Winter is here
Garry Kasparov, the famous Russian chess player, wrote a book in 2015 titled "Winter is Coming" which chronicled the collapse of the Soviet Union, charted the rise of Putin, and painfully captured the many missed opportunities of the West to contain Putin. The book also laid out, in chilling fashion, the historical reasons behind Putin's invasion of Ukraine. Now that "Winter is Here," Putin has initiated a ground war that might spread to other geographies and realms, including information operations and cyber.
The prospect of a full-blown cyber war -- once remote -- seems more likely if the Russian invasion of Ukraine escalates, spills out of Eastern Europe, and enters the highly connected world in which we live. How bad can it be? No one fully knows, but cybersecurity professionals are no strangers to Russian cyber-attacks.
The cybersecurity industry has over a decade of experience defending against attacks that came directly from the Russian state or from Russian-based organizations that had the backing of the Russian government. This experience tells us that if a cyber war happens, it will be more disruptive than anything else we’ve encountered in this realm. Most long-term cybersecurity professionals have a bad feeling about where this is headed, and we’ve seen organizations preparing for the worst. The worst will look far different from anything we’ve witnessed, and organizations are well served to prepare. How will a cyber war be different, and what will it look like?
For starters, it will happen all at once. Take, for example, the Colonial Pipeline breach, which occurred last year. The Colonial Pipeline breach was a particularly nasty ransomware attack that shut down a component of our critical infrastructure and affected the flow of fuel across the United States. In a cyber war we would have hundreds of Colonial Pipeline breaches occurring at the same time. There aren't enough security professionals or service providers to respond to that many breaches simultaneously. Incident response companies, already spread thin, will be hard-pressed to assist additional companies in this scenario. The result would be longer recoveries for all, causing more disruption to supply chains and, ultimately, to our daily lives.
I think this will happen, and it will be worse than anything we’ve seen, for the simple reason that the Russians have been perfecting their art for the last decade. They have had the opportunity to fine-tune their methods and, as a result, can scale their operations to have a broader effect in the West. Let’s take stock. The Russians most certainly interfered in the 2016 US Presidential election in one way, shape, or form. They likely attacked multiple companies and government organizations via the SolarWinds supply chain attack, whose damage is still being assessed. Then there are the numerous ransomware attacks, including the Colonial Pipeline attack, carried out by criminal gangs mostly based out of Russia with the blessing of the Russian government. The result of those attacks was billions of dollars flowing to Russian criminal gangs via Bitcoin, hurting American businesses, hospitals, school districts and numerous other types of organizations. These are but a few of the Russian or Russian-backed attacks we are aware of. As any security professional will tell you, what you read about in the press is the tip of the iceberg in this realm. Far more serious cybersecurity incidents occur daily and go unreported.
Another obvious reason why I believe a Russian cyber attack is likely to occur is our susceptibility in a hyper-connected world. Our digital lives are inextricably linked to, and highly reliant on, the Internet, GPS, and the electrical grid that fuel our lives of convenience. Should we dial up economic sanctions in a way that causes genuine pain for the Russian people, look for the Russian state to return the favor by disrupting the Internet and other facets of our online lives. To make matters worse, cyber-attacks are an attractive option because a sophisticated attacker can cover his tracks and maintain plausible deniability. Many of the headline-grabbing public breaches took weeks to attribute, given the technical difficulties associated with arriving at a firm cause. In short, the Russians could potentially cause significant disruption in the United States and the West and maintain that it wasn’t them.
The most likely avenue of cyber disruption is the financial sector, in response to any economic sanctions levied by the West. The good news is that banks and other financial institutions are the most prepared for any cyber-attack. Banks, insurance companies, and other financial services companies encounter sophisticated attacks daily. Over the years, they have developed some of the most complex defenses, including protection from denial-of-service attacks, that leave them best suited to weather any cyber-attacks.
I conducted an informal poll of Chief Information Security Officers (CISOs) across the financial sector this week and found that organizations were preparing for the worst by standing up internal response teams. Another potential target is electrical providers, who are conducting operations to isolate critical operational technologies and performing more intensive reviews of vulnerable systems. Given their critical role in keeping the lights on, and the increased likelihood of disruption from the Russians, electrical companies are using this opportunity to upgrade their preparedness by adding staff and dedicating more financial resources.
One constant theme that has come to the forefront in the last two weeks is Vladimir Putin’s obsession with the humiliation Russia encountered following the collapse of the Soviet Union and the end of the Cold War in 1991. Coupled with this week’s threats towards the West, one can conclude that the risk of U.S. confrontation with Russia is significantly higher than it was a month ago. If Russia decides to conduct a cyber-attack against the West to inflict maximum disruption, it will be on a scale we’ve not yet experienced. I believe this will occur, will occur soon, and organizations and individuals should prepare for Winter. Winter is here.
John Dickson is VP, Security Solution Architecture, Coalfire. He has spent more than 25 years advising clients on cybersecurity risk. A former Air Force officer and Big 4 consultant, he is a trusted advisor to CSOs and CISOs on matters of software risk. At Coalfire he leads the solution architecture, field CISO, and security strategy advisor teams. Mr. Dickson is a Certified Information Systems Security Professional (CISSP). Reach John on Twitter @johnbdickson.