Last week I wrote a blog strongly encouraging my peer CEOs and other corporate leaders to take decisive and immediate steps to shore up their cybersecurity posture in accordance with CISA's recent Shields Up guidance. As a result, I got many questions about what was driving my sense of urgency. After all, cyberattacks have, thus far, appeared to play a very minor role in the conflict over Ukraine.
My sense of urgency stems from the fact that this is the calm before the cyber storm. In the first weeks of the invasion of Ukraine, the tactics have been primarily kinetic warfare (land, air, and sea), which is more effective in destroying targets and giving the invading Russian army strategic access to supply lines and staging areas. Cyberwarfare tactics serve as bookends to a kinetic campaign—providing intelligence and disrupting the opposition's operations to gain and maintain an advantage. The Russian government and its affiliates have a long history of using cyberwarfare tactics to gather intelligence and sow disruption. Since 2012, Ukraine has been repeatedly hit by these tactics, but they date back to at least 2007 with attacks on Estonian government, media, and banking organizations. Now we are on the cusp of witnessing what comes after the kinetic invasion.
I believe we are about to enter a new era—one in which the carefully-toed line between cyber espionage and cyberwarfare is decisively crossed. There are three key factors surrounding the war in Ukraine that have led us to this tipping point.
- Coordinated private sector service sanctions (e.g. SWIFT access)
- Uncoordinated private sector sanctions (e.g. companies that stand in support of Ukraine)
- Crowdsourcing as a tactic in warfare (e.g. Anonymous, Volunteer Ukraine IT Army, Conti, Ghostwriter)
There is a lot to unpack in each of these areas, and I will explore the implications of each over the course of a three-blog series. But before I dive in, let me be unequivocal: The invasion of Ukraine is an abhorrent act that, as of the time of writing, has taken the lives of 780 civilians and displaced 5 million people, either internally or as refugees. The choice to support Ukraine by Western governments and private companies is a moral and ethical one that weighs heavily on me and my fellow business leaders. It's also one that comes with the very real risk of proportional retaliation by Russia and its allies, both government and independent. It's that retaliation for which I want to make sure every organization is prepared.
(1) Coordinated Private Sector Service Sanctions
Since the invasion of Ukraine began in late February, countries around the world, led by the United States and Western Europe have coordinated an advanced economic operation targeting both Russia and Russian oligarchs. This includes broad-based elimination of Russian access to the SWIFT network, which is responsible for carrying almost all international financial transactions. This action is expected to have significant impacts on Russia's ability to finance the war. While the involved western countries have not initiated combat operations to support Ukraine (e.g. no fly zones) these financial and economic operations are profoundly disruptive.
It is reasonable to expect a proportional response against the West for the foreseeable future. Proportional response has long been a principle in warfare, and Russia has made clear that it views current economic operation as an act of war. Given that Russia has been thoroughly cut off from most global financial markets, it's reasonable to expect the response to take a non-financial form—likely cyberattacks aimed at inflicting commensurate financial pain.
The history of Russian cyberattacks suggests that these attacks will come not only from within the Russian government, but from Russian affiliates and sympathizers that have government support. The acceleration of crowdsourcing tactics (covered more below) implies that we could see attacks coming from cyber militias composed of individual Russian sympathizers around the world.
These attacks are not likely to be limited to government entities. The goal of proportional response is to inflict proportional pain. Russian citizens now find themselves cut off from their savings, cut off from goods and services, and cut off from many communications channels, including Instagram and other social media platforms.
To inflict similar pain on Western countries and their citizens, I expect to see Russia and its allies and affiliates target critical infrastructure—not just water and electric grids, but healthcare systems, banking systems, and other core services that we have too long taken for granted. Russia has a long track record of effectively hitting these targets in Ukraine and other countries. It's not a stretch to believe that they'll extend those attacks to a much greater number of targets.
In the next blog, I'll delve into the uncoordinated private sector sanctions, and what this means for private companies, both in and outside of critical sectors.