“If Russia pursues cyberattacks against our companies, our critical infrastructure, we are prepared to respond,” he said during remarks from the White House.
But now, even as the Russian army drops bombs and mortar shells on civilians in hospitals and neighborhoods and its invasion of Ukraine nears its fourth week, no known nightmare cyber scenario — a widespread power outage, a poisoned water system, a crippled supply chain — has come to pass in Ukraine, the US or elsewhere.
The general consensus among the nearly 20 experts who spoke with CNN for this story is that while Russia is well positioned to launch catastrophic cyberattacks on the US, it is unlikely to do so.
“We do need to consider this possibility as a low probability but high-impact scenario,” said Paul Prudhomme, the head of threat intelligence advisory at the cybersecurity firm IntSights.
The prospects for a grand-scale cyberattack in America are low, experts say. For one, Putin understands that his country’s cyber capabilities, though formidable, are outmatched by those of the United States, which is generally thought to be the most sophisticated player in the domain.
The federal Cybersecurity and Infrastructure Security Agency told CNN it hasn’t yet received any credible cyber threats resulting from the conflict in Ukraine, but it emphasized that the energy sector has been bolstering its defenses in recent years and is on high alert as it urgently prepares for any attempted breach.
Experts say Russia’s ability to conduct an impactful cyberattack in the US shouldn’t be underestimated.
“If we look at just what they’ve been able to do, there is only, according to public knowledge, one country out there that has any experience taking down electric systems — that’s Russia,” said Robert M. Lee, a cybersecurity expert who investigated the 2015 attack in Ukraine.
Testing the waters
Cyberattacks against the US by Russia are more than merely possible — they’ve been happening for years on a low-grade scale.
The country has been testing the waters in the US, laying the groundwork, experts say, for a much more extensive cyber campaign.
Then, in late 2020, came the most advanced operation yet: about 100 organizations around the world, including multiple US government agencies, were revealed to have been breached by Russian hackers who had inserted a backdoor into signed updates of SolarWinds' Orion network-management software and used the resulting access to monitor internal operations and exfiltrate data.
Putin has been systematically testing vulnerabilities in Europe and the US for the past four years, and is in a position to cause all sorts of economy-crushing problems, experts say.
“They know how to weaponize these things — they’ve done it,” said Melissa Hathaway, who led cybersecurity initiatives in the presidential administrations of George W. Bush and Barack Obama. “If I need to cause a national crisis in another country, they know how to do this, they’ve systematically been testing the system.”
“The group has a history of gaining access and maintaining access to US and European utility companies, but they don’t do anything with it,” Prudhomme said. “They want to have that access ready at a moment’s notice so, if and when they get the order on demand, they can flip the switch.”
But it’s a two-way street. Experts say that while Russian operators are believed to hold footholds in the networks of various US infrastructure sectors, American operators are believed to hold comparable footholds in Russia’s.
It’s the “cyber equivalent of mutually assured destruction,” said Karen Walsh, CEO of a cybersecurity firm called Allegro Solutions, using a term that historically described a philosophy of deterrence during the nuclear standoff of the Cold War.
Putin, experts say, understands the extent of this sophistication and is likely loath to poke the bear.
“He seems to recognize that that’s a different level of escalation,” Timothy Frye, Columbia professor and author of “Weak Strongman: The Limits of Power in Putin’s Russia,” said of a crippling cyberattack on a major electric utility in the US or another NATO country. “That might be part of the calculations as well.”
Still, some experts say, Europe’s critical infrastructure could be an enticing target for Russia. That’s in part because the continent is far more dependent on Russian oil and gas than the US is.
“I don’t think anyone’s thought through how much control Russia has over the future of Europe,” said Hathaway, now the president of Hathaway Global Strategies.
Putin has been most willing to wreak havoc on the Ukrainian power grid. Russian operators cut power to more than 200,000 customers in December 2015 and hit the grid again in December 2016, that time with Industroyer (also called CrashOverride), malware purpose-built to speak the control protocols used by substation equipment.
“That one scared the hell out of everybody,” said Lee, now CEO of a cybersecurity firm called Dragos and a former cyber warfare specialist with the Air Force. “That was a capability they developed that could be deployed on any electric transmission site in the world and have reliable effects everywhere. Like, it was — it was bad.”
The June 2017 NotPetya attack was seeded through a compromised software update from a Ukrainian accounting software firm, but the self-propagating wiper spread to companies across the globe, causing billions of dollars in damage.
“It was part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict,” White House press secretary Sarah Sanders said in 2018.
The US has ‘significant’ cyber vulnerabilities
If the Colonial Pipeline breach demonstrated anything, it is the extent to which critical infrastructure in America is susceptible to cyberattacks.
That attack, Prudhomme stressed, was financially motivated. The hackers, he said, used a compromised password found in a dark-web data dump and were able to employ an inactive VPN account to penetrate the Colonial Pipeline’s network, which didn’t use multifactor authentication.
“Criminal hackers will tend to go for low-hanging fruit,” he said. “The point of entry here was fairly simple.”
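The entry path described above (a password lifted from a breach dump, an account nobody had used in months, a VPN with no multifactor authentication) is exactly the kind of low-hanging fruit a defender can look for before an attacker does. The following is an added example, not part of the CNN article and not code from any of the quoted experts or companies: a small Python routine that reviews VPN authentication logs for successful logins to dormant or MFA-less accounts, lists dormant accounts that should be disabled, and rejects passwords that already appear in a breach dump. The log line format, the account inventory and the breach dump are all constructed here for illustration and are hypothetical, not any real vendor's schema.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib

# Constructed account inventory (hypothetical): last successful login before the
# log window, and whether the account is enrolled in multifactor authentication.
ACCOUNTS = {
    "jdoe":       {"last_seen": "2021-04-27T08:02:00", "mfa_enrolled": True},
    "legacy_vpn": {"last_seen": "2020-09-03T17:44:00", "mfa_enrolled": False},
    "asmith":     {"last_seen": "2021-04-28T09:10:00", "mfa_enrolled": True},
}

# Constructed breach dump: SHA-1 digests of passwords already public. A real
# deployment would query a k-anonymity service by hash prefix instead of
# keeping the list locally.
LEAKED_PASSWORD_HASHES = {
    hashlib.sha1(b"Spring2020!").hexdigest(),
    hashlib.sha1(b"Password1").hexdigest(),
}

# Constructed VPN authentication log, one event per line (hypothetical format):
# <ISO-8601 timestamp> <user> <source IP> <SUCCESS|FAILURE> mfa=<yes|no>
VPN_LOG = """\
2021-04-29T03:12:41 jdoe 203.0.113.8 SUCCESS mfa=yes
2021-04-29T03:15:02 legacy_vpn 198.51.100.77 SUCCESS mfa=no
2021-04-29T03:20:55 asmith 203.0.113.9 FAILURE mfa=no
"""


@dataclass
class Finding:
    user: str
    timestamp: str
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, user, src, result, mfa = line.split()
    if result not in ("SUCCESS", "FAILURE") or mfa not in ("mfa=yes", "mfa=no"):
        raise ValueError(f"malformed log line: {line!r}")
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "src": src,
        "success": result == "SUCCESS",
        "mfa": mfa == "mfa=yes",
    }


def review_logins(log_text, accounts, dormant_days=90):
    """Flag successful logins that match the Colonial-style entry path.

    A login is reported when the account has been idle longer than
    `dormant_days`, is not enrolled in MFA, completed without MFA, or is not
    in the inventory at all (nobody owns it, so nobody will notice its use).
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if not ev["success"]:
            continue  # failed attempts are brute-force telemetry, handled elsewhere
        reasons = []
        acct = accounts.get(ev["user"])
        if acct is None:
            reasons.append("account absent from inventory")
        else:
            idle = ev["ts"] - datetime.fromisoformat(acct["last_seen"])
            if idle > timedelta(days=dormant_days):
                reasons.append(f"dormant account, idle {idle.days} days")
            if not acct["mfa_enrolled"]:
                reasons.append("account not enrolled in MFA")
        if not ev["mfa"]:
            reasons.append("session established without MFA")
        if reasons:
            findings.append(Finding(ev["user"], ev["ts"].isoformat(), reasons))
    return findings


def dormant_accounts(accounts, as_of, dormant_days=90):
    """Accounts idle longer than `dormant_days` as of the ISO timestamp `as_of`:
    the list to disable before an attacker finds one with a leaked password."""
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=dormant_days)
    return sorted(u for u, a in accounts.items()
                  if datetime.fromisoformat(a["last_seen"]) < cutoff)


def password_is_leaked(password, leaked=LEAKED_PASSWORD_HASHES):
    """True if the password's SHA-1 appears in the breach set. Use at password
    set/reset time so a dumped credential cannot be reused for VPN access."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest() in leaked


if __name__ == "__main__":
    for f in review_logins(VPN_LOG, ACCOUNTS):
        print(f.timestamp, f.user, "; ".join(f.reasons))
    print("disable:", dormant_accounts(ACCOUNTS, "2021-04-29T00:00:00"))
    print("leaked:", password_is_leaked("Spring2020!"))
```

Run against the constructed log, only the `legacy_vpn` login is reported, for all three reasons at once; `jdoe` is a recent, MFA-backed login and `asmith` is a failed attempt. The dormant-account list is the preventive half of the same control: an account that is disabled cannot be used no matter how many dumps its password appears in, which is why periodic review of idle remote-access accounts matters more than any single detection rule.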
But even if localized networks are vulnerable, experts say that the American power grid is far too complex to shut down in one simple motion.
“For a successful attack to be able to take the lights out, they need to gain access to a lot of different points … and nobody is looking,” said Vikram Thakur, technical director at cybersecurity company Symantec. “We don’t think it’s plausible.”
Sophisticated hackers could, however, still seize on any vulnerabilities to cause smaller-scale damage to the electrical grid and other means of energy production.
Smaller utility companies may not be able to invest enough in cybersecurity, leaving their systems more exposed to attack. The equipment and devices used to distribute electricity to consumers are also at greater risk, experts say, because distribution systems are not required to adhere to the federal NERC CIP standards that apply to the bulk electric system, that is, the higher-voltage generators and transmission lines.
And while new cybersecurity requirements were introduced for certain oil and gas pipelines last year, they are not as comprehensive as the electrical industry standards and there aren’t federal cybersecurity regulations for water systems, said Ernie Hayden, who has spent decades working in the power sector, identifying risks to energy and electric providers as a chief information security officer, cybersecurity engineer and consultant.
If networks aren’t properly secured, a hacker could not only launch a ransomware or malware attack but also directly infiltrate the systems that control critical physical equipment, known as operational technology (OT), said Hayden.
Even these smaller-scale, localized disruptions are unlikely, however, and experts said they would not cause the cascading blackouts or mass destruction that many fear. But they could still have a psychological impact, which may be the intent of the attacker.
Tom Alrich, a cybersecurity risk management consultant specializing in supply chain threats to software, said he doesn’t believe hackers, including any from Russia, would be able to cause outages by accessing electrical infrastructure. Even if they could, he said, they would get nothing out of it. Instead, Alrich said, the focus should be on two things: ransomware attacks that shut down a company’s operations without directly attacking the systems that control the physical infrastructure, which is what happened in the case of Colonial Pipeline, and cyberattacks that “poison” the software developed by a given company or organization, such as the infamous SolarWinds hack.
Max Stier, president and CEO of Partnership for Public Service — a nonpartisan non-profit that promotes better government — pointed to some federal failures. He noted that the Department of Energy has some key positions unfilled because the US Senate has been slow to confirm nominees.
“The notion of cyber risk is profound,” Stier said. “It’s a battlefield that doesn’t respect physical boundaries, one where we know the Russians already have been playing, and not just the Russians; and it’s one where we have significant vulnerability.”
CORRECTION: An earlier version of this story misstated the number of organizations breached in the SolarWinds hack. The figure is about 100.