Newsweek

THE RISING RISK OF A CYBER PEARL HARBOR

Could a digital attack spark a real war with Russia?

- by Tom O’Connor, Naveed Jamali and Fred Guterl

Joe Biden took office in January in the wake of the SolarWinds attack, an unprecedented and potentially disastrous penetration of U.S. government computer systems by hackers believed to be directed by the Russian intelligence service, the SVR. The new American president promised to shore up the nation’s cyber defenses against foreign foes. As if on cue, hackers struck with two major ransomware attacks, closing the Colonial Pipeline, which provides about 100 million gallons of gas a day to the southeastern U.S., and halting production at all U.S. facilities of the world’s biggest beef producer, Brazil-based JBS. The events underscored the immense vulnerability of a trillion-dollar, internet-based economy for which security is an afterthought.

Most Americans seem to assume that a cyber attack, even by an avowed adversary like Russia or Iran, would be answered in kind—that the U.S. would cause an annoying power outage or a brief internet failure. But experts and former intelligence and cyber-security officials tell Newsweek that hackers linked to Russia have launched cyber attacks on the U.S. that have come frighteningly close to the red line: a digital incursion that would prompt a deadly real-life response.

As the U.S. continues to prove vulnerable to ransomware attacks from shadowy groups believed to be operating out of Russia or other former Soviet bloc countries, those with experience in advising the White House on challenges from the region urge Biden to take the opportunity to send a message.

“What I want is for Biden to very clearly explain what the risk is to Vladimir Putin, that we are not going to back down if we are attacked by Russia,” says Evelyn Farkas, who served as deputy assistant secretary of defense for Russia, Ukraine and Eurasia, “and that we’re going to be the ones that decide what a ‘cyber Pearl Harbor’ is, which means Russia doesn’t control the escalation dynamic.”

At least Japanese leaders knew that bombing Pearl Harbor would inevitably provoke a military response. It’s not clear that Russia or the cyber-militants operating within its borders have that awareness now. A shooting war between Russia and the U.S., avoided for more than a half-century, would leave only losers. But cyber warfare is so new that there’s no agreed-upon, widely understood Rubicon, as was established during the Cold War with the use of traditional weapons of mass destruction. (Think: Cuban Missile Crisis. After that near-catastrophe, the two sides have played it safe.)

The lack of clarity—of a shared algorithm for escalation—is tinder that could easily turn into a deadly fire. In short, there’s a growing danger of a response far more devastating than the temporary internet outage or compromised credit score or muddled train schedule that Americans might think would be the worst-case scenario.

Russian President Vladimir Putin doesn’t directly run the hackers who’ve recently infiltrated high-level government networks and paralyzed critical infrastructure. U.S. intelligence believes the digital operatives behind those attacks work with the Russian president’s blessing but stay at arm’s length—the better to give Moscow plausible deniability. It’s part of a familiar pattern: Russian-affiliated groups have long harassed U.S. companies and government agencies and even had a hand in swinging the 2016 election to Donald Trump. The Biden administration has not directly accused the Kremlin of sponsoring these attacks but blames the Russians for allowing such activity to continue.

The recent attacks seem to mark an intensification. They tend to be more focused on physical infrastructure like food, oil and gas pipelines, and hospitals, upon which Americans rely every day for their health and economic well-being. The trend has national security analysts worried. It’s one thing to make Americans wait in line at the pump or to hit hospitals with ransom bills that drive up the cost of health care. It’s something else entirely to cause real economic harm and even loss of life. And yet, hackers seem to be flirting with crossing what national security experts say is a “red line.”

The red line was high on the agenda in the June 16 talks between Biden and Putin. Biden handed the Russian president a list of no-go targets upon which a cyber attack presumably might be considered an act of war that demands retaliation. Although it’s not clear where that red line is—the White House has not released the list—it’s not hard to imagine how easy it would be for hackers acting with some degree of autonomy from Moscow, and not directly answerable to the consequences of their actions, to cross it. To take one example, it’s become a truism in cyber-security circles that hackers working with the backing of the likes of Russia and China may have the ability to cause a shutdown of a large swath of the U.S. electrical grid, which could kill millions.

