Russia hasn’t been conducting cyber-attacks against the U.S. and its European allies who are supporting Ukraine in their fight against a Russian invasion of their country in part because of President Biden’s warning last summer to Russian President Vladimir Putin that the U.S. will make his country pay a price, one of the leading cybersecurity experts in the Senate said last Friday.
“I don’t think there’s much doubt that the Russians have held back to some extent because they know that we hold them at risk,” Sen. Angus King (I-Maine), said during a panel hosted by the Truman Center as part of TruCon 2022. “It’s sort of a classic deterrence theory.”
Biden met with Putin in Geneva last June where he warned his Russian counterpart that the U.S. would respond with offensive cyber operations if Russian-sponsored cyber hackers attacked U.S. critical infrastructures. Biden followed up in July in a phone call with Putin that he also expected him to take action against non-state-sponsored actors targeting the U.S. with ransomware.
King said his comments aren’t based on any intelligence briefings he has been given since Russia invaded Ukraine in February but are “just based on my awareness over the years of how the Russians think. I think they know that we have some pretty potent capabilities ourselves and that they better be careful.”
Mieke Eoyang, deputy assistant secretary of defense for cyber policy at the Defense Department, said that as part of the DoD’s policy of integrated deterrence, cyber is just one of many “tools that we can use to bring to bear to impose costs on an adversary for taking steps in cyberspace or taking steps in other places.”
Asked whether Finland and Sweden’s applications to join NATO has led to an increase in Russian threats to launch a cyber-attack, Eoyang highlighted King’s comments about Biden’s earlier warning to Putin and added her comments about integrated deterrence.
Whatever response the U.S. makes, the costs have to matter to Russia, she said.
Regarding Russia’s response to the new effort to expand NATO, King said Putin doesn’t seem to have this figured out given early “saber rattling” warning against expansion of the allied alliance, followed by a statement early last week that expansion isn’t a threat to his country, and then reports late in the week of Russia developing new battle groups on its borders with Finland and Sweden.
At the outset of Russia’s invasion of Ukraine on Feb. 24, a consumer satellite broadband service operated by Viasat [VSAT] was hit by a denial-of-service attack, affecting modems across Ukraine and Europe. Viasat believes the attack was deliberate but so far there has been no attribution of the attacker.
Rob Knake, acting principal deputy national cyber director, said when he started his job on Feb. 28, he was “expecting that we were going to be in a very ugly cyber war.”
The Office of the National Cyber Director is learning how to implement the White House National Security Council’s strategy for interagency collaboration to bolster cybersecurity, Knake said. The office is not writing new executive orders or policy, he said.
“And right now, we’re in kind of a feedback loop as we’re seeing what’s working, as we’re seeing where there are seams in our communications processes,” Knake said during the panel discussion. “That’s an ongoing effort that we’re obligated to carry out at all times.”
Eoyang said that while expectations were for a “massive” cyber conflict that has a “strategic impact” on the war, “what we are seeing is the Russians are unable to bring cyber capability to bear in a way that fundamentally changes the Ukrainian strategic will to defend their territory.” She added that this “helps us have a better understanding of the limits of cyber when it comes to its use in armed conflict.”
U.S. cybersecurity officials have said that Russia is scanning networks looking for vulnerabilities, but there have been no indications of cyber-attacks against the U.S. or its allies and partners. Biden and Department of Homeland Security officials have been warning the public and private sectors to strengthen their readiness and resilience in case Russia does launch cyber-attacks.
Stephanie Hill, executive vice president of Lockheed Martin’s [LMT] Rotary and Missions Systems segment, told the panel her company has established a Shields Up Task Force that is looking at its own cyber defenses and readiness. Shields Up is the DHS Cybersecurity and Infrastructure Security Agency’s mantra, and website, for all organizations to be prepared for, respond to, and mitigate disruptive cyber incidents that could come from Russia.
Hill said at Lockheed Martin the work of the new task force begins with the company’s workforce and then layers in technology. She said Lockheed Martin’s biggest cybersecurity vulnerability is with its supply chain and that the company is hosting workshops to educate the small businesses it works with and is also piloting technology to give to these companies to bolster their cyber posture.