Russian President Vladimir Putin‘s invasion of Ukraine has badly hurt his nation’s economy. Not only is the war costing his country an estimated $20 billion a day, according to the Center for Economic Recovery, but sanctions put in place by the West have cratered the Russian economy.
Putin has responded by calling the sanctions “akin to a declaration of war,” and has indicated he wants revenge for the perceived mistreatment his country has faced by the West. Yet, as Russia now stands largely cut-off from the world economy, with few allies coming to its aid, the Kremlin has few financial avenues in which it can seek retribution.
Democratic Congressman Jason Crow of Colorado, who serves on the House Armed Services Subcommittee on Cyber, Innovative Technologies, and Information Systems, said Putin may turn to one of his few remaining tools as he seeks revenge —cyberattacks.
“[Putin] will use the tools at his disposal to respond, and the biggest one that he has is cyber, so I think we can fully expect that there’ll be cyberattacks on the United States and our allies in weeks and months ahead,” Crow told Newsweek. “I think we can expect Putin to come at our financial system and some of our critical infrastructure.”
In 2020, unnamed U.S. officials told major media outlets that Russia was the likely suspect for a cyberattack on software company and government collaborator SolarWinds that potentially allowed hackers access to government data for months. Moscow denied responsibility for the attack, yet the Biden administration implemented sanctions against Russia in response.
Crow said that Putin believes in “proportional” responses, so if Russia were to launch an attack in response to the new sanctions tied to Ukraine, the likely target would be America’s financial system. Banks, private financial companies and key economic sectors could all become targets. Because these attacks could come at any time and through a variety of means, Crow said shoring up vulnerable institutions should be a priority.
Hackers initiating a cyberattack often target smaller firms connected to larger institutions in order to achieve their goals, Crow said, as they did in the SolarWinds hack. Through a practice called “island hopping,” malicious actors breach the security of smaller businesses that may be doing contract for larger firms, and use that “door” to work their way through related digital systems to their primary target.
Adam Levin, a cybersecurity expert and host of the What the Hack podcast, told Newsweek that an example of this approach was the 2013 attack on retail giant Target, in which a smaller heating and air conditioning company it contracted with was breached in order for the hackers to steal the payment information of Target‘s customers.
Levin warns that if Russia orders its hacking force to attack, small contractors and even individual employees could be the first targets.
“When you look in the mirror, you think you’re looking at you, and you look regular to you,” Levin told Newsweek. “But when a hacker looks at you, they’re looking at The Rock, they’re looking at Sharon Stone, Jay-Z, Beyoncé, Adam Levine, because you have what they want.”
You have data,” he added, “and data is valuable.”
Individuals have access to financial institutions, companies and the businesses with which they work. Levin says for a hacker it can be “more effective to go through the side door than the front door,” which means that a government entity or a global company may only be as strong as its weakest link.
In the Solar Winds case, its CEO Sudhakar Ramakrishna said “that a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel.”
Crow said that the federal government needs to get better at defending against this type of attack. In November 2021, Crow’s bill to assess the Small Business Administration’s (SBA) cybersecurity infrastructure and create a plan to improve it, known as the SBA Cyber Awareness Act, passed the House, and has bipartisan support in the Senate.
Crow said this is an example of how the government can protect its weakest links.
“(The SBA) has data for small businesses that may not have good cyber defenses, and they themselves are a government system that isn’t necessarily used to being on the front lines of national security,” Crow told Newsweek.
“It’s those small companies that sometimes are a weak link or the backdoor into our national defense apparatus,” he added, “so we have to make sure that we’re securing them.”
However, with so many different avenues for a skilled hacker to infiltrate, Crow acknowledges that there must be a line when it comes to responding to cyberattacks initiated by Russia itself or by hackers within the country’s borders.
But that line can be difficult to distinguish.
James Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS), told Newsweek that cyber has long been seen as being within the realm of intelligence and espionage. With that comes a different set of rules, he said.
A country would likely not launch a ground attack over an act of espionage, yet as cyberattacks are becoming greater in their scope, like the strikes carried out against the Colonial Pipeline and Southern California hospitals, America must reckon with how it should respond to future attacks that could endanger the lives of its citizens and the functioning of its economy.
While these attacks do not produce the same visuals as a troop invasion, Lewis said its easy for governments to figure out who’s behind them, and then to target the perpetrators. The United States has started to push for accountability for this type of attack, and international rules have been put in place. However, as Russia and the U.S. were negotiating what the penalties for such cybercrimes should be, discussions were suspended.
“We’ve spent about 20 years coming up with excuses for inaction, and that changed in this administration. This administration pretty much told the Russians ‘you need to knock it off or else,'” Lewis told Newsweek. “But we don’t know what would have come of that, because Putin decided to invade Ukraine, so the talks are on hold.”
Russian authorities have indicated they would like to resume those discussions. The Kremlin’s special representative for cooperation in the field of information security Andrey Krutskikh told Newsweek in a piece published Tuesday that, “a cyberattack, be it accidental or intended, including [one] perpetrated under false flag, can easily trigger escalation between states, leading to a full-scale confrontation.”
“Ensuring international information security, therefore, becomes one of the key factors that directly influence strategic stability,” he added.
Lewis remains skeptical over when or even if the talks with Russia over cyberwarfare will resume, much less whether they will lead to progress, particularly in light of the Ukraine war. In the meantime, though, Crow said the U.S. must be prepared to respond to any attacks that Russia may initiate in the coming months.
“We need to develop doctrine for (cyberspace), and the international community needs to establish standards for what would constitute an act of war or an act of aggression that would necessitate a response,” Crow told Newsweek.
“There’re certainly a lot more sanctions that can be levied,” he added. “There’s no doubt about that. There are more banks and there are more individuals.”