BOSTON — President Joe Biden couldn’t have been more blunt about the risks of cyberattacks spinning out of control. “If we end up in a war, a real shooting war with a major power, it’s going to be as a consequence of a cyber breach of great consequence,” he told his intelligence brain trust in July.
Now tensions are soaring over Ukraine with Western officials warning about the danger of Russia launching damaging cyberattacks against Ukraine’s NATO allies. While no one is suggesting that could lead to a full-blown war between nuclear-armed rivals, the risk of escalation is serious.
The danger is in the uncertainty about what crosses a digital red line. Cyberattacks, including those that cripple critical infrastructure with ransomware, have been on the rise for years and often go unpunished. It’s unclear how grave a malicious cyber operation by a state actor would have to be to cross the threshold to an act of war.
“The rules are fuzzy,” said Max Smeets, director of the European Cyber Conflict Research Initiative. “It’s not clear what is allowed, what isn’t allowed.”
The United States and other NATO members have threatened crippling sanctions against Russia if it sends troops into Ukraine. Less clear is whether such sanctions, whose secondary effects could also hurt Europe, would be imposed if Russia were to seriously damage Ukrainian critical infrastructure — power, telecommunications, finance, railways — with cyberattacks in lieu of invading.
And if the West were to respond harshly to Russian aggression, Moscow could retaliate against NATO nations in cyberspace with an intensity and on a scale previously unseen. A major cyberattack on U.S. targets would almost certainly unleash a muscular response. But what of lesser cyberattacks? Or if Russian President Vladimir Putin restricted them to a NATO member in Europe?
Under Article 5 of the organization’s treaty, an attack on any of its 30 members is considered an attack on all. But unclear is what it would take to unleash full-scale cyber retaliation. Or how bad an attack would have to be to trigger retaliation from NATO’s most potent cyber military forces, led by the U.S. and Britain.
Cyberspace is exceptionally unruly. No arms control treaties exist to put guard rails on state-backed hacking, which is often shielded by plausible deniability as it’s often difficult to quickly attribute cyberattacks and intelligence-gathering intrusions. The technology is cheap and criminals can act as proxies, further muddying attribution. Freelancers and hacktivists compound the problem.
In 2015, the major powers and others agreed on a set of 11 voluntary norms of international cyber behavior at the United Nations. But they are routinely ignored. Russia helped craft them only to knock Ukraine’s power grid offline that winter and set in motion its hack-and-leak operation to interfere in the 2016 U.S. presidential election.
Hacking is now a core component of great power conflict. In 2016, NATO formally designated cyberspace a “domain” of conflict, alongside land, sea and air.
Nowhere has the militarization of cyberspace been more clear than in Putin’s bid to return Ukraine to Moscow’s orbit.
To Serhii Demediuk, the No. 2 official on Ukraine’s National Security and Defense Council, a noisy cyberattack last month was “part of a full-scale Russian operation directed at destabilizing the situation in Ukraine, aimed at exploding our Euro-Atlantic integration and seizing power.”
The attack damaged servers at the State Emergency Service and at the Motor Transport Insurance Bureau with a malicious “wiper” cloaked as ransomware. The damage proved minimal, but a message posted simultaneously on dozens of defaced government websites said: “Be afraid and expect the worst.”
Such attacks are apt to continue as Putin tries to “degrade” and “delegitimize” trust in Ukrainian institutions, the cybersecurity firm CrowdStrike said in a blog on Russian military cyber wreckage in the former Soviet republic: Winter attacks on the power grid in 2015 and 2016 were followed by NotPetya, which exacted more than $10 billion in damage globally.
Michele Markoff, the U.S. State Department’s deputy coordinator for cyber issues, thinks “muscular diplomacy” is the only way to end such “immoral, unethical and destabilizing behavior.”
But how? Unlike nuclear arms, cyberweapons can’t easily be quantified, verified and limited in treaties. Nor are violators apt to be held accountable in the United Nations, not with Russia and China wielding veto power on its Security Council.
“We’ve wallowed kind of in a quagmire for years now on making transgressors accountable,” said Duncan Hollis, a Temple Law professor and former State Department legal adviser.
Members endorsed in May an update to the 2015 U.N. norm s that further delineates what should be out of bounds: including hospitals, energy, water and sanitation, education and financial services. That has hardly deterred Russian-speaking ransomware crooks, who are at the very least tolerated by the Kremlin. Nor have U.S. indictments of Russian and Chinese state hackers and the blacklisting of tech companies accused of aiding them helped much.
Under a new policy NATO adopted last year after U.S lobbying, an accumulation of lower-level cyberattacks — far below, say, blacking out the U.S. East Coast — could be enough to trigger Article 5. But NATO is vague on what a tipping point might be.
NATO’s doctrinal shift followed a pair of seismic cyberespionage shocks — the highly targeted 2020 SolarWinds supply chain hack by Russia that badly rattled Washington and the reckless March 2021 Microsoft Exchange hack attributed to Chinese state security that set off a criminal hacking free-for-all.
A cluster of wholesale data pilfering in the mid-2010s attributed to China — from the U.S. Office of Personnel Management, United Airlines, Marriott hotels and the health insurer Anthem — inflicted a deep national security wound. And U.S. officials have worried for more than a decade about rivals — Russia especially — quietly “pre-positioning” enough malware in U.S. critical infrastructure including the energy sector to cause considerable chaos in an armed conflict.
In response, U.S. Cyber Command developed a strategy in 2018 it calls “persistent engagement” to counter rivals who “operate continuously below the threshold of armed conflict to weaken institutions and gain strategic advantages.”
The aim: deny foes the chance to breach U.S. systems by operating “across the interconnected battlespace, globally, as close as possible to adversaries,” Cybercom commander Gen. Paul Nakasone wrote.
That has sometimes meant penetrating not just adversaries’ networks but also those of allies — without asking permission, said Smeets, the European cyber conflict analyst.
Disinformation campaigns have also muddied the definition of a “cyber threat.” No longer do they merely encompass malware like NotPetya or the the Stuxnet virus that wrecked Iranian nuclear centrifuges, an operation widely attributed to the U.S. and Israel and discovered in 2010.
During the 2018 U.S. midterm elections, Cybercom temporarily knocked offline a key Russian disinformation mill.
Most major powers have the equivalent of a U.S. Cyber Command for both offense and defense.
Also active are terrorists, criminals working as state proxies, begrudged freelancers and hacktivists like the Cyber Partisans of Belarus.
Hollis compares the current messy cyber moment to the early 19th century when U.S. and European navies were so small they often relied on privateers — we know them now as pirates— for high-seas dirty work.
The U.S. and other NATO partners are, meantime, helping Ukraine stand up a separate cyber military unit, said Demediuk, the Ukrainian security official. Since Russia seized Crimea in 2014, NATO has closely and systematically coordinating cyber actions with Ukraine, including joint missions, he said.
In November, Ukraine exposed an eight-year espionage operation by agents of Russia’s FSB in Crimea involving more than 5,000 attempted hacks. The main goal: to gain control over critical infrastructure, including power plants, heating and water supply systems, Ukraine’s state news agency said.
This month, Microsoft said the operation, dubbed Armageddon, persists with attempts to penetrate Ukraine’s military, judiciary and law enforcement. Microsoft detected no damage, but that doesn’t mean Russian cyber operators haven’t gained undetected footholds.
That’s where hackers hide until they are ready to pounce.