Published on July 6th, 2019
Russian cyberattacks are a real threat.
opinion
National security adviser John Bolton recently declared that "we're now opening the aperture, broadening the areas we're prepared to act" in cyberspace to meet a Russian threat that extends far beyond the ballot box, costing American companies billions of dollars and posing unacceptable risks to our citizens' safety and the American way of life.
It's about time.
For years, the Russians have been preparing the digital battlefield, treating our critical infrastructure as if it were their own cyber weapons range.
Overseas they've gone even further. In 2015 and 2016, the Kremlin planted malware in Ukraine's electric grid, disrupting power for hundreds of thousands of residents in the middle of winter. Keenly aware of its capabilities and motivations, Director of National Intelligence Dan Coats has said that "the warning lights are blinking red again" - an allusion to CIA Director George Tenet's warning to Congress just months before 9/11.
The federal government has a fundamental responsibility to deter Russia and other state actors from holding civilian infrastructure at risk. This is precisely why reports from The New York Times that the United States is embedding "potentially crippling malware" in Russia's power grid should concern all Americans. Cyber weapons are horrible deterrents - and mimicking the targeting of civilian infrastructure sets a dangerous precedent for America.
Fear of punishment or retribution is a fundamental tenet of deterrence theory. And it's true, as the head of U.S. Cyber Command, Army Gen. Paul Nakasone, told a Senate panel last year, the Russians "don't fear us." But to think that Vladimir Putin fears cyber-induced power outages in Moscow is a naive and dangerous miscalculation. To the contrary, an American cyberattack against Russia's power grid would play right into the Kremlin's strategic playbook.
First, the costs to the Kremlin would pale in comparison with the benefits. The vast scale of Russia's power grids, which include a total power generation capacity of 236 gigawatts, would render the military effects of any cyberattack relatively limited while granting the Kremlin its long-awaited case study of American cyber aggression, which it would use to consolidate domestic support for more censorship policies under the guise of cybersecurity.
Furthermore, an American cyberattack against civilian infrastructure - especially a preventative one aimed at deterring Russian hackers - would erode the United States' international credibility as a champion of a free and open internet governed by universal norms of acceptable behavior. Far more than sporadic blackouts - something that isn't uncommon anyway in Russia - Putin fears a digital age in which the West writes the rules.
And finally, what better way to justify an even more persistent cyber presence in American infrastructure than in the name of self-defense? Fighting cyber with cyber is inherently escalatory, and reports of American cyber operations targeting Russia's power grid - true or not - will inevitably trigger an equal and opposite response.
Detractors argue that we must reserve the right to hold dual-use infrastructure at risk. And because Russia would depend heavily on its power grid for any attack on the United States, then we should be prepared to disrupt it at any time. But America is the most digitally dense nation in the world, and we risk establishing this norm at our own peril.
We cannot fall into the trap of applying nuclear rules of deterrence to today's Cold War of digital proportions. Cyber weapons can be a tremendous military asset, especially if used as a proportionate means of neutralizing conventional weapons - as took place last month when the Trump administration approved cyber strikes against the Iranian missile systems that took down a U.S. drone. But they are not conducive to threatening punishment. You can't parade them through public squares or test them in the desert - indeed the very knowledge of their existence by your adversaries renders them obsolete.
President Donald Trump says it's "NOT TRUE" that the United States is increasing cyberattacks on Russia's power grid. I hope he's right. No nation should target civilian infrastructure via cyberspace. It's wrong and not in our long-term national interest.
Dave Weinstein is chief security officer at Claroty, a cybersecurity startup, and a former chief technology officer of New Jersey. He also served at U.S. Cyber Command. Follow him on Twitter @jerzcyber