The global outpouring of cyber assistance in the wake of a call from Ukraine’s digital transformation minister for a “hacker army” to launch cyberattacks against Russia was unprecedented. And it wasn’t just hackers.
Dozens of cyber security firms and experts worldwide began extending their services – free of charge – to Ukrainian organizations and individuals to ward off expected cyber assaults from Russia.
Tech giants like Apple, Google, and Microsoft weighed in with ways to aid Ukraine, which itself did not see the onslaught of expected cyberattacks materialize ahead of the physical invasion of the country by Russian troops.
The outpouring of private sector help began to shape a new, unorganized private sector force that collectively demonstrated its ability to leverage incredible power in the new battlespace.
“We believe the willing must stand together in alliance to contend with the speed and consequences of the convergence of the physical world on the digital, and the digital world on the physical,” write Christopher Ahlberg, CEO of Recorded Future, and Geoff Brown, former CISO of New York City, in The Cyber Initiatives Group’s ‘Watch’ or ‘Stand Against’ the Digital Machinery of Aggression in Ukraine. “In doing so, with all our leadership, innovation, and energies, can we truly act together, to further help Ukraine, and to contend with the borderless digital ramifications of this history changing aggression.”
The rise of this new private sector-led force comes as the White House has been warning for weeks about potential Russian cyberattacks. The Cybersecurity and Infrastructure Security Agency (CISA) launched a Shields Up campaign to warn businesses of what is likely coming, saying, “Every organization—large and small—must be prepared to respond to disruptive cyber incidents.”
But to date, those expected cyberattacks have failed to materialize on scale with the warnings, so what’s going on?
“Russia has used cyber as part of its attack on Ukraine, but rapid and severe escalation in kinetic violence largely eclipsed cyber effects to date,” says James Allen, Executive Vice President, Booz Allen Hamilton. “Cyber is best understood as a component of national power – part of a mix of options, each of which has its own advantages and disadvantages and all of which work in concert. As conditions on the ground change, cyber could become more prominent as kinetic options become less useful. It is also possible that Russia could use cyber to broaden the fight beyond Ukraine but may be evaluating the risk/benefit trade-off before doing so. A consideration both within Ukraine and beyond is that Russia’s actions to date affect attack surfaces – damage to infrastructure, heightened defenses, changes in psycho-social factors, political goals and will, etc. All are relevant to leveraging cyber effectively to achieve the desired effects.”
“I think the whole world is wondering, based on the conflict in Ukraine - with economic sanctions, with actual kinetics - what triggers the cyberattacks that go beyond the region? And we don't know,” says Mandiant CEO Kevin Mandia, who served as CEO of FireEye when the company discovered and then publicly disclosed the SolarWinds hack. “I don't think anybody has a bright line on, ‘Hey, if the pain gets to this level, then cyber is a viable alternative for the Russian government to start exercising.’ So, I think we're all waiting for it. But the good news is that the minute it hits, we'll all know it.”
Background:
- Cyber efforts to evade Russian censorship and penetrate government barriers to Internet access blossomed in the first few weeks of the Ukraine crisis. In addition to the ad hoc gathering of hacktivists and other cyber volunteers, mainstream media used unorthodox channels to share information with the Russian public. The Washington Post profiled a number of users, including the BBC, Deutsche Welle, and Twitter, which employ Tor software, an anonymity service that “routes Internet traffic through a scattered network of servers, effectively neutralizing the website blockade.” Telegram, a group-chat service widely used in Russia, also emerged as a way to circumvent Russian blocking efforts. Among others, The New York Times, Washington Post, and the BBC established Telegram channels for newsfeeds.
- The Washington Post reported that the big takeaway on the cyber front was that “the hacks associated with [the Ukraine conflict] are less consequential or damaging than many cyber watchers predicted.” In the opening days of Russia’s invasion, observers projected this dire prospect: “Ukrainians are steeling themselves for powerful Russian cyberattacks that could shut off power, disrupt communications and wreak further havoc among citizens.”
- Victor Zhora, deputy chief of Ukraine’s information protection service, cited three reasons why the expected cyber onslaught didn’t reach anticipated levels: Russian hackers aren’t nimble enough to compromise the most important Ukrainian targets during fast-moving military operations; stealthy cyberattacks aren’t that useful in comparison to the damage Russian military actions are causing; and Russian cyber operators are busy protecting their own digital infrastructure.
- Meanwhile, an IT executive at the center of Ukraine’s volunteer digital corps said of those who have joined cyber efforts from across the globe on Ukraine’s behalf, “We are really a swarm, a self-organizing swarm.” Roman Zakharov noted his group, StandforUkraine, includes software engineers, marketing managers, graphic designers and online ad buyers.
