CINCINNATI — Experts and federal officials are warning Americans to be vigilant against cyberattacks as Russia continues its invasion of Ukraine.
The FBI and the US Cybersecurity and Infrastructure Security Agency on Tuesday updated their warning to US critical infrastructure companies to strengthen their defenses.
“Destructive malware can pose a direct threat to an organization’s day-to-day operations, affecting the availability of critical assets and data,” the advisory said.
WCPO spoke to cyber expert Richard Harknett on Tuesday. Harknett is director of the School of Public and International Affairs at the University of Cincinnati, co-director of the Ohio Cyber Range Institute, and president of the Center for Cyber Strategy and Cyber Policy. He is also a former resident scholar with US Cyber Command and the National Security Agency.
Q: Cyberattacks and cybercrime are not new. It’s something that companies have to deal with minute by minute, probably. How has this situation changed in the last two weeks with the invasion of Ukraine?
Cyberspace, as you rightly point out, is a vital asset for businesses here in Cincinnati. You cannot do business without being on the digital platform. And they understand that it’s also an incredibly vulnerable space. At the level of criminal activity, our businesses, our individuals, our citizens of Cincinnati have to deal with cyber operations against their personal information, on their business operations all the time. It’s something we call cyberpersistence.
What happens during international crises, and we don’t have wars that often break out involving a great power like Russia, the question becomes, in this interaction between the United States and Russia, is cyber an opportunity for Russia to control the environment and advance their interests?
So the answer is maybe. … There are several possibilities where Russia could consider using cybernetic means to somehow change the dynamic. And because we’re using economic sanctions, the ability to use cyber operations against economic assets to disrupt the American economy, to disrupt business, I think that’s on the table.
Q: Are there particular industry segments that are more desirable targets?
The most wanted target is the easiest target… you are only as good as your weakest link. And a lot of companies, large companies have contracts with third parties. These contracts with third parties could therefore become cybersecurity problems. Sure, the banks would think about disrupting the financial industry, but it’s probably the strongest industry we have in the United States when it comes to cybersecurity. Your defense-based companies like GE Aircraft. I hope they don’t blame me, but they are the gold standard. They are really good. Why? Because they are attacked every day by foreign adversaries trying to obtain their intellectual property.
Q: Anything else?
There is only one category, Paula, that we have to worry about. The second context is, would Russia actually consider using its cyber operation to start affecting critical infrastructure? Duke Energy, our water treatment plants in the city – these are things that at the US government level we have declared to be critical infrastructure and any significant attack, the phrase they use is a consequence attack important.
So if you could turn off the electricity, if you could affect the treatment of the water… we would consider that, the United States, a use of force, an armed attack. So the question becomes why Russia, which at the moment is not fighting the United States in a direct war, what would induce them to try to roll back the United States, through an attack, perhaps?
If the Ukrainians hold on and Putin is frustrated, and the Russian economy starts to feel the pinch, if he is as engaged as people think he is, then he may raise the bar and not go home. And the question is for the United States, have we sent signals that would encourage them to think that they could get away with this?
Q: Is there a DEFCON level for cyber threats and where do we stand?
That’s an excellent question. The Department of Homeland Security has a particular agency that focuses on cyber and critical infrastructure. And they issue warnings in coordination with the National Security Agency, FBI, US Cyber Command… when they gather intelligence and when they discover malware. There is a site called VirusTotal and there have been a number of times recently where the US Cyber Command has found malware and instead of keeping it secret they actually posted it on VirusTotal so that the entire private sector is informed.
We assume that in national cybersecurity and in corporate security, you are going to be attacked. … Would it be a good thing right now for American companies to talk to their employees and re-emphasize good cyber hygiene – don’t click on links you’re not sure where they came from, hover over that link, make sure there’s no .ru after that, that would be pretty obvious that means it’s from a Russian server? … Do you receive a call that seems suspicious and asks you for identified personal information? Yes, it would be good if we strengthened our cybersecurity.
Q: Is there anything individual citizens should do?
So at the level of the individual citizen, we really have to realize that we don’t have a neutral effect here. Every day, we either contribute to national cybersecurity by being good at our cyber hygiene and making sure we don’t have viruses on our computers, or we help and abet the bad guys. … There is more of a civic duty here and perhaps in a war environment that would resonate more with people.
It’s not just about protecting ourselves, it’s about protecting all the space we all benefit from.
Q: What is the psychological impact of a cyberattack on the general public?
The question becomes if you have an intentional act on something significant, like critical infrastructure, would we interpret that and understand that differently than if a missile strike were to occur?
Cyber doesn’t have that visual. We won’t see destroyed transformers if the electricity fails. … To be honest with you, we don’t have good research and good data for a reason: we haven’t had one of those big attacks. We’ve been talking about large-scale cyberattacks for over a decade. … The United States has adversaries who work every day to undermine the domestic sources of power in the United States, but this is done incrementally. They accumulate over time. Why? Because it doesn’t involve the US military. It doesn’t achieve that level of deterrence that would say, now you’ve crossed the line and we’re going to war on you.
If you’re actually disrupting critical infrastructure, power grids, water treatment – things of that nature, it shouldn’t be any different than if I dropped a bomb on it or used a piece of code. If the effect is war, then we have to make that clear to the Russians. Because deterrence only works if you are actually clear to the other side of what you intend to do.
I think it would be dangerous for the United States, which is the most digitally connected state in the world, to distinguish between the code and the kinetic bomb. If we don’t respond the same, then what you’re saying is it’s okay if you stop us with code, but don’t stop us with a bomb.
Some answers have been abbreviated for brevity.