What Does the Invasion of Ukraine Mean for Cybersecurity?
Skip to content
Podcast | Insight Unpacked Season 1: Extraordinary Brands and How to Build Them
Strategy Feb 25, 2022

What Does the Invasion of Ukraine Mean for Cybersecurity?

Former NSA director Michael Rogers discusses the implications for companies.

two armies engage in cyberwarfare

Yevgenia Nayberg

Based on insights from

Michael Rogers

After building up tens of thousands of troops along the Ukrainian border for several weeks, Russia has invaded the country in an act of war that’s been condemned worldwide. Expecting backlash, Russian President Vladimir Putin has promised “consequences” for countries that try to intervene.

For the U.S., which has imposed a wave of new sanctions on Russia, that could mean an increase in cyberattacks, according to former National Security Agency Director Adm. Michael Rogers, who also served as commander of the United States Cyber Command. He is currently a senior fellow and adjunct professor at the Kellogg School of Management.

Rogers spoke with Kellogg Insight about what U.S. businesses can expect to see in light of the conflict, and how they should protect themselves from this heightened cyber threat.

*

This interview has been edited for length and clarity.

Add Insight
to your inbox.

Kellogg Insight: The U.S. is already responding to the invasion of Ukraine with additional sanctions. Can we expect Russia to escalate? And if so, how?

Adm. Mike Rogers
: I don’t see them pushing beyond Ukraine, in terms of conventional military forces. So if you’re in Moscow and you’re trying to get the rest of the world to back off on the sanctions, focusing on cyberattacks and disinformation are attractive tools because they give you a couple advantages.

Number one, there’s a measure of plausible deniability, because you can’t necessarily prove that actors associated with Russia did it. It’s much less visible than when you’re moving tanks across a border with satellites and imagery—everybody sees that. But because cyber has this element of plausible deniability, that can inhibit the level of response from other nations. If they’re not absolutely sure that it originated from Russia, a lot of times they won’t respond directly.

Number two, cyberattacks and disinformation can be used to go after government targets and to generate domestic pressure against governments. Imagine, for example, you’re a citizen in the United States, Germany, or another country, and suddenly you start getting intermittent disruptions of fuel deliveries, particularly heating oil in the middle of the winter. Suddenly, you start experiencing intermittent power outages or you can’t access your financial institutions. Those are the kinds of things that get people anxious, and might motivate them to ask their governments to ease up on Russia to make them stop. I’m not saying this is how far Russia will go, but it’s something to consider.

In the coming weeks, I think you’re going to see Russian President Vladimir Putin using cyber as a way to show that he’s serious, he has capabilities, and he wants you to be leery about pushing him too far.

“Companies need to recognize that this isn’t a situation that’s going to end in days or weeks.”

— Adm. Mike Rogers

Insight: How might U.S. businesses experience these potential cyberattacks from Russia? What would this look like for them?

Rogers: They could experience ransomware attacks, denials of service, network degradation, and lockouts, for instance.

Certain organizations should be on particularly high alert for these attacks. For example, if you are a company or a brand that is uniquely associated with America, like Coca-Cola or McDonald’s, you are an extension of America to the outside world. Those companies should be thinking about whether they’re prepared to deal with significant cyber activity directed against them. And that’s because targeting those companies sends a broad message to the U.S. government—not just to the company.

If you’re a company that’s doing business in Russia, you also probably have a little higher probability of being a target of a cyberattack. In addition, I think Russia will be looking at the government, the military, and economic infrastructure, like if you run a pipeline or parts of an electrical grid. Major financial institutions are probably also a major target.

Insight:
Should companies be expecting something qualitatively different from the usual cyberattack? Or should they just expect the quantity of attacks to increase?

Rogers:
Companies could now find themselves caught in cyber warfare.

Today, companies mostly see two types of cyberattacks. The most common is ransomware, where someone penetrates your system and locks it down until you pay them to regain access. Criminal groups typically use this as a way to generate revenue. The second most common threat involves someone penetrating your systems to steal intellectual property. But the threat level varies by sector. So, from an intellectual-property standpoint, if you’re in the high-tech, energy, or defense areas, you’re an attractive target.

These are all threats that currently exist and they’re not going to go away, but I think we could now be seeing groups doing it for different reasons. For example, rather than as a vehicle to squeeze money out of companies, they may now be focused more on inflicting damage purely for the sake of inflicting damage. They may just go in, manipulate your data, and try to change it. Or they’ll lock down your networks and go after your infrastructure or your operational technology, which enables you to remotely work your industrial control systems, for example.

Insight: How should businesses react to this increased threat?

Rogers:
The mechanics of how you defend your system and prepare your security don’t change all that much: cyber-resilience and basic cyber hygiene. In the next 7 to 30 days, I would also review your backup plan: Are you comfortable that you’ve got alternative sources of data?

But companies need to recognize that this isn’t a situation that’s going to end in days or weeks. This is likely going to go on for months or even years, so businesses need to think long-term, [Editor’s note: we have released a podcast featuring Rogers’s advice on how companies can prepare for cyberattacks, which you can now check out here.]