- Early on, SpaceX CEO Elon Musk sent a truckload of Starlink antennas — which can be used to connect to the company's satellite-based internet service — to Ukraine. However, Musk added on Twitter what he called an "important warning: Starlink is the only non-Russian communications system still working in some parts of Ukraine, so probability of being targeted is high. Please use with caution."
- The Tech to the Rescue Foundation recently launched #TechForUkraine, aiding NGOs with free digital services. Reportedly, more than 225 companies and 300 individuals worldwide had pledged support. A website for #TechForUkraine offered to match up cyber service providers with NGOs that were using weak security systems and outdated software.
- Microsoft worked with Ukrainian government officials to warn of hacking threats. Google, in coordination with Ukraine, disabled a feature that displays traffic conditions in its widely used Maps app, a move that potentially made navigating more difficult for the Russian military. Apple responded to a request from the Ukrainian deputy prime minister to end product sales in Russia.
A Deeper Understanding of Russia’s Capabilities
The Cipher Brief spoke during a recent expert briefing with Kevin Mandia about Russia's capabilities in cyber and whether there are specific industries that Russian hackers are more likely to target if they do, in fact, launch a cyber campaign. What follows is an edited transcript of that conversation.
Mandia: The reality is that Russia has different groups that do different things. So, when you think about what's on the table, and what they can bring to bear against the United States or the European allies, it depends on whether you're up against the GRU, the FSB, a Russian citizen who wants to wreak havoc to promote their country's agenda, or the SVR. You know, Putin can wake up today and say, "I want to hack the New York Stock Exchange." I think that would've been a decision made a while ago and those steps in that operation would've been planned out a lot in advance.
I think what's on the table, more broadly, is either a swath of indiscriminate attacks just to cause mass damage or a precision strike attack that goes deep, maybe against utilities or something like that. I don't think anybody really knows what tactic will be deployed, and it could be a blend of both. Some folks who advise me at my company have said that it may be something that feels reciprocal to what's happening economically. So, it could be that financial services are targeted, because that feels like a reciprocal type of attack.
You've got to also believe that the defense industrial base is always going to be a target, and oil and gas could be inside of what would be considered reciprocity. If we damage their business in oil and gas with economic sanctions, maybe they will try to do the same via a cyberattack.
Those are all hypotheticals. I don't have a crystal ball but I do know when the gloves come off, if they come off, everyone in the United States is going to know about it very quickly because we're all on high alert, both the government organizations and the private sector.
The Cipher Brief: So much of the critical infrastructure in the U.S. is in private hands. How prepared do you think those private sector companies are when it comes to a Russian-backed attack against critical infrastructure?
Mandia: The good news is that we've never been more prepared. Everybody's communicating. Everybody's alert. Everybody's involved. So, I would call this community defense. If you're going all out in cyber and if your intent is to cause mass damage when you go on the offense, it would make sense to target critical infrastructure, and specifically, the utilities. If you don't have energy, you have no healthcare. You don't have finance if you can take out energy. I just don't think that's the first thing people would try, because that's just an enormous escalation.
You're not going to get a hundred percent hit rate against financial services. It's also something that's hard to do. Every single major utility has fault tolerance, redundancy, and tests their cybersecurity. I'm not sitting back panicked about an attack on our grid because I think that's over escalation based on what I’ve seen.
The Cipher Brief: You’ve said before that the industry changed after the Colonial Pipeline attack. Do you think the industry changed again with the launch of this war in Ukraine?
Mandia: The reality is we have a war going on right now. And with that, there's going to be a cyber component to it. And the challenge with the cyber domain is that you do have unintentional consequences. Even if you're on offense and you're trying to show a lot of restraint and just target one nation, you may accidentally impact a lot of other nations, especially with the global economy where a lot of folks have employees in Ukraine or in whatever theater emerges in a conflict zone. It is very hard to isolate your attacks in cyberspace. It just is. If you go after one machine, you have no idea what you might be impacting. And that's evident when you go back to the Colonial attack. When those ransomware actors spread ransomware, they had no idea what the results were going to be. When you go on offense and you conduct destructive attacks, you're not sure about the purpose of every machine that you may be destroying and what the downhill effects of those are, so the bottom line is that you share all of your threat intelligence to safeguard an organization and keep them out of harm's way. You don't want to see a company go out of business because of a cyberattack. That's crazy to me and just shouldn't happen. We have to impose risk, repercussions and rules. Nobody deserves to lose their job because a nation compromised their company and destroyed it. That just seems like something we just can't allow to happen as a nation.
I don't think anybody's got a bright line, but certainly it's a bright line if lives are at stake and the intel can save lives, I think you’ve got to share it.
The piece includes reporting, research and analysis by Suzanne Kelly and Ken Hughes.