Between 1946 and 1958, the Bikini Atoll, in the North Pacific Ocean, was used as a testing ground for 23 new nuclear devices that were detonated at various spots on, above, or beneath it. The point of the tests was primarily to understand (and, in many cases, show off) how these new weapons really worked — and what they were capable of. The era of nuclear testing may now be over, but the age of cyber warfare is just beginning. And for Russia, the war with Ukraine has likely been serving as a live testing ground for its next generation of cyber weapons.
Countries and companies watching this latest chapter unfold should remember this: The online front of the war can — and has — jumped borders.
Cyberattacks, unlike traditional attacks, can be difficult to attribute correctly. Because cyberattacks are often launched from hosts whose owners are unaware of it, plausible deniability exists. For example, partial control of your home computer might be taken over without your knowledge and used to launch a chain of attacks. One such incident occurred in 2013, when smart refrigerators were incorporated into a botnet and used to target businesses. In 2016, thousands of home security cameras were taken over and used to impair the operations of Twitter, Amazon, Spotify, Netflix, and other companies.
Yet there is substantial evidence linking Russian hackers to a series of strikes in Ukraine. In 2015, following Russia’s annexation of the Crimean Peninsula, alleged Russian hackers managed to cut off electricity to around 230,000 subscribers in western Ukraine. The next year, attackers repeated the tactic, expanding the list of targets to include government entities and the financial sector. Ukraine was later targeted by never-before-seen malware designed to delete data in the hours before Russian forces arrived, an attack the Ukrainian government described as “on a fundamentally different level” than prior strikes.
It’s easy to see why Ukraine is a desirable target for testing cyber warfare skills. The country’s infrastructure is comparable to that of Western Europe and North America. But, unlike the United States, the United Kingdom, and the European Union (EU), Ukraine’s retaliatory resources are more limited (though the U.S. and EU have both provided support in bolstering its cyber defenses). While Russia is the obvious suspect, other countries, such as Iran, North Korea, or China, might have been testing their own cyber arsenals in Ukraine as well.
The larger point here is that there’s little chance that cyberattacks will be limited to Ukraine. Governments and corporations should closely heed what’s going on there because cyberwar can — and has — quickly spread across borders.
What might a real global cyberwar look like?
Given that the U.S. and EU have banded together in support of Ukraine, the scope of a cyber war could be broad. Large-scale cyber skirmishes can become global through a spillover effect, and there is precedent for what such a spillover looks like. In 2017, a suspected Russian attack featuring a piece of malware dubbed “NotPetya” disrupted Ukrainian airports, railways, and banks. But NotPetya did not stay in Ukraine. It spread rapidly around the world, infecting — and for a period largely shutting down — a diverse array of multinational companies, including the global shipping company Maersk, the pharmaceutical giant Merck, and FedEx’s European subsidiary TNT Express, among others.
The majority of cyberattacks have not been as damaging as they could have been. That might be because the attacker was unaware of the extent of the harm that could be done, but it’s more probable that they were mere “tests” of the cyberweapons. It is feasible to force systems like power grids not only to shut down but also to explode or self-destruct – damage that may take weeks or months to repair. Thus far, there have been few such attacks, although steel factories and gas pipelines have been destroyed in certain cases. The most well-known example was the Stuxnet cyberattack, which is thought to have damaged 1,000 centrifuges at an Iranian nuclear enrichment plant.
So, what might a real, global cyberwar look like? Given the interdependence of critical infrastructure sectors, such as electricity and communications, an aggressive attack would likely knock down many sectors at the same time, magnifying the impact. Furthermore, in a “no holds barred” attack where maximum damage was inflicted, a primary goal would be to also produce long-lasting physical damage.
The two kinds of cyberattacks
We can distinguish two different kinds of impact from cyberattacks: direct and indirect.
Indirect attacks: Neither you nor your computer is individually targeted. The target is the power grid, supply chains, banking systems, water treatment, communications, or transportation. There is not much you can do personally to defend these systems. But how well, and for how long, can you fare without electricity, food, water, and cash?
Direct attacks: An attack targeting you. In war, the civilian population can also be targeted, either deliberately or accidentally, to weaken the will to continue fighting. In cyber warfare, the technical methods are quite similar, but the consequences can be more personal. For example, what if all the data on your computer is stolen or erased, especially if it includes the only copies of your photos or documents?
So what can you do to protect yourself?
Indirect cyberattack: You personally may have no way to protect the nation’s critical infrastructure. But by collectively influencing the government, citizens can motivate the private sector to improve its protection and preparation and, perhaps even more importantly, its resilience in the face of such breaches.
Many people are unaware that various forms of cyberattacks do not have to be disclosed. As a result, the government and other such organizations have no awareness that cyberattacks — both attempted and successful — are taking place. Pipeline firms, for example, were not required to report intrusions until after the Colonial Pipeline hack became public.
Regarding the resilience of our infrastructure, we often don’t realize how badly prepared we are until it is too late. A serious cyberattack can have an impact similar to that of a natural disaster, knocking out essential infrastructure and creating cascading crises.
Before a cyberattack happens, companies should push for assurances that our infrastructure can rapidly recover from one, and have those assurances verified by independent auditors.
Direct cyberattack: Most of the key things you can do to prevent, or at least minimize, direct damage to you and your computer fall under the “Cyber Hygiene 101” category. This includes simple measures, such as using strong passwords and not clicking on suspicious links — precautions many of us unfortunately overlook. But we now know that there are ways onto your computer, as SolarWinds, Log4j, and Pegasus have shown, that require no action on your part and don’t require your password. Such attacks are called “zero-click” attacks.
As such, preparing for a cyberattack means doing everything possible to minimize potential damage if the attacker does get in. This includes:
- Making sure that your software is up to date throughout your organization, and that known vulnerabilities in earlier versions have been patched.
- Having effective antivirus and malware detection software — and remembering that malware may already be lying dormant on your computer, awaiting orders.
- Frequently backing up your important data, especially documents that exist in only one place, so that a copy survives if the original is destroyed.
It’s also worth taking steps in your organization to minimize risk and prepare to respond if (or when) the worst happens. This includes:
- Looking for possible vulnerabilities in your cyber supply chain, and pushing vendors of third-party software to prioritize cybersecurity.
- Testing your incident response plan — including running scenarios and tabletop exercises — to be sure that the plan is sound and that everyone knows what they’re supposed to do in a crisis.
There was a time, in the 1960s and 1970s, when the world feared a global nuclear war. Fortunately, we made it through that period. With luck, we will also avoid a devastating global cyber war. But there is no guarantee, and with geopolitical tensions running high, it is not wise to rely on good luck alone. Each of us needs to do everything we can to increase our chances of being a survivor.