Earlier this week I conducted a follow-up discussion with an industry colleague about global cyber attack activity, specifically related to Russia and the situation in Syria. It was a valuable conversation so I want to share my thoughts on the topics we debated.
Our dialog began with a simple query: will Russia escalate its cyber attacks against the United States in retaliation for the military response the U.S. took against Syria after Assad’s chemical weapons attack against its very own citizens?
This is an interesting question for a few reasons. The chief issue with this specific question, and with discussions surrounding this topic in general, is that there is no agreed-upon, clear definition of what exactly constitutes a cyber attack. There is no way to answer the question before defining the term cyber attack. So let's start there.
Is a cyber attack defined as the mere exploitation of a vulnerability, and subsequent acquisition of access to a target network? Does an actor need to perform some malicious activity after obtaining access before the compromise is considered an attack?
In the context of attacking the electric power industry, is attacking the power grid and causing an outage, like what transpired in Ukraine in December 2015 and December 2016, the demarcation line between what is and is not a cyber attack? Is sending phishing emails with malicious attachments, ultimately leading to establishing a foothold in a network for potential use later, a cyber attack?
This is where the media, the security industry, governments, and certain professionals tend to disagree on terminology. I feel it is important to dissect the words to better understand the original question. In the above, I would argue the latter – a phishing campaign resulting in mere command-and-control capabilities on a network – is not a cyber attack. It most definitely is a network breach. I argue it is considered network exploitation or offensive cyber operations, but not necessarily a cyber attack. Generally it is part of a much larger, potentially multi-faceted campaign, but just breaching a network is not a cyber attack.
Just as breaking into a vehicle does not imply intent to steal the car, remotely accessing a network is likely equivalent to breaking and entering or trespassing. There may be intent to steal intellectual property, disrupt network operations, surveil, participate in a botnet, or a host of other activities potentially rising to the level of a cyber attack. But mere access to a network cannot establish the actor's intent.
Now back to the original question about the possibility of Russia increasing cyber attacks against the United States in retaliation for the airstrikes in Syria.
I do not believe Russian cyber attacks will increase as a direct result of the U.S. military actions in Syria. While Russia is likely not pleased with the airstrikes, there is no specific strategic reason for a cyber response from Russia. United States critical infrastructure is already purported to have been attacked on multiple recent occasions by Russia, most recently by leveraging a major Cisco router vulnerability.
Russia has already demonstrated sophisticated cyber operations capability, with the potential to own deliberate targets in the United States. However, they have yet to establish malicious intent. For the moment they have simply conducted a show of force, signifying their strength. This is the military equivalent of sending an aircraft carrier with an airwing aboard, accompanied by a battle group, off the coast of Russia. It suggests power and superiority.
It is unlikely Russia will currently attempt any cyber attack leading to major damage or disruption. In the short term they will continue to pursue network access, especially to strategic targets within critical infrastructure, but anything beyond that is doubtful.
On the one hand, Russia has a high degree of cyber sophistication. Hypothetically, the Putin regime may explore false flag operations against the United States, but if the attack were ever unequivocally attributed to Russia then it may not end well. Although in this era of crying fake news left and right, even indisputable evidence of a Russian plot may not be convincing.
On the other hand, Russia could directly attack the United States. The problem with this approach is the U.S. policy on response. A cyber attack does not necessitate an in-kind response. Just because an adversary uses the cyber domain to attack, the United States does not limit its response to the same domain.
Put another way, if the U.S. is the victim of a major nation-state-backed cyber attack, it will likely respond kinetically. The U.S. government has stated on multiple occasions that it has the option to respond via military force if it determines a cyber attack is above a damage threshold that has not yet been publicly defined. Expect bombs to be dropped, missiles to be launched, or troops to be engaged if the U.S. feels its sovereignty has been attacked.
Putin is most certainly cognizant of this, and is leveraging the ambiguity cyberspace offers to continue conducting operations and demonstrating Russian nation state capability. These minor operations will continue in the short term, but I find it hard to believe an actual attack will occur in the near future. Russia most assuredly does not want a traditional conflict with the United States. Russia will continue to pick at the proverbial scab since there are no repercussions.
Expect to see Russian cyber exploitation remain in the news cycle for the foreseeable future. Awareness of this threat is an important factor in ensuring U.S. government agencies, critical infrastructure, and businesses are prepared for the possibility of an attack. Resilient, proactive defensive measures and situational awareness will go a long way in limiting risk and potential exposure for the inevitable attack that will unquestionably materialize at some strategic time in the future.