US sends top security official to help NATO brace for Russian cyberattacks
By David E. Sanger
The White House dispatched its top cybersecurity official to NATO on Tuesday in what it described as a mission to prepare allies to deter, and perhaps disrupt, Russian cyberattacks on Ukraine, and to brace for the possibility that sanctions on Moscow could lead to a wave of retaliatory cyberattacks on Europe and the United States.
The visit by the official, Anne Neuberger, the deputy national security adviser for cyber and emerging technology, underscored recent intelligence assessments that an invasion of Ukraine would almost certainly be preceded by renewed cyberattacks on Ukraine’s electric grid, its communications systems and its government ministries.
All of those systems have been Russian targets in the past six years. Ukraine has often been President Vladimir Putin’s testing ground for Russia’s arsenal of cyberweapons.
“We have been warning for weeks and months, both publicly and privately, that cyberattacks could be part of a broad-based Russian effort to destabilize and further invade Ukraine,” the White House said in a statement announcing Neuberger’s arrival at NATO headquarters in Brussels. After speaking with the North Atlantic Council, NATO’s main policy body, she will go on to Poland, where she will meet with Baltic officials responsible for cyberdefense.
Neuberger will tell NATO members that over the last few years they have witnessed a lot of cyberskirmishes, but no cyberwar. She will say, according to a White House statement, “that the kinds of disruptive or destructive cyberactions possible during a conflict are different in scope, kind and sophistication from the types of incidents we have seen during peacetime.”
In January, hackers brought down dozens of government websites in Ukraine, and Microsoft warned that it had detected a dangerous form of malware in government and private computer networks in the country.
The U.S. government has been quietly sending teams into Ukraine in recent weeks to help shore up the country’s defenses, and it is preparing to do the same with NATO countries on the alliance’s eastern flank. But those experts are reporting back to Washington that there is relatively little they can do to fundamentally harden Ukraine’s networks in a few weeks.
Ukraine poses some unique cyberdefense challenges. The electric grid is still connected to Russia’s own electric supply network, a huge vulnerability that Ukrainian officials vowed to fix after attacks that turned out the lights in 2015 and 2016. Those incidents were later blamed on Russian hackers, though it was never clear if they were working at the government’s behest.
Ukraine is scheduled to conduct some long-planned experiments in coming weeks that involve disconnecting from Russian electric supply networks and linking to other European power grids. But the effort is preliminary, and American officials doubt it will be of much help in any near-term confrontation with Russia.
There are also concerns about how easy it would be to shutter the Ukrainian internet and communications throughout the country. A blog post this week from the Atlantic Council noted that by slicing a single undersea cable in the Kerch Strait that was installed in 2014 by Russia’s state-owned telecommunications company, Russia could disrupt much of Ukraine’s internet traffic — but at the cost of also cutting off Crimea and other Russian-speaking territory.
“It could create panic in the rest of Ukraine and limit the international community’s visibility into further Russian actions,” wrote Justin Sherman, a fellow at the Cyber Statecraft Initiative at the Atlantic Council. Such an action would echo a move taken by Russia when it annexed Crimea nearly eight years ago and would be “well in line with the Kremlin’s willingness to accept some costs to invade and forcibly exert control over Ukraine.”
Many of these scenarios have been mapped out by U.S. Cyber Command and the National Security Agency, and they have been part of war game exercises overseen by the White House.
Neuberger’s trip is largely focused on how to coordinate a NATO response should Russia again attack parts of the power grid in Ukraine or take out communications in an effort to destabilize the government of President Volodymyr Zelenskyy. One senior administration official noted recently that American intelligence assessments suggested that “getting a friendly government in place is Putin’s first objective,” and if he could accomplish that without occupying the country and sparking an insurgency, “that would be his best option.”
The official spoke on the condition of anonymity to talk about American assessments of Putin’s next moves.
If Russia conducts cyberattacks on Ukraine that are not connected to a traditional military invasion, American officials acknowledge it is uncertain whether Europe would agree to invoke the sanctions that the United States has promised would follow a ground assault. As President Joe Biden himself acknowledged in a news conference two weeks ago, the allies are divided on what kind of sanctions or other steps would be triggered by an action that falls short of a full-fledged invasion.
When the White House tried to explain what Biden meant when he questioned how the West would respond to a “minor incursion” into Ukrainian territory, White House press secretary Jen Psaki suggested in a statement that he had “cyberattacks and paramilitary tactics” in mind, which fall short of traditional military attacks. Still, she said that “those acts of Russian aggression will be met with a decisive, reciprocal and united response.”
But Biden’s comments highlighted the reality that NATO and the European Union have never acted in concert in responding to a broad cyberattack. When Russia was blamed for the SolarWinds supply chain attack in late 2020 and early 2021, which affected the U.S. government and hundreds of global firms, only Washington announced significant sanctions. And Biden himself pulled back from warnings during the transition to the presidency that he would authorize a counter cyberattack.
“I chose to be proportionate,” he said last year when he imposed the sanctions. “The United States is not looking to kick off a cycle of escalation and conflict with Russia. We want a stable, predictable relationship.”
Biden’s staff has since all but abandoned hope of stability and predictability with Putin. The administration is quickly returning to strategies of deterrence while mapping out what kind of efforts the United States could engage in to disrupt Russian cyberoperations without triggering direct conflict with Moscow. That is where Neuberger’s trip fits in; she worked on both defensive and offensive operations when she served at the National Security Agency.
Some of the cyberattack techniques that Russia has perfected in Ukraine have been used in the United States. Actions that Russia took to influence the 2014 Ukrainian election became the model for election interference in 2016. Four years ago, the Department of Homeland Security warned that Russia had targeted American and European nuclear power plants and water and electric systems with malware that could potentially paralyze them; the United States responded in kind.
But the Russians have never pulled off a major disruptive attack on the United States; even the Colonial Pipeline attack, which led to long gasoline lines last year, was a criminal ransomware case gone bad. U.S. intelligence officials doubt that Putin will launch direct, disruptive attacks on American infrastructure and believe that he will avoid a direct confrontation with the United States.
“The last thing they’ll want to do is escalate a conflict with the United States in the midst of trying to fight a war with Ukraine,” Dmitry Alperovitch, a founder of Silverado Policy Accelerator, a think tank, and the former chief technology officer of the cybersecurity firm CrowdStrike, noted recently.
American officials say they agree. But that is a prediction, they note, not a guarantee. Two weeks ago, the Cybersecurity and Infrastructure Security Agency issued a warning to American companies to be on the lookout for telltale signs of Russian-created malware, and last week, Britain did the same.