Russia has cyber capacity to ‘drive a lot of dissonance across America’ cybersecurity expert says 

Chris Krebs: It’s a pretty remarkable report, both for what it says and what it doesn’t say. So first, on what it says, is it gives a very broad rundown of the capabilities, the techniques of the various cyberoperators affiliated with the Russian government — and they are quite capable. So it gives cyberdefense teams good insight and things to look for, as well as some good guidance on how to prepare in the coming weeks and months. But more importantly, I think what is not in the alert is the timing of the alert. As you mentioned, US government officials are negotiating and having discussions with the Russians, and, assuming those do not play out well, and the Russians in fact move in to Ukraine, the US government and their allies, our allies, will take pretty strong steps, from what I understand, including very, very aggressive sanctions, and that will stoke the ire of these cyberoperators. And I would expect them — and I think that’s what the US government expects — that some of those Russian government cyberoperators will then strike out at US companies and other organizations. Again, assuming a series of events takes place, including robust sanctions from the US government.

Partly. I think the SolarWinds or the broader Russian SVR [Foreign Intelligence Service], which is the equivalent, effectively, of the CIA, that’s probably the most recent. But the Russian government cyberoperators have been very active over the last several years, not just here in the US, but also, I think, probably more notably, in Ukraine. Two years in a row, they shut down the electric grid right around Christmas time. And also, my first year in the Trump administration, they were responsible for a Ukrainian origin event known as NotPetya, that unfortunately had a global cascade. So I think organizations really need to be thinking about the first-order effects. You know, what happens if Russia does in fact move into Ukraine? If you have operations there, you need to be thinking about what the impacts are. But what are going to be the secondary and tertiary effects, including if the US responds with sanctions, how will the Kremlin react?

So, CISA has been doing a good job quietly over the last several months, engaging private-sector partners as we’ve seen this build up along the Ukrainian border. There has been a pretty substantial emphasis on improving critical infrastructure cybersecurity over the last several years, in fact, going back several administrations. But there’s still a significant amount of work to do because unfortunately, the adversary gets a vote, too, and the increase of defensive capabilities is not always directly pegged to the sophistication or capability of the adversary. So, as we improve defenses, we have to continue to make the bad guys pay and make them not want to play the game anymore. And that’s just cost imposition and deterrence. 

You know, without getting to any specific capabilities directly targeting the Russians, I think if you step back, I mean, the American government, between the intelligence community and the Department of Defense Cyber Command, has been in this game for quite some time. They are remarkably capable and our adversaries recognize that. So, we absolutely have capabilities, and I think we have a different value system, though, in which we use them. We certainly … like the Chinese government, we do not use our capabilities for domestic commercial gain, which they’ve been known to do. And we stay away from critical infrastructure. I mean, that’s just kind of the rules-based order that we stick to, that unfortunately our adversaries don’t always play by the same game.

Well, I think you have to differentiate the sorts of actions that we’re talking about here. Intelligence collection is as old as mankind, but when we talk about cyberdisruption operations against critical infrastructure, against energy grids, against communications infrastructure, in a steady state peacetime, that is just not the way that I think the US or allies in the West and elsewhere have engaged. 

So, I think generally, in the United States, there are absolutely some underperforming sectors within the critical infrastructure community that the government has to help and we have to continue providing them support and resources. But there are going to be areas where there’s been market failures, and I would expect to see regulation to some degree over the course of the next year or so. We’ve already seen some regulatory enhancements in the pipeline sector. This summer, the Transportation Security Administration used some of their authorities. We’ve seen the same in the rail and public transportation sector. I would also hope that the Congress can pass a cyber incident notification requirement. We don’t even have that, right? In the US, if you suffer an attack from a foreign government or a foreign cyber criminal, you have no obligation or requirement to report that to the United States government. And that puts the defenders and the policymakers at a disadvantage when they’re trying to formulate their own strategies and dialogue with the foreign adversary. So, we need — at a minimum — that cyber notification requirement. But to your point about elections, we still have work to do. We need to continue investing in American election administration and systems, robust post-election, pre- certification audits, but also recognize that our adversaries are not just using technical means, like targeting election systems, but they’re using dis- and misinformation to undermine confidence. And that’s probably my greatest concern going forward is just the soft space in between our ears, frankly, that the bad guys are really starting to tune in on and drive a lot of dissonance across America and drive a deep wedge between us.