Insight:
Does the U.S. government have a role to play in helping companies navigate this moment? What resources are available, if any?

Rogers: The government has already put out some guidance around how companies can strengthen their networks’ defenses, and they’re trying to warn them of the increased Russian cyber activity that may be directed at them.

The part I’m not seeing yet—but that may be on the horizon—is whether the government starts to work more closely with companies in real time, particularly those companies involved in a critical infrastructure area like energy or finance. I think if some of these types of companies lose functionality, you’re going to see significant government interest and action around this.

And that’s in contrast to what happened with the Colonial Pipeline cyberattack, which occurred almost a year ago. At that time, the U.S. government’s initial response was to wait for Colonial to come to them and give them the details of what happened. If that happened today, I think the government would be working directly with them to figure out things like: Do we need to send people out to help? Is this just one element of a broader set of activities we’ll see directed at energy companies as a whole?

Insight:
Is there any other advice you’d like to leave businesses with, in this moment?

Rogers:
Don’t forget about your people. This is a stressful time for them—it’s a lot of work and a lot of tension. If you have employees in Ukraine or Russia, what are you doing to help them? Are they going to become targets because they’re affiliated with an American organization? Don’t forget the human piece in all of this.

Featured Faculty

Adjunct Professor within the Kellogg Public Private Initiative; Senior Fellow

Most Popular This Week
  1. Your Team Doesn’t Need You to Be the Hero
    Too many leaders instinctively try to fix a crisis themselves. A U.S. Army colonel explains how to curb this tendency in yourself and allow your teams to flourish.
    person with red cape trying to put out fire while firefighters stand by.
  2. What Triggers a Career Hot Streak?
    New research reveals a recipe for success.
    Collage of sculptor's work culminating in Artist of the Year recognition
  3. What’s the Secret to Successful Innovation?
    Hint: it’s not the product itself.
    standing woman speaking with man seated on stool
  4. Which Form of Government Is Best?
    Democracies may not outlast dictatorships, but they adapt better.
    Is democracy the best form of government?
  5. How Much Do Campaign Ads Matter?
    Tone is key, according to new research, which found that a change in TV ad strategy could have altered the results of the 2000 presidential election.
    Political advertisements on television next to polling place
  6. What Went Wrong with FTX—and What’s Next for Crypto?
    One key issue will be introducing regulation without strangling innovation, a fintech expert explains.
    stock trader surrounded by computer monitors
  7. How Are Black–White Biracial People Perceived in Terms of Race?
    Understanding the answer—and why black and white Americans may percieve biracial people differently—is increasingly important in a multiracial society.
    How are biracial people perceived in terms of race
  8. Immigrants to the U.S. Create More Jobs than They Take
    A new study finds that immigrants are far more likely to found companies—both large and small—than native-born Americans.
    Immigrant CEO welcomes new hires
  9. How Experts Make Complex Decisions
    By studying 200 million chess moves, researchers shed light on what gives players an advantage—and what trips them up.
    two people playing chess
  10. Yes, Consumers Care if Your Product Is Ethical
    New research shows that morality matters—but it’s in the eye of the beholder.
    woman chooses organic lettuce in grocery
  11. Why Well-Meaning NGOs Sometimes Do More Harm than Good
    Studies of aid groups in Ghana and Uganda show why it’s so important to coordinate with local governments and institutions.
    To succeed, foreign aid and health programs need buy-in and coordination with local partners.
  12. Product Q&A Forums Hold a Lot of Promise. Here’s How to Make Them Work.
    The key to these online communities, where users can ask and answer questions, is how many questions get useful answers.
    man sits at computer reading Q&A forum
  13. What Went Wrong at AIG?
    Unpacking the insurance giant's collapse during the 2008 financial crisis.
    What went wrong during the AIG financial crisis?
  14. When Do Open Borders Make Economic Sense?
    A new study provides a window into the logic behind various immigration policies.
    How immigration affects the economy depends on taxation and worker skills.
  15. What the New Climate Bill Means for the U.S.—and the World
    The Inflation Reduction Act won’t reverse inflation or halt climate change, but it's still a big deal.
    energy bill with solar panels wind turbines and pipelines
  16. Post-War Reconstruction Is a Good Investment
    Ukraine’s European neighbors will need to make a major financial commitment to help rebuild its economy after the war. Fortunately, as the legacy of the post–World War II Marshall Plan shows, investing in Ukraine's future will also serve Europe's own long-term interests.
    two people look out over a city
  17. How Has Marketing Changed over the Past Half-Century?
    Phil Kotler’s groundbreaking textbook came out 55 years ago. Sixteen editions later, he and coauthor Alexander Chernev discuss how big data, social media, and purpose-driven branding are moving the field forward.
    people in 1967 and 2022 react to advertising
  18. The Political Divide in America Goes Beyond Polarization and Tribalism
    These days, political identity functions a lot like religious identity.
    people engage in conflict with swords
More in Strategy