18 October 2022

Putin’s Next Strike may not be Nuclear

GREGORY SIMS

OPINION — In a performance worthy of Joseph Goebbels, Vladimir Putin’s announcement of the formal annexation of occupied portions of eastern Ukraine – along with his earlier speech on the mobilization of Russian military manpower – accused Western governments of “open Satanism” and of being out to plunder Russia. He also accused what he refers to as “Ukraine’s neo-Nazi” regime of murdering and torturing its own people and, without elaborating, accused the West of conducting “nuclear blackmail” against Russia. He is pledging to use all means at his disposal in response.

Many people interpreted his last statement as a veiled threat to use nuclear weapons if the West persists in supporting Ukraine. This, understandably, has garnered a considerable amount of attention and anxiety.

If Putin decides to take off the gloves in engaging the West, however, he is far more likely to unleash as-yet-unplayed non-nuclear options before crossing the nuclear threshold – namely strategic cyber and infrastructure attacks. The recent sabotage of the Nord Stream 1 seabed gas pipeline could be just a taste of things to come.

Although Russia’s nuclear arsenal gets most of the attention, Russia has also developed other offensive capabilities that could generate debilitating strategic-level military, economic, and societal effects in the West, including the United States. One is Russia’s robust program for attacking seabed infrastructure, including undersea communications cables, which carry 99% of all international data and voice traffic and approximately $10 trillion in financial transactions daily. Of most immediate concern, however, are Russia’s offensive cyber capabilities, which could be used with greater agility, cheaply, and with greater deniability from the safety of Russian soil.

Make no mistake, despite its underwhelming military performance in Ukraine, Russia remains a formidable cyber power capable of sophisticated operations using extensive state and state-sponsored resources, including cyber criminal groups.

The US Cybersecurity and Infrastructure Security Agency (CISA) released an advisory on this threat back in April, but the force of its message may have dissipated in the months that followed. It would be wise to re-familiarize ourselves with it.

Panic is the most destructive element of cyber and critical infrastructure attacks because they are, first and foremost, manifestations of psychological warfare intended to break morale and implode societies. In the event of a no-holds-barred Russian cyberattack, or attacks on critical infrastructure using kinetic sabotage, we likely will not be able to avoid substantial economic and even human losses. Due to its scale alone, such an attack would certainly change how we measure such events in money and lives.

Thinking seriously about it beforehand and taking prudent precautions, however, will blunt the psychological blow and allow us to more quickly transition from shock to recovery and response. To that end, the following are some tips to prepare for such a turn of events.

The best way to prepare for a cyber war is to imagine how it would play out and use that to form your plan. So, how would a Russian cyber offensive look?

It would likely begin stealthily to avoid prematurely triggering defensive responses. During this initial phase, it would target low-hanging fruit across sectors. Some targets would receive special attention, however, like software companies, financial services, public power, media, and defense contractors. Compromising them would allow the attackers to spread attack effects to the customers and clients of infected victims.

Most of these early attacks would likely not originate from the Russian government but from government-connected black hat hacking groups. We would also see an increase in business email compromise (BEC) attacks and ransomware incidents during this first stage. The second, more intense phase would see exotic zero-day exploits unleashed. By then, it will be too late to start building your defenses, and you will wish you had hardened your enterprise earlier.

Attacks will target three critical dimensions of your cybersecurity: Your perimeter, your websites, and your people. How to prepare? Start by asking questions and uncovering your own cyber dirty laundry before the Russians do.

Your Perimeter

Do you know what your company has exposed to the internet? Are you sure? Do you have things exposed to the internet that do not need to be? When was the last time you validated your assumptions? Do you know what software is running on those systems? Do you know if any of that software is outdated or poses vulnerabilities to your organization? Are you patching these systems and keeping them up to date? Do you have a strict set of mandatory guidelines that you enforce on all internet-facing systems?

Your Websites

Have your developers been trained on secure development practices? If so, have they been trained on the leading vulnerabilities caused by insecure development? Have you defined the security standards for all web applications? Do you perform regular security testing against your web applications? Do you re-test after pushing significant updates that impact core functionality?

Your People

Have your people been trained to recognize social engineering methods, such as phishing, spear phishing, vishing, and smishing, which are typically the starting point for most breaches? Have they been effectively trained or “box-check” trained? If your personnel think they’ve identified a suspected phishing message or have mistakenly clicked on one, are you confident they know what to do?

Russia is a capable cyber adversary, and things are heating up fast. While we cannot dismiss the possibility that Russia will resort to nuclear weapons, we are far more likely to see cyber and infrastructure attacks before reaching that point.

The recent sabotage against communications cables used by the German railway network and cyber attacks against Lloyd’s of London and US airports may be indications it has already begun.

Any full-scale cyber war that would follow will be won or lost in the preparation. Although much of the malware Russia would use in an all-out cyber war is likely already in place, if you’ve hardened your systems and your personnel and limited what’s on your perimeter, you still have a good chance of protecting yourself and mitigating the shock.

Look no further than the Ukrainians as an example of resilience in the face of unimaginable adversity. Forewarned is forearmed.
