NBC News reported Thursday that President Joe Biden was briefed on a “menu of options for the U.S. to carry out massive cyberattacks designed to disrupt Russia’s ability to sustain its military operations in Ukraine.” Reportedly, those options included disrupting the internet across Russia, turning off electricity and hacking railroad controls, all with the specific and limited aim to degrade Russia’s capacity to continue moving troops, equipment and supplies into Ukraine.
How good are our offensive cyber capabilities against Russia? The general answer, it seems, is pretty good.
I’ve spent 30 years in counterintelligence, intelligence and security work, but I’ve never had to articulate the previous sentences as real-time, real-life scenarios. Contemplate, yes. Carry out, no. Yet here we are in completely uncharted territory.
An American president should consider every feasible tool in his kit to counter an authoritarian adversary’s quest to conquer a free democratic nation. Part of that consideration likely includes the cyber equivalent of Newton’s third law: “For every action there is an equal and opposite reaction.” The White House is undoubtedly discussing those possible actions and reactions right now. Specifically, Biden should be asking U.S. military, intelligence and Department of Homeland Security leaders three big questions.
First, how good are our offensive cyber capabilities against Russia? The general answer, it seems, is pretty damn good. In 2019, The New York Times revealed that the U.S. government was “stepping up digital incursions into Russia’s electric power grid in a warning to President Vladimir V. Putin.” The report explained that the U.S. had put “reconnaissance probes into the control systems of the Russian electric grid” since at least 2012. That’s 10 years of exploration and potential planting of cyberattack seeds that could sprout on our command.
As I detailed in a column for MSNBC after the 2020 U.S. presidential election, American military and intelligence cyber gurus won a resounding, and mostly secret, victory in the cyberwar against foreign agents — Russia chief among them — attempting to influence election outcomes. I wrote then: “While the more public part of the plan was impressive, the secret and stealthy side may someday become the plot of a Hollywood spy thriller.” Gen. Paul Nakasone, who led both the National Security Agency and the military's U.S. Cyber Command, suggested in a statement that secret operations stopped foreign interference. “‘I'm confident the actions we've taken against adversaries over the past several weeks and months have ensured they're not going to interfere in our elections,’ Nakasone said, referring to cyber strikes carried out against the computer infrastructure associated with Russian and Iranian government hackers.” Clearly, our ability to electronically and proactively smack down efforts from the Russian intelligence service to digitally impact our elections speaks to an impressive offensive capability.
Further evidence of the U.S. government’s ability to trace and identify by name, location, date and time-specific keystrokes Russian government cyber actors is found in special counsel Robert Mueller’s 2018 indictment of 12 Russian military intelligence officers, accusing them of carrying out malicious cyber activity to interfere with the 2016 presidential election. For those reasons, Biden should feel confident that America can conduct successful cyber operations against the Russian government and its infrastructure.
Biden’s second question should be: Can America defend against almost-certain Russian retaliation? The answer here is not as clear. Newton’s third law — the part where reactions are supposed to be equal to actions — may not apply where Putin is concerned. Recently, The New York Times addressed the concerns some analysts have that Russia’s increasingly dictatorial leader may have become unstable and unpredictable and that he has “fundamentally changed amid the pandemic” and become “more paranoid, more aggrieved and more reckless.” That means while our cyberattacks might be limited to disrupting Russian military maneuvers, Putin’s response might not be so constrained. Our private sector could take a hit. It has before. In fact, so have U.S. government agencies.
The Department of Homeland Security warned last week that U.S. entities of all kinds could face cyberthreats stemming from "the potential for the Russian government to consider escalating its destabilizing actions" beyond Ukraine. The Shields Up program at the Cybersecurity and Infrastructure Security Agency cautioned companies and agencies to make sure their "most critical digital assets" are protected. Russia’s offensive cyber capabilities are sophisticated and formidable. These factors necessitate a careful, measured defensive strategy prior to any offensive cyber actions against Russia. The potential for digital repercussions that impact the American people — not just government agencies — leads to the next question our president should be asking.
Is a deeply divided American citizenry capable of collective sacrifice and resiliency required if daily living is disrupted by retaliatory Russian cyberattacks?
Is a deeply divided American citizenry — fueled by pro-Putin, anti-Biden propaganda from the far right — capable of the kind of collective sacrifice and resiliency required if daily living is disrupted by retaliatory Russian cyberattacks?
Peter Cowhey, a cyber expert at the University of California, San Diego, recently discussed the potential domestic digital fallout if the U.S. were to conduct cyberattacks against Russia for its invasion of Ukraine. In a Q&A with The San Diego Union-Tribune, he said:
All forms of our [U.S.] infrastructure are potentially subject to cyberattack. ...
The electric grid components most vulnerable to Russian disruption would be sub-stations and the local distribution networks for electricity. There is a lot of old equipment that is ripe for mischief even though we are working on improved security. The impact would be something like that of a really major local storm or wildfire that harmed grid facilities.
A more serious disruption would be an attack on the regional transmission grid that links all the states of the western United States. This grid has better protections but Russia could conceivably cause a blackout that covered a large part of the West Coast that lasted several days. That would be a costly mess with damage in the billions with disruptions something like a good-sized hurricane’s harms.
You also can imagine communications networks being disrupted.
If Americans have managed to politicize a global pandemic and can’t agree on wearing masks or getting vaccines that are proven to save lives, can we coalesce around a threat to a democracy 5,000 miles away? Are we capable of dealing with disruptions to our internet service, a power outage, the temporary inability to swipe a card to pay for our morning coffee or for our gasoline? Putin is hoping that the previous presidential administration — egged on by Russian government propaganda on social media — so divided us that we no longer agree on what we stand for.
Let’s hope he’s wrong.