Cybersecurity experts have been puzzled by the absence of a major cyberattack from Russia in the wake of its invasion of Ukraine and in retaliation for crippling sanctions. Kremlin-backed hackers have previously shut down Ukrainian electric grids and propagated malware that caused an estimated $10 billion worth of global damage. This time, barring a few issues on Ukrainian websites and the disruption of a satellite internet provider, it’s been quiet on the hacking front. Prevailing theories have been that Russia’s cyber capabilities are not that great, while Ukraine has become better at defending its networks.
A new warning from the White House suggests something more calculated: Russia has simply chosen not to do anything yet. President Vladimir Putin may well have been keeping his cyber assault on hold for the right moment.
Here’s the key line in President Joe Biden’s statement, published Monday afternoon in Washington: “Today, my Administration is reiterating those warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks.”
“Exploring options” could mean a number of things.
U.S. intelligence has been largely right in predicting Russia’s next moves since invading, so there’s good reason to take Biden’s warning seriously. Anne Neuberger, the deputy national security adviser for cyber and emerging technology, said on Monday that U.S. intelligence had observed “preparatory activity,” and that federal agencies last week had convened more than 100 companies to “share new cybersecurity threat intelligence.”
She added that there was “no certainty there will be a cyber incident on critical infrastructure,” and that Biden’s warning was a call to action.
Cyberattacks have a psychological impact, hurting morale as much as actual infrastructure. They create the illusion that a shadowy group is in control and, worse, could be hiding in wait to cause even more damage. Putin, a former KGB officer who is well-versed in psychological warfare, may have been letting his missiles create the first wave of collective unease for both Ukrainians and the West.
Fortunately, there are basic things that organizations and individuals can do to mitigate potential threats. Companies can invest in running incident response simulations, disabling remote access for employees where it’s not critical and patching vulnerabilities they already know about. European banks operating in Russia have taken a more blunt approach by simply separating their Russian units from their main computer systems. Commerzbank AG, for instance, has designed a “kill switch” to make that separation possible, Bloomberg News reported earlier this month. Individuals should start using two-factor authentication, if they don’t already, to log into email and social media when possible.
The prospect of an attack on the horizon can create a sense of powerlessness at organizations, but there is much they can do to limit how bad the damage gets.