As President Joe Biden implements severe sanctions on the Russian economy in response to Russia's attack on Ukraine, there is increasing fear around the threat of cyberattacks targeting the United States as retribution.
But increasingly, analysts say a Russian state-sponsored cyberattack against the U.S. at this time is unlikely and that over-hyping the threat distracts from more serious, physical threats.
Russia has a history of pestering Ukraine’s cyberspace, especially since the 2014 invasion of Ukraine’s Crimean Peninsula. Prior to the current invasion, there were five major state-sponsored Russian cyberattacks on Ukraine. But because those cyberattacks failed to destroy the Ukrainian state, Russia is now overtly using military force.
As Ukraine remains under attack, here are five reasons a Russian cyberattack on the U.S. is unlikely:
While the threat itself is disruptive, a Russian cyberattack on the United States would be a change of course. Russia has some of the most capable state-sponsored hackers in the world. But just because it can launch cyberattacks against the U.S. doesn’t mean it will. It is important to “distinguish what is possible in theory from what is feasible, and thus probable, in practice,” write Lennart Maschmeyer and Nadiya Kostyuk at War on the Rocks, a platform for analysts and commentary on national security. “Perpetuating [exaggerated fears of cyberattacks] also risks playing into Russia’s hands by exaggerating its cyber capabilities and distracting from the need to prioritize efforts to counter its military threat.”
Hacks in Ukraine have been intended to subvert morale, and subversion is used as a part of covert operations. Russia hasn’t been attacking the United States’ cyberspace, and it would need a good strategic reason to start now. James Lewis at the Center for Strategic and International Studies notes that Kremlin strategists “have more than 15 years of experience in using these tools. While they could disrupt U.S. critical infrastructure, they have chosen not to do so.”
Cyberattackers employing ransomware (like the group with Russian ties from last year’s Colonial Pipeline attack) are motivated by financial gain, which is different from the motives of a state actor.
Will Likely Fail.
In wartime, cyberattacks are strategically sloppy. To be used in a war-like environment, a Russian cyberattack would need to have clear objectives. Strategic analysts, like Lennart Maschmeyer writing for MIT’s International Security, describe a trilemma that cyberattackers face. The trilemma is that desirable qualities of an operation, namely speed, intensity, and control, tend to work against each other in cyberattacks, making them problematic for strategic deployment in times of real conflict. Cyberattacks struggle to achieve all of these qualities at once and often achieve one at the expense of another. Researching victims and developing attacks on specific systems requires a lot of time, so cyberattacks often lose the element of speed. Then, it is much easier to intrude than to both intrude and avoid detection long enough to have any intense effect or create more than a temporary inconvenience.
Cyberattacks can have unintended consequences, like the 2017 NotPetya malware operation did when the worm deleted business data. The NotPetya attack was the only truly destructive attack Russia has pulled off in the last eight years. But the worm got way out of control, spreading from Ukraine to 65 countries. It eventually infected and disrupted a state-owned Russian oil company’s systems. Russian President Vladimir Putin doesn’t want the U.S. to engage militarily, and cyberattacks may force the administration’s hand. Even now, as Russia fires missiles at Ukrainian cities and invades the country’s borders, Putin has not formally declared war. He is instead characterizing the Russian advance as a rescue of Russians in Ukraine, much like how he got away with occupying Crimea in 2014.
Putin wants to make the West concede to his interests “without greatly increasing the risk of direct military conflict with NATO,” writes James Lewis. “The best outcome for Russia would be to be able to… say to the world that its security goals had been met and the international community should put the invasion behind it…”
Some describe cyberattacks as ‘cyber warfare’ and view them as a use of force, depending on their effect, so Putin would probably not choose to attack the U.S. in this way. “A major attack on U.S. critical infrastructure would create an unacceptable risk of retaliation, [and] would be impossible for the international community to ignore,” Lewis writes. Nuclear states tend to avoid major attacks on one another.
Although it doesn’t appear strategically beneficial for Russia to attack U.S. cyberspace at this time, American entities should improve their cybersecurity. James Lewis at the Center for Strategic and International Studies says the low likelihood of an attack by the Russians “is their choice. In another situation, they could change their minds.” The Department of Homeland Security says “there are not currently any specific credible threats” but wants the U.S. to “shift from being reactive to proactive” in protecting its critical infrastructure.