CINCINNATI — Experts and federal officials are warning Americans to be vigilant against cyberattacks as Russia continues its invasion of Ukraine.
The FBI and U.S. Cybersecurity and Infrastructure Security Agency updated their warning to U.S. critical infrastructure firms Tuesday to reinforce their defenses.
“Destructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data,” the advisory said. “Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries.”
WCPO sat down with cyber expert Richard Harknett Tuesday. Harknett is the director of the University of Cincinnati’s School of Public and International Affairs, co-director of the Ohio Cyber Range Institute, and Chair of the Center for Cyber Strategy and Cyber Policy. He’s also a former scholar-in-residence to the U.S. Cyber Command and the National Security Agency.
Q: Cyberattacks and cybercrime are nothing new. This is something companies are having to deal with on a minute-by-minute basis, probably. How is this situation different in the past two weeks with the invasion of Ukraine?
Cyberspace, as you correctly point out, is a vital asset for companies here in Cincinnati. You can’t conduct business without being on the digital platform. And they understand that it’s also an incredibly vulnerable space. At the criminal activity levels, our companies, our individuals, our citizens of Cincinnati have to deal with cyber operations against their personal information, about their business operations all the time. It’s something we call cyber persistence.
What happens during international crises, and we don’t have wars breaking out that often that involve a great power like Russia, the question becomes in this interaction between the United States and Russia, is cyber an opportunity for Russia to control the environment and advance their interests?
So the answer is possibly. … There’s a couple of possibilities of why Russia may consider using cyber means to kind of change the dynamic. And because we’re using economic sanctions, the possibility of using cyber operations against economic assets to disrupt the U.S. economy, to disrupt companies, that I think is on the table.
Q: Are there particular segments of the industry that are more sought-after targets?
The most sought-after target is the easiest target … you’re only as good as your weakest link. And lots of companies, large companies have third-party contracts. So those third-party contracts could become cyber security issues. Of course, banks, you would think about disrupting the financial, but they’re probably the strongest industry we have in the U.S. with regard to cyber security. Your defense-based companies like GE Aircraft. I hope they don’t mind me saying it, but they’re the gold standard. They’re really good. Why? Because they get attacked every day from foreign adversaries who are trying to get their intellectual property.
Q: Anything else?
That’s only one category, Paula, that we have to be worried about. The second context is would Russia actually consider using their cyber operation to start to affect critical infrastructure? Duke Energy, our water treatment plants in the city — these are things that at the U.S. government level we have declared to be critical infrastructure and any significant attack, the phrase they use is an attack of significant consequence.
So, if you were able to knock out electricity, if you were able to affect water treatment ... we would, the United States would, consider that a use of force, an armed attack. So, the question becomes why would Russia, who right now is not fighting the United States in a direct war, what would create incentive for them to try to get the United States, through an attack, maybe to back down?
If the Ukrainians hold out and Putin gets frustrated, and the Russian economy starts to feel the pinch, if he’s as committed as people think he is, he’s likely to raise then the bar and not go home. And the question is for the United States, have we sent any signals that would encourage them to think that they could get away with this?
Q: Is there a DEFCON level for cyber threats and where are we at now?
That’s a great question. The Department of Homeland Security has a particular agency which is focused on cyber and critical infrastructure. And they do post warnings in coordination with the National Security Agency, the FBI, the U.S. Cyber Command … when they pick up intelligence and when they discover malware. There is a site called VirusTotal and there’s been a number of times recently where the U.S. Cyber Command has found malware and instead of keeping it secret has actually published it on VirusTotal so that the entire private sector is informed.
We assume in national cyber security and in business security, you’re going to get attacked. … Would it be a good thing right now for U.S. companies to talk to their employees and reemphasize good cyber hygiene — not clicking on links that you’re not sure where they came from, hovering over that link, make sure there’s not a .ru after it, that would be pretty obvious that would mean it’s coming from a Russian server. … Do you get a call that seems suspicious and is asking for personal identified information? Yeah, it would be good that we heighten our cyber security.
Q: Is there anything individual citizens should do?
So at the individual citizen level, we have to actually realize that we don’t have a neutral effect here. Every day we either contribute to national cyber security by being good at our cyber hygiene and making sure that we don’t have viruses on our computers, or we aid and abet the bad guys. … There’s more of a civic duty here and maybe in a wartime environment that would resonate with people more.
It’s not just about protecting yourself, it’s about protecting the entire space that we all benefit from.
Q: What is the psychological impact of a cyberattack on the general public?
The question becomes if you have an intentional act on something big, like critical infrastructure, would we read that and understand that differently than if a missile strike occurred?
Cyber doesn’t have that visual. We won’t see transformers destroyed if the electricity goes down. … To be honest with you we don’t have good research and good data for a good reason: we haven’t had one of these big attacks. We’ve been talking about big-scale cyberattacks for over a decade. … The United States has adversaries working every day to undermine U.S. national sources of power, but it’s done in an incremental way. They’re accumulating over time. Why? Because it doesn’t bring the U.S. military into play. It doesn’t get to that deterrent level that would say, now you’ve crossed the line and we’re going to war with you.
If you actually disrupt critical infrastructure, electric grids, water treatment — things of that nature, it should be no different than if I dropped a bomb on it or I used a piece of code. If the effect is war, then we have to make that clear to the Russians. Because deterrence only works if you’re actually clear to the other side of what you intend to do.
I think it would be dangerous for the United States, which is the most digitally connected state at scale in the world, if we make a distinction between code and kinetic bomb. If we don’t respond in the same way then what you’re saying is it’s okay if you shut us down with code, just don’t do it with a bomb.
Some answers were shortened for brevity.