Russia has launched a full-scale invasion of Ukraine, sending troops over the border and shelling cities across the country. Already, dozens of Ukrainian soldiers have been killed in the assault, and millions more people in the region are now in mortal danger. Countries around the world are likely to feel some effects as well, via physical disruptions of agricultural and energy supplies, and digital disruptions caused by Russian cyberattacks. The latter, in particular, could easily end up reaching the United States.
If and when such attacks might come is impossible to predict with certainty, says Michael Daniel, who served as a cybersecurity adviser to President Barack Obama and is now the president and CEO of the Cyber Threat Alliance, a nonprofit. The Cybersecurity and Infrastructure Security Agency has already issued advice to businesses and other organizations on how to avoid digital invasions and respond if hackers do successfully breach their defenses. But individual Americans are getting very little governmental guidance on what they can or should be doing to prepare.
Read our ongoing coverage of the Russian invasion in Ukraine
The Russian government is not likely, for the moment, to target American digital infrastructure, Daniel told me. “That would be a big escalation.” But American computers could still be compromised in collateral damage from Russian attacks on Ukrainian systems, as they have been in the past. In 2017, for example, Russian military-intelligence hackers sent malware known as NotPetya into Ukrainian computer networks. As the infection spread, a small U.S. hospital system lost the use of every Windows machine in its arsenal, and dozens, if not hundreds, of other hospitals were hamstrung when a widely used transcription service for electronic medical records went down. Any company that does business in Ukraine—and any person or business doing business with that company—could be vulnerable to this sort of collateral damage, Daniel said. “No one really fully understands how the internet interconnects and operates together at some sort of macro level, so being able to map out all the possible permutations of how something might have an impact is essentially impossible ahead of time.”
Herbert Lin, a senior research scholar at Stanford’s Center for International Security and Cooperation, told me that direct attacks are still on the table. When it comes to patriotic hacking, he said, “the Russians have elevated it to an art form.” If the U.S. continues to escalate sanctions and Russia decides to retaliate with cyberattacks, Putin might target the technology that supports U.S. infrastructure. American banks have been shoring up their cyberdefenses, but “they’ve never had to withstand a full-on, all-in cyberattack by a nation as powerful in cyberspace as the Russians,” Lin said. Municipal power and water authorities would likely be more vulnerable, he said, because many of them don’t have extra money to spend on cybersecurity. And if Russia chooses to allow domestic cybercriminals to operate without consequences, as it’s done in the past, they could simply go after whatever foreign companies and systems seem like the easiest, most lucrative targets. None of these is a particularly likely scenario, Lin emphasized, but any of them are possible.
The experts I spoke with were divided on how much you or I should do in anticipation of possible attacks. “I do not think that ordinary Americans need to be taking any physical actions such as buying gas or taking cash out of the bank,” Jessica Beyer, a co-lead of the University of Washington’s Cybersecurity Initiative, told me in an email. Digitally stored files are not at great risk, she said, because “the major cloud computing companies have robust security in place.” CISA, for its part, told me that although “there is not currently a specific, credible cyber threat to the U.S.,” Americans should keep their devices updated, choose strong passwords, and use multifactor authentication. Daniel agreed, and emphasized that the current risk profile doesn’t call for much more action. “What we don’t want to do,” he said pointedly, is create “bank runs and shortages of gasoline by self-induced panic.”
Lin said that people might be wise to engage in some modest prepper behavior, such as having extra cash on hand, packing emergency kits, and keeping a few gallons of water per person—but then again, he said, these are things that people should always be doing, if they have the money. He also said that essential services such as power and water in urban areas might be more tempting targets than those in rural ones, and that the closer a person is to organizations of national-security significance, the more vigilant they’ll need to be. “I would not want to be the partner of a senior American general right now,” he said.
Perhaps the most likely way that Americans will feel the effect of any Russian cyberattacks is through information warfare. “The only way they could surprise me in what they’re doing right now is if they didn’t use it as a tool,” Daniel said. Russia’s primary misinformation target would be Russians, he said, because the government will want to justify the invasion to its citizens. But its tactics could spread west as well, he said, by, for example, creating fake U.S.-government websites, which could sow confusion.
The heightened digital threat from Russia could last as long as the crisis in Ukraine does, or longer. “There are things that could occur through cyberspace that have an impact on the physical world that could take weeks, months, years to actually recover from,” Daniel said. Imagine, for example, that attackers destroy transformers and other physical parts of the power grid. American manufacturers can make new transformers only so quickly. In the worst-case scenario, we could be putting things back together for a long time to come.