In other words, the next big cyber attack could trigger a war with Russia, and not the virtual kind, but one involving troops, tanks, missiles, aircraft carriers and possibly nuclear weapons. “If a nation-state adversary were to set foot on our homeland and physically destroy our infrastructure, we would view this as an act of war,” Brian Harrell, former Assistant Director for Infrastructure Security at the U.S. Cybersecurity and Infrastructure Security Agency (CISA), told Newsweek.

Russian-affiliated hackers have not crossed the red line yet, of course. But they’ve come close enough to keep national security experts wondering where the escalating trail of destruction might be heading, and how much control the Kremlin truly has over the hackers that do its bidding.

Drawing the Line

Although the situation may seem relatively calm on the surface, hackers are testing the limits nearly every day. In February, a still-undisclosed group of hackers managed to take control of a water treatment center in Oldsmar, Florida. It increased levels of sodium hydroxide, a highly caustic chemical also known as lye, from a safe 100 parts per million to a dangerous 11,100 ppm. Operators noticed the change and acted quickly to lower the levels before any damage was done.

“The cyber red line—I think everybody is fairly clear on this—is loss of life,” William Hurd, a former CIA clandestine officer who served in Congress as a Texas representative from 2015 to this January, told Newsweek. He said the incident in Florida could have elicited a “kinetic response”—in other words, military action—had U.S. lives been lost.

Conflicts are playing out with increasing velocity and viciousness inside some of the country’s energy, water, banking and other essential infrastructure. The vast majority of such incidents are never publicized, cyber experts say. Private companies, which are notoriously reluctant to fess up to having been hacked, own and operate more than 85 percent of critical infrastructure, according to Harrell.

“Our critical infrastructure sectors are the modern day battlefield and cyberspace is the great equalizer,” he says. “Hacker groups can essentially attack with little individual attribution and virtually no consequence. I anticipate more attacks focused on energy, water, and financial services happening in the future.”

In 2018, the Trump administration created CISA within the Department of Homeland Security. But even the cyber cops are hampered by a lack of information. Private operators are reluctant to report transgressions and often quietly pay ransom to get their systems back online with as little fuss—and publicity—as possible.

It’s not entirely clear what an appropriate response to a cyber attack that crosses the red line would be. “It’s ones and zeros and malware versus one-megaton warheads on Titans and on B-1’s. How do you make that comparison so you can decide on proportional responses?” says Doug Wise, who served in the CIA as a member of the Senior Intelligence Service and was deputy director of the Defense Intelligence Agency. “That’s the beauty of these cyber attacks, because we struggle at trying to compare the attack mechanism to the kinetic attack mechanism, particularly, strategic to strategic.”

And then there’s the question of whom to retaliate against. Although intelligence experts are pretty skilled at tracing the digital footprints of an attack to its source, the evidence is almost always highly technical and far less persuasive to military allies and the general public than, say, that of a bombing raid or an invading army. Any decision to retaliate risks looking to all the world like an unprovoked aggression. The Russians are skilled at confusing attribution, making it difficult to justify a proportional response, let alone an escalation.

The attribution problem complicates the question of where to draw the line. Some experts think it would make retaliation more difficult than it would be for a conventional strike. “It would take a significant cyber attack against the aviation infrastructure, power infrastructure, water distribution and the transportation infrastructure,” Wise said. “I think it would take probably two to three simultaneous attacks against these targets, along with clear attribution. The attribution issue is always the stumbling block.”

Cyber Diplomacy

Still, it’s a mistake to assume that the difficulty of attributing a cyber attack is insurance against a hasty retaliation. The element of uncertainty that the attribution problem adds to international affairs could also be destabilizing. Just as it’s difficult to attribute an attack to an aggressor, it’s also easy to mistakenly attribute an attack to an adversary—particularly one that, like Russia, is a constant thorn in the side of the U.S., and from which Americans are primed to expect aggression. Given the heightened tensions between the U.S. and Russia, it’s not far-fetched to think that a third party could launch a cyber attack against the U.S. and make it look like it came from Russia. Even if U.S. intelligence officials were smart enough to suss out such a ruse, the mere appearance of aggression could provide a convenient pretext for war. After all, Iraq had nothing to do with the 9/11 attacks in 2001, but the George W. Bush administration still used them as justification for its disastrous invasion of Iraq in 2003.

