After massing tens of thousands of troops along the Ukrainian border for several weeks, Russia invaded the country in an act of war that has been condemned worldwide. Anticipating a backlash, Russian President Vladimir Putin has promised “consequences” for countries that try to intervene.
For the US, which has imposed a wave of new sanctions on Russia, that could mean an increase in cyberattacks, according to former National Security Agency director Adm. Michael Rogers, who also served as commander of the United States Cyber Command. He is currently a senior fellow and adjunct professor at the Kellogg School of Management.
Rogers spoke to Kellogg Insight about what US businesses can expect to see in light of the conflict and how they should protect themselves against this increased cyber threat.
This interview has been edited for length and clarity.
Kellogg Insight: The US is already responding to the invasion of Ukraine with additional sanctions. Can we expect Russia’s escalation? And if so, how?
Admiral Mike Rogers: I don’t see them pushing beyond Ukraine, in terms of conventional military forces. So if you’re in Moscow trying to get the rest of the world to cave to sanctions, focusing on cyber attacks and disinformation are attractive tools because they give you some advantages.
Number one, there’s a measure of reasonable deniability, because you can’t necessarily prove that it was done by actors associated with Russia. It’s much less visible than when you move tanks across the border with satellites and imagery—everyone sees that. But because cyberspace has that element of plausible deniability, that can hinder the level of response from other nations. If they are not absolutely sure that it is from Russia, many times they will not respond immediately.
Second, cyber-attacks and disinformation can be used to target government targets and create domestic pressure against governments. Imagine, for example, that you are a citizen of the United States, Germany, or another country, and suddenly you begin to receive periodic interruptions in the delivery of fuel, especially heating oil in the middle of winter. Suddenly, you start experiencing periodic power outages or you can’t access your financial institutions. These are the things that make people anxious and may prompt them to ask their governments to go easy on Russia to stop them. I’m not saying this is how Russia will end up, but it’s something to consider.
In the coming weeks, I think you’re going to see Russian President Vladimir Putin use cyberspace as a way to show that he’s serious, that he’s capable, and that he wants you to be hesitant to push him too far.
Insight: How can American businesses experience these potential cyberattacks from Russia? How would that look to them?
Rogers: They could face ransomware attacks, denial of service, network degradation and lockouts, for example.
Some organizations should be on particularly high alert for these attacks. For example, if you are a company or brand uniquely associated with America, like Coca-Cola or McDonald’s, you are an extension of America to the outside world. These companies should consider whether they are prepared to deal with significant cyber-activity directed against them. And that’s because targeting these companies sends a broad message to the US government — not just the company.
If you’re a company operating in Russia, you probably also have a slightly higher chance of becoming the target of a cyber attack. In addition, I think Russia will look at government, military, and economic infrastructure, such as if you operate a pipeline or parts of an electrical grid. Large financial institutions are probably also a major target.
Insight: Should companies expect something qualitatively different from the usual cyber attack? Or should they just wait for the number of attacks to increase?
Rogers: Companies could now find themselves caught up in cyberwarfare.
Today, companies mainly see two types of cyberattacks. The most common is ransomware, where someone infiltrates your system and locks it until you pay them to gain access again. Criminal groups usually use it as a way to generate revenue. The second most common threat involves someone breaking into your systems to steal intellectual property. But the threat level varies by sector. So from an intellectual property perspective, if you’re in the high-tech, energy, or defense sectors, you’re an attractive target.
These are all threats that currently exist and are not going to go away, but I think we could now see teams doing it for different reasons. For example, rather than being a vehicle to squeeze money out of companies, they may now focus more on causing damage purely for the sake of causing damage. They might just come in, manipulate your data and try to change it. Otherwise, they’ll lock down your networks and go after your infrastructure or operating technology, which allows you to remotely operate your industrial control systems, for example.
Insight: How should businesses respond to this increased threat?
Rogers: The mechanics of how you defend your system and prepare your security don’t change that much: cyber resilience and basic cyber hygiene. Over the next 7 to 30 days, I’ll also look at your backup plan: Are you comfortable having alternative data sources?
But companies need to recognize that this is not a situation that will end in days or weeks. This is likely to continue for months or even years, so businesses need to think long-term. [Editor’s note: we have released a podcast featuring Rogers’s advice on how companies can prepare for cyberattacks, which you can now check out here.]
Insight: Does the US government have a role to play in helping companies navigate this time? What resources are available, if any?
Rogers: The government already has some instructions around how companies can strengthen their network defenses and try to warn them of increased Russian online activity that may be targeting them.
The part I don’t see yet—but that may be on the horizon—is whether the government starts working more closely with real-time companies, particularly those companies involved in a critical infrastructure sector like energy or finance. I think if some of these categories of companies lose functionality, you’re going to see significant government interest and action around that.
And that contrasts with what happened with the Colonial Pipeline cyber attack, which happened almost a year ago. At the time, the US government’s initial response was to wait for Colonial to come to them and give them the details of what happened. If that were happening today, I think the government would be working directly with them to figure out things like: Do we need to send people out to help? Is this just one element of a wider set of activities that we will see directed at energy companies as a whole?
Insight: Is there any other advice you’d like to leave businesses with right now?
Rogers: Don’t forget your people. This is a stressful time for them—it’s a lot of work and a lot of tension. If you have employees in Ukraine or Russia, what are you doing to help them? Will they be targeted because they are connected to an American organization? Don’t forget the human part in all of this.