INVASION OF UKRAINE COULD INCLUDE CYBERATTACKS ELSEWHERE
UC San Diego expert discusses possible fallout of Russian military action
Russia is conducting military exercises in Belarus that might be a prelude to an invasion of Ukraine that would involve not only conventional forces but a massive cyberattack, altering the very nature of war.
Analysts say the digital assault could, for starters, knock out much of Ukraine’s power grid. The attack also could spread to other parts of Europe and to the U.S., potentially affecting everything from power plants and Internet service to air travel.
CNN reported that the Department of Homeland Security has told U.S. businesses and government bodies to prepare for the possibility that Russia will directly target the U.S. during a secondary assault.
The Union-Tribune discussed the situation with Peter Cowhey, emeritus dean of the School of Global Policy and Strategy at UC San Diego. Cowhey is a noted cybersecurity expert who advised the Clinton and Obama administrations on international digital technologies. He also is a member of the Council on Foreign Relations, a nonpartisan think tank.
Q:
We know what conventional
warfare looks like. Can you helps us visualize what might happen if Russia combines an invasion with a huge cyberattack?
A:
We saw this earlier, with Russia’s 2015 annexation of a piece of eastern Ukraine. There was a short blackout of the electric grid. It’s commonly believed that
Russia was the source.
Today, Russia may hope that the disruption of the grid, along with some other actions, would produce enough internal chaos to give them the pretext to go in to help restore order, or to help protect Russian citizens in the Ukraine.
The U.S. has tried to pre-empt this in two ways. One has been to call Russia’s plays in advance to the world — “Watch Russia, in this phase, may do this.” This advance warning tells Putin that our intelligence can prove Russia did it, not some mysterious rogue actor.
The U.S. also has sent technical aid to Ukraine in an attempt to help make their grid more secure. Now, here’s a fact of life: there’s no electric grid in the world that’s secure. What we can do is reduce certain areas of high risk and help Ukraine restore the grid faster.
Q:
If Ukraine’s power grid goes
down, does that mean Internet service would go down and that food distribution would be affected?
A:
It’s not just the electric grids
that are vulnerable. All modern infrastructure is vulnerable. This could affect communications because the batteries in radio towers and cellphones would eventually run down.
That said, there is some redundancy in power for certain emergency communications. And the networks are designed around the Internet protocols. So it is easier to restore at least partial service quickly, compared to the electric grid.
An attack on the food supply would primarily be a supply-chain problem. There is the secondary issue of whether it would lead to attacks on fertilizer plants. And water infrastructure is more vulnerable, on average, than electric grids simply because we’ve spent less time and money around the world to modernize water systems. Q:
Could a cyberattack against Ukraine spread to other parts of Europe and perhaps to the United States? A:
There’s no guarantee for anybody in these circumstances. But there’s probably not a high risk of a major, sustained attack in western Europe. You could have a limited taste of disruption; the grid goes down in parts of Germany for a few hours or, more likely, Poland or Romania. It’s something Russia would deny, but it would have signaled that things could get worse. The message is, “Maybe you should be more conciliatory when it comes to Russia’s diplomatic demands.”
If there’s a bigger attack and we’ve identified who is responsible, we (U.S.) can counter it. We could make the Russian grid equally erratic. We have those capabilities, so reciprocity is something the Russians have to think about. For that matter, the Brits could carry out reciprocity as well.
Q:
Can you describe how robust American reciprocity might be? The public here doesn’t know much about our capabilities. They’re mostly secret.
A:
Although those are closely held secrets, I believe that most of us who are familiar with cybersecurity matters believe that the U.S. has substantial access to the Russian infrastructure. And the U.S. military doctrine governing cyber has gone from being solely defensive to the idea of forward engagement as an active tool.
Cyber is a two-edged sword from the viewpoint of military risk. It is ubiquitous and you can’t really stop it with 100 percent certainty. That’s bad.
On the other hand, unlike having a Russian tank cross the border into Poland, which is an overt act of war that is very clear cut and dramatic, a lot of cyber is in the gray zone. And the gray zone means that there’s more room for the diplomats to sort of work around it, push around it, try to limit it and pull it back.
There’s a feeling that cyber, if it’s used as a signaling device for limited disruption, can make its point without necessarily getting you into an all-out conflict. And that has some saving grace. It’s not a good situation, but it’s better than some of the alternatives
Q:
Let’s talk about San Diego for a moment. CNN says that the Department of Homeland Security has notified many governments in the United States and a lot of corporations to be prepared for the potential of some type of cyberattack directly from Russia. I’m trying to explain what that might mean to the person on the street in San Diego. What do you think?
A:
All forms of our infrastructure are potentially subject to cyberattack. The best thing we have going for us in San Diego is that we’re not on the East Coast. The East Coast commands a higher level of political and media attention, therefore making it a more tempting target for Russia. That said, imagine two scenarios for disrupting the electric grid.
The electric grid components most vulnerable to Russian disruption would be substations and the local distribution networks for electricity. There is a lot of old equipment that is ripe for mischief even though we are working on improved security. The impact would be something like that of a really major local storm or wildfire that harmed grid facilities.
A more serious disruption would be an attack on the regional transmission grid that links all the states of the western United States. This grid has better protections but Russia could conceivably cause a blackout that covered a large part of the West Coast that lasted several days. That would be a costly mess with damage in the billions with disruptions something like a good-sized hurricane’s harms.
You also can imagine communications networks being disrupted.
Q:
The American public is exhausted and exasperated after two years of pandemic. What will the effect be on our psyche, as we’re coming out of this, if there’s a cyberattack?
A:
People are frustrated and weary. I worry that a major cyberattack will feed a type of anger that wants radical action to fix the problem, such as a major confrontation with Russia. The problem is that there is no quick fix for cyber risks. Under some circumstances, we may want to take cyber action against Russia. But it needs to be measured because cyber conflict can become a Pandora’s box that is not easily closed. Our best strategy is to make our infrastructure more secure and more resilient because that lowers the rewards for bad conduct in the long term.