Massive military strikes that start wars are baked into the American psyche. Japanese planes bombing the U.S. military base at Pearl Harbor in Hawaii on December 7, 1941, precipitated the U.S. entry into the Second World War. Hijacked passenger planes crashing into the World Trade Towers on September 11, 2001, triggered a U.S. invasion of Afghanistan that is only now ending. The 1962 Cuban Missile Crisis established a precedent for brinksmanship between the U.S. and Russia. “We almost went to nuclear war,” as Raj Shah, chairman of the cybersecurity insurance firm Resilience, told Newsweek.

The prospect of cyber attacks leading to a full-scale war is commonly accepted in diplomatic circles. NATO members, in a joint June 14 statement, agreed that “the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack.” The statement also said that NATO would intensify its focus in the cyber realm, including “sharing concerns about malicious cyber activities, and exchanging national approaches and responses, as well as considering possible collective responses.”

“If necessary, we will impose costs on those who harm us,” the statement added. “Our response need not be restricted to the cyber domain.”

The alliance also confirmed that it was open to considering cyber-attacks to be on a par with conventional military operations, stating, “We reaffirm that a decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis.”

The prospect of a “physical” attack in response to cyber attacks already has a real-life precedent. The U.S. targeted the cyber capabilities of the Islamic State militant group (ISIS) with an August 2015 airstrike that killed jihadi hacker Junaid Hussain in the de facto caliphate capital of Raqqa, Syria.

One of the first publicly acknowledged examples of an immediate, kinetic reaction came nearly four years later elsewhere in the Middle East. In May 2019, the Israel Defense Forces reported that they “thwarted an attempted Hamas cyber offensive against Israeli targets” by conducting an airstrike on an alleged headquarters in the Palestinian-controlled Gaza Strip. Israeli forces similarly targeted Hamas cyber stations during May’s 11-day confrontation with Hamas and allied Palestinian factions in Gaza. Although the fallout from both operations remained relatively contained, how such a response would play out on the state-versus-state level remains uncertain.

Playing Defense

The U.S. and its allies are already taking steps to head off cyber attacks from Russian-affiliated groups. The U.S. Cyber Command is collaborating with allies to pool insights and intelligence on the activities of Russia and other cyber-adversaries in what a spokesperson called hunt-forward operations. “These operations are one part of our ‘defend forward’ strategy—where we see what our adversaries are doing, and share with our partners in the homeland to bolster defense,” the spokesperson told Newsweek.

In one such mission targeting Russia’s alleged cyber activities, U.S. forces “discovered and disclosed new malware associated with the SolarWinds incident, and then provided key mitigation of the malware, attributed to Russia’s Foreign Intelligence Service,” the U.S. Cyber Command spokesperson said. The department shares much of its intelligence with federal agencies and private companies in an effort to prevent successful attacks.

Biden has alluded to retaliation against Russia for cyber attacks, but the U.S. is mum on what steps it is taking. As NATO’s joint communiqué asserted, the Biden administration has considered a range of options in response to major cyber attacks. “The way that I’ve consistently characterized our response when it came to SolarWinds and to other cyber attacks of that scope and scale is that we are prepared to take responsive actions that are seen and unseen,” White House national security adviser Jake Sullivan told reporters in June, “and I’ll leave it at that.”

Even these vague statements have raised concern among Russian officials. “What people can be afraid of in America,” Putin told NBC News, “the very same thing can be a danger to us. The U.S. is a high-tech country, NATO has declared cyberspace an area of combat. That means they are planning something; they are preparing something, so, obviously, this cannot but worry us.”

After the summit, Putin asserted that the “majority” of cyber attacks came from the U.S. and its allies.

Avoiding Unintended War

One reason cyber-security was on the agenda for Biden and Putin is to avoid an unintended war. Both the U.S. and Russia have asserted their right to wage cyber operations offensively and defensively. Without international agreements in place, it’s not clear what behavior is acceptable and what isn’t.

