary were to set foot on our homeland and physically destroy our infrastructure, we would view this as an act of war," Brian Harrell, former Assistant Director for Infrastructure Security at the U.S. Cybersecurity and Infrastructure Security Agency (CISA), told Newsweek.

Russian-affiliated hackers have not crossed the red line yet, of course. But they've come close enough to keep national security experts wondering where the escalating trail of destruction might be heading, and how much control the Kremlin truly has over the hackers that do its bidding.

Drawing the Line

Although the situation may seem relatively calm on the surface, hackers are testing the limits nearly every day. In February, an attacker who has still not been publicly identified gained remote access to an operator workstation at the water treatment plant in Oldsmar, Florida, through the plant's remote-access software, and used the plant's control interface to raise the setpoint for sodium hydroxide, a highly caustic chemical also known as lye, from a safe 100 parts per million to a dangerous 11,100 ppm. An operator watching the screen noticed the change and immediately reversed it, before the altered setting could affect the water supply.
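The Oldsmar pattern above, a single write that takes a dosing setpoint from 100 ppm to 11,100 ppm, is the kind of event an operator should not have to catch by eye. The following added example (not code from Newsweek or from the Oldsmar plant) shows a minimal setpoint-write monitor of the sort a water utility could run against its HMI/PLC write log: it flags writes outside engineering bounds, writes that jump too far in one step, and records which came from a remote session. The tag name naoh_dose_ppm, the limits (50 to 200 ppm, at most 25 ppm per write), the event format and the sample events are all constructed for illustration; the only figures taken from the page are the 100 ppm baseline and the 11,100 ppm write.

```python
"""Setpoint-write monitor for an HMI/PLC write log (added illustrative example).

Limits, tag names and the event stream below are hypothetical; they are not
the Oldsmar plant's real engineering values.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SetpointWrite:
    ts: int        # seconds since epoch (constructed)
    tag: str       # PLC/HMI tag name (hypothetical)
    value: float   # requested setpoint
    source: str    # "local_console" or "remote_session"


@dataclass(frozen=True)
class Limit:
    lo: float        # lowest value an operator may legitimately set
    hi: float        # highest value (hard process/safety bound, assumed)
    max_step: float  # largest single-write change before alerting (assumed)


# Hypothetical engineering limits for the example only.
LIMITS: Dict[str, Limit] = {
    "naoh_dose_ppm": Limit(lo=50.0, hi=200.0, max_step=25.0),
}


def evaluate_writes(
    events: List[SetpointWrite], limits: Dict[str, Limit] = LIMITS
) -> Tuple[List[dict], Dict[str, float]]:
    """Walk writes in time order; return (alerts, last accepted value per tag).

    A write outside [lo, hi] or to an unconfigured tag is severity "block";
    a write that moves an in-bounds tag by more than max_step is "alert".
    Out-of-bounds writes never become the new baseline, so a later "walk back"
    toward the attacker's value is still measured against the last sane value.
    """
    alerts: List[dict] = []
    last_good: Dict[str, float] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        reasons: List[str] = []
        lim = limits.get(ev.tag)
        if lim is None:
            reasons.append("unknown_tag")
        else:
            if not (lim.lo <= ev.value <= lim.hi):
                reasons.append("out_of_bounds")
            prev = last_good.get(ev.tag)
            if prev is not None and abs(ev.value - prev) > lim.max_step:
                reasons.append("step_too_large")
        if reasons:
            severity = "block" if ("out_of_bounds" in reasons or "unknown_tag" in reasons) else "alert"
            alerts.append({
                "ts": ev.ts, "tag": ev.tag, "value": ev.value, "source": ev.source,
                "remote": ev.source == "remote_session",
                "reasons": reasons, "severity": severity,
            })
        if lim is not None and "out_of_bounds" not in reasons:
            last_good[ev.tag] = ev.value
    return alerts, last_good


# Constructed sample write log: normal operator adjustments, then a remote
# session that mirrors the Oldsmar jump (100 -> 11,100 ppm), then a smaller
# remote nudge, then a local correction.
SAMPLE_EVENTS: List[SetpointWrite] = [
    SetpointWrite(1000, "naoh_dose_ppm", 100.0, "local_console"),
    SetpointWrite(1100, "chlorine_dose_ppm", 2.0, "local_console"),  # tag with no configured limits
    SetpointWrite(1300, "naoh_dose_ppm", 110.0, "local_console"),
    SetpointWrite(1600, "naoh_dose_ppm", 11100.0, "remote_session"),
    SetpointWrite(1900, "naoh_dose_ppm", 150.0, "remote_session"),
    SetpointWrite(2200, "naoh_dose_ppm", 130.0, "local_console"),
]


def run_sample() -> Tuple[List[dict], Dict[str, float]]:
    """Evaluate the constructed log; used by the usage block and tests."""
    return evaluate_writes(SAMPLE_EVENTS)


if __name__ == "__main__":
    found, baseline = run_sample()
    for a in found:
        print(f"{a['severity']:5} ts={a['ts']} {a['tag']}={a['value']} "
              f"remote={a['remote']} reasons={','.join(a['reasons'])}")
    print("baseline:", baseline)
```

Two design points matter more than the thresholds. First, a rejected write must not become the new baseline, otherwise an attacker can step the value up in increments each just under max_step. Second, this is detection, not enforcement: the hard bound belongs in the PLC logic or a safety instrumented system, where a compromised HMI workstation cannot override it, and the monitor exists to alert and to produce a record of who wrote what from where.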

"The cyber red line—I think everybody is fairly clear on this—is loss of life," William Hurd, a former CIA clandestine officer who served in Congress as a Texas representative from 2015 to this January, told Newsweek. He said the incident in Florida could have elicited a "kinetic response"—in other words, military action—had U.S. lives been lost.

Conflicts are playing out with increasing velocity and viciousness inside some of the country's energy, water, banking and other essential infrastructure. The vast majority of such incidents are never publicized, cyber experts say. Private companies, which are notoriously reluctant to fess up to having been hacked, own and operate more than 85 percent of critical infrastructure, according to Harrell.

"Our critical infrastructure sectors are the modern day battlefield and cyberspace is the great equalizer," he says. "Hacker groups can essentially attack with little individual attribution and virtually no consequence. I anticipate more attacks focused on energy, water, and financial services happening in the future."

In 2018, Congress created CISA within the Department of Homeland Security, with legislation signed by President Trump. But even the government's cyber defenders are hampered by a lack of information. Private operators are reluctant to report transgressions and often quietly pay ransom to get their systems back online with as little fuss, and publicity, as possible.

It's not entirely clear what an appropriate response to a cyber attack that crosses the red line would be. "It's ones and zeros and malware versus one-megaton warheads on Titans and on B-1s. How do you make that comparison so you can decide on proportional responses?" says Doug Wise, who served in the CIA as a member of the Senior Intelligence Service and was deputy director of the Defense Intelligence Agency. "That's the beauty of these cyber attacks, because we struggle at trying to compare the attack mechanism to the kinetic attack mechanism, particularly, strategic to strategic."

And then there's the question of whom to retaliate against. Although intelligence experts are pretty skilled at tracing the digital footprints of an attack to its source, the evidence is almost always highly technical and far less persuasive to military allies and the general public than, say, that of a bombing raid or an invading army. Any decision to retaliate risks looking to all the world like an unprovoked aggression. The Russians are skilled at confusing attribution, making it difficult to justify a proportional response, let alone an escalation.

The attribution problem complicates the question of where to draw the line. Some experts think it would make retaliation more difficult than it would be for a conventional strike. "It would take a significant cyber attack against the aviation infrastructure, power infrastructure, water distribution, and the transportation infrastructure," Wise said. "I think it would take probably two to three simultaneous attacks against these targets, along with clear attribution. The attribution issue is always the stumbling block."

Cyber Diplomacy

Still, it's a mistake to assume that the difficulty of attributing a cyber attack is insurance against a hasty retaliation. The element of uncertainty that the attribution problem adds to international affairs could also be destabilizing. Just as it's difficult to attribute an attack to an aggressor, it's also easy to mistakenly attribute an attack to an adversary—particularly one that, like Russia, is a constant thorn in the side of the U.S., and from which Americans are primed to expect aggression.

Given the heightened tensions between the U.S. and Russia, it's not far-fetched to think that a third party could launch a cyber attack against the U.S. and make it look like it came from Russia. Even if U.S. intelligence officials were smart enough to suss out such a ruse, the mere appearance of aggression could provide a convenient pretext for war. After all, Iraq had nothing to do with the 9/11 attacks in 2001, but that didn't stop the George W. Bush administration from using them as justification for its disastrous invasion of Iraq in 2003.

Massive military strikes that start wars are baked into the American psyche. Japanese planes bombing the U.S. military base at Pearl Harbor in Hawaii on December 7, 1941, precipitated the U.S. entry into the Second World War. Hijacked passenger planes crashing into the World Trade Center towers and the Pentagon on September 11, 2001, triggered a U.S. invasion of Afghanistan that is only now ending. The 1962 Cuban Missile Crisis established a precedent for brinksmanship between the U.S. and Russia. "We almost went to nuclear war," as Raj Shah, chairman of the cybersecurity insurance firm Resilience, told Newsweek.

The Cuban Missile Crisis brought the U.S. and the Soviet Union to the brink of war (here, a meeting of the United Nations Security Council during the crisis in 1962); could recent cyber attacks do the same, or worse? BETTMANN/GETTY

The prospect of cyber attacks leading to a full-scale war is commonly accepted in diplomatic circles. NATO members, in a joint June 14 statement, agreed that "the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack." The statement also said that NATO would intensify its focus in the cyber realm, including "sharing concerns about malicious cyber activities, and exchanging national approaches and responses, as well as considering possible collective responses."

"If necessary, we will impose costs on those who harm us," the statement added. "Our response need not be restricted to the cyber domain."

The alliance also reaffirmed, as it first did at its 2014 Wales summit, that a cyber attack could trigger Article 5, NATO's collective-defense clause, placing such attacks on a par with conventional military operations: "We reaffirm that a decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis."

U.S. President Joe Biden and other NATO heads of state and government pose for a family photo during the NATO summit at the Alliance's headquarters in Brussels, Belgium, on June 14, 2021. KEVIN LAMARQUE/AFP/GETTY

The prospect of a "physical" attack in response to cyberattacks already has a real-life precedent. The U.S. targeted the cyber capabilities of the Islamic State militant group (ISIS) with an August 2015 airstrike that killed jihadi hacker Junaid Hussain in the de facto caliphate capital of Raqqa, Syria.

One of the first publicly acknowledged examples of an immediate, kinetic reaction came nearly four years later elsewhere in the Middle East. In May 2019, the Israel Defense Forces reported that they "thwarted an attempted Hamas cyber offensive against Israeli targets" by conducting an airstrike on an alleged headquarters in the Palestinian-controlled Gaza Strip. Israeli forces similarly targeted Hamas cyber stations during last month's 11-day confrontation with Hamas and allied Palestinian factions in Gaza. Although the fallout from both operations remained relatively contained, how such a response would play out on the state-versus-state level remains uncertain.

Playing Defense

The U.S. and its allies are already taking steps to head off cyber attacks from Russian-affiliated groups. The U.S. Cyber Command is collaborating with allies to pool insights and intelligence on the activities of Russia and other cyber-adversaries in what a spokesperson called hunt-forward operations. "These operations are one part of our 'defend forward' strategy—where we see what our adversaries are doing, and share with our partners in the homeland to bolster defense," the spokesperson told Newsweek.

In one such mission targeting Russia's alleged cyber activities, U.S. forces "discovered and disclosed new malware associated with the SolarWinds incident, and then provided key mitigation of the malware, attributed to Russia's Foreign Intelligence Service," the U.S. Cyber Command spokesperson said. The command shares much of what it learns with federal agencies and private companies in an effort to prevent successful attacks.

SolarWinds CEO Sudhakar Ramakrishna (center), along with FireEye CEO Kevin Mandia (left) and Microsoft President Brad Smith, talk with each other before the start of a Senate Intelligence Committee hearing on February 23, 2021, in Washington, DC. DREW ANGERER/POOL/AFP/GETTY

Biden has alluded to retaliation against Russia for cyber attacks, but the U.S. is mum on what steps it is taking. In keeping with the NATO communiqué's statement that responses need not be restricted to the cyber domain, the Biden administration has said it is weighing a range of options in response to major cyberattacks.

"The way that I've consistently characterized our response when it came to SolarWinds and to other cyberattacks of that scope and scale is that we are prepared to take responsive actions that are seen and unseen," White House national security adviser Jake Sullivan told reporters on Sunday, "and I'll leave it at that."

Even these vague statements have raised concern among Russian officials. "What people can be afraid of in America," Putin told NBC News, "the very same thing can be a danger to us. The U.S. is a high-tech country, NATO has declared cyberspace an area of combat. That means they are planning something; they are preparing something, so, obviously, this cannot but worry us."

Speaking of cyberattacks, U.S. National Security Adviser Jake Sullivan recently said, "We are prepared to take responsive actions that are seen and unseen." SAUL LOEB/AFP/GETTY

After the summit, Putin asserted that the "majority" of cyber attacks originated from the U.S. and its allies.

Avoiding Unintended War

One reason cyber-security was on the agenda for Biden and Putin is to avoid an unintended war. Both the U.S. and Russia have asserted their right to wage cyber operations offensively and defensively. Without international agreements in place, it's not clear what behavior is acceptable and what isn't.

"We can't allow this to continue to escalate," says Shawn Henry, president and chief security officer of cybersecurity company CrowdStrike. "It's the exact reason we had nuclear arms talks, because we realize things couldn't continue to escalate, they couldn't spiral out of control. We couldn't worry about an adversary launching a weapon mistakenly because we know what the response would be."

Henry, a former FBI executive assistant director, says the dialogue is overdue. "It takes us back to that exact point in the conversation where nation-states need to sit down and define what the red lines are and what the responses are going to be, so there is no misunderstanding."

Prospects for a Treaty

Judging from his rhetoric, Putin seems amenable to an agreement to rein in cyber warfare. In September 2020, he asserted that "one of today's major strategic challenges is the risk of a large-scale confrontation in the digital field," as conveyed to Newsweek by the Russian embassy in Washington.

Putin wants to establish high-level communication between Washington and Moscow on "international information security," using existing channels such as the two countries' nuclear risk reduction centers and their national computer emergency response teams. He is also in favor of establishing new rules along the lines of the 1972 U.S.-Soviet agreement on avoiding incidents at sea, plus mutual "guarantees of non-intervention into internal affairs of each other."

In a reference to the nuclear weapons that dominated the Cold War discourse on arms control, Putin is also seeking a global agreement on "no-first-strike" rules regarding cyber attacks against communications systems, the embassy said.

A group of cyber soldiers work together to defend their network during a training exercise in the art of cybersecurity design and maintenance at Camp Williams in Utah. U.S. ARMY RESERVE/SGT. STEPHANIE RAMIREZ

Sullivan told reporters that nuclear talks remained the "starting point" for bilateral discussions with Russia on cyber: "Whether additional elements get added to strategic stability talks in the realm of space or cyber or other areas, that's something to be determined as we go forward." Indeed, the joint statement on "strategic stability" released by both sides after the meeting stuck strictly to nuclear arms, with no references to cyber weapons.

Still, the talks made some progress on cyber warfare. While the Biden administration has drawn no direct link between the recent ransomware assault and the Kremlin, U.S. officials have called on Russia to hold hackers within its borders accountable for any attacks that originate there. Putin said during an interview with the Rossiya-1 outlet that he would agree to the extradition of those arrested in Russia if the U.S. does the same; Biden has vowed to reciprocate in the event such attacks were launched from U.S. soil.

In some ways, the Biden-Putin summit sends a signal that cyber warfare has taken its place alongside other military technologies as an accepted part of a nation's arsenal—and one that requires international agreements to keep in check. It also underscores the crucial importance of information technology to national defense.

"Domains of competition, it's not strictly military anymore," says Mike Madsen, director of strategic engagement for the Pentagon's Defense Innovation Unit. "It's economic, it's social, it's all these different things. We talked about air superiority and air supremacy, and there's a day when there's going to be concepts of cyber superiority and cyber supremacy in a domain of competition."

"In this era of Great Power competition," he says, "the technology race is the most important front."