“We can’t allow this to continue to escalate,” says Shawn Henry, president and chief security officer of cybersecurity company CrowdStrike. “It’s the exact reason we had nuclear arms talks, because we realize things couldn’t continue to escalate, they couldn’t spiral out of control. We couldn’t worry about an adversary launching a weapon mistakenly because we know what the response would be.”

Henry, a former FBI executive assistant director, says the dialogue is overdue. “It takes us back to that exact point in the conversation where nation-states need to sit down and define what the red lines are and what the responses are going to be, so there is no misunderstanding.”

Prospects for a Treaty

Judging from his rhetoric, Putin seems amenable to an agreement to rein in the cyberwarfare shenanigans. In September, he asserted that “one of today’s major strategic challenges is the risk of a large-scale confrontation in the digital field,” as the Russian embassy in Washington conveyed to Newsweek.

Putin wants to establish high-level communication between Washington and Moscow on “international information security,” using existing agencies that deal with nuclear and computer readiness. He is also in favor of establishing new rules along the lines of U.S.-Soviet agreements on avoiding maritime incidents and mutual “guarantees of non-intervention into internal affairs of each other.”

In a reference to the nuclear weapons that dominated the Cold War discourse on arms control, Putin is also seeking a global agreement on “no-first-strike” rules regarding cyber attacks against communications systems, the embassy said.

Sullivan told reporters nuclear talks remained the “starting point” for bilateral discussions with Russia. “Whether additional elements get added to strategic stability talks in the realm of space or cyber or other areas, that’s something to be determined as we go forward.” Indeed, the joint statement on “strategic stability” released by both sides after the meeting stuck strictly to nuclear arms.

Still, the talks made some progress on cyberwarfare. While the Biden administration has drawn no direct link between the recent ransomware assault and the Kremlin, U.S. officials have called on Russia to hold hackers within its borders accountable for any attacks originating there. Putin said during an interview with the Rossiya-1 outlet he would agree to extradition of those arrested in Russia if the U.S. does the same; Biden has vowed to reciprocate in the event such attacks were launched from U.S. soil.

In some ways, the Biden-Putin summit sends a signal that cyberwarfare has taken its place alongside other military technologies as an accepted part of a nation’s arsenal and one that requires international agreements to keep in check. It also underscores the crucial importance of information technology to national defense.

“Domains of competition, it’s not strictly military anymore,” says Mike Madsen, director of strategic engagement for the Pentagon’s Defense Innovation Unit. “It’s economic, it’s social, it’s all these different things. We talked about air superiority and air supremacy, and there’s a day when there’s going to be concepts of cyber curiosity and cyber supremacy in a domain of competition.”

“In this era of Great Power competition,” he says, “the technology race is the most important front.”

A LINE DRAWN At their summit in Geneva on June 16, U.S. President Joe Biden handed Russian President Vladimir Putin a list of no-go targets that, if hit with a cyber attack, would be considered grounds for retaliation by America.

TENSIONS GROW (From top) Biden gave a solo news conference after the Putin summit, vs. the typical joint appearance, a sign of the strains following cyber attacks like the one that hit Colonial Pipeline. (Right) Former Deputy Assistant Secretary of Defense Evelyn Farkas advocates a strong stance.

A DANGEROUS PATH Experts warn of the rising risk that another major cyber attack against a U.S. target by Russian hackers could trigger armed conflict, much as the attack on Pearl Harbor (left) did with World War II. (From top to bottom) Putin, at his post-summit press conference; SolarWinds CEO Sudhakar Ramakrishna (middle) talking with other tech CEOs before a Congressional hearing on cyber threats last year; a JBS meat processing plant.

SHOW OF STRENGTH An intercontinental ballistic missile rolls down Moscow’s Red Square during a Victory Day military parade this May marking the 76th anniversary of the win over Nazi Germany in World War II.

CYBER CONFLICT During the confrontation in Gaza in May (top), Israeli forces targeted Hamas cyber stations. (Left) White House national security adviser Jake Sullivan has said the U.S. is ready to take action against cyber threats as needed. (Below) Soldiers in Indiana train to defend against cyber attacks.
