For the U.S., which has imposed a wave of new sanctions on Russia, that could mean an increase in cyberattacks, according to former National Security Agency Director Adm. Michael Rogers, who also served as commander of the United States Cyber Command. He is currently a senior fellow and adjunct professor at the Kellogg School of Management.
Rogers spoke with Kellogg Insight about what U.S. businesses can expect to see in light of the conflict, and how they should protect themselves from this heightened cyber threat.
This interview has been edited for length and clarity.
Kellogg Insight: The U.S. is already responding to the invasion of Ukraine with additional sanctions. Can we expect Russia to escalate? And if so, how?
Adm. Mike Rogers: I don’t see them pushing beyond Ukraine, in terms of conventional military forces. So if you’re in Moscow and you’re trying to get the rest of the world to back off on the sanctions, focusing on cyberattacks and disinformation are attractive tools because they give you a couple advantages.
Number one, there’s a measure of plausible deniability, because you can’t necessarily prove that actors associated with Russia did it. It’s much less visible than when you’re moving tanks across a border with satellites and imagery—everybody sees that. But because cyber has this element of plausible deniability, that can inhibit the level of response from other nations. If they’re not absolutely sure that it originated from Russia, a lot of times they won’t respond directly.
Number two, cyberattacks and disinformation can be used to go after government targets and to generate domestic pressure against governments. Imagine, for example, you’re a citizen in the United States, Germany, or another country, and suddenly you start getting intermittent disruptions of fuel deliveries, particularly heating oil in the middle of the winter. Suddenly, you start experiencing intermittent power outages or you can’t access your financial institutions. Those are the kinds of things that get people anxious, and might motivate them to ask their governments to ease up on Russia to make them stop. I’m not saying this is how far Russia will go, but it’s something to consider.
In the coming weeks, I think you’re going to see Russian President Vladimir Putin using cyber as a way to show that he’s serious, he has capabilities, and he wants you to be leery about pushing him too far.
Insight: How might U.S. businesses experience these potential cyberattacks from Russia? What would this look like for them?
Rogers: They could experience ransomware attacks, denials of service, network degradation, and lockouts, for instance.
Certain organizations should be on particularly high alert for these attacks. For example, if you are a company or a brand that is uniquely associated with America, like Coca-Cola or McDonald’s, you are an extension of America to the outside world. Those companies should be thinking about whether they’re prepared to deal with significant cyber activity directed against them. And that’s because targeting those companies sends a broad message to the U.S. government—not just to the company.
If you’re a company that’s doing business in Russia, you also probably have a little higher probability of being a target of a cyberattack. In addition, I think Russia will be looking at the government, the military, and economic infrastructure, like if you run a pipeline or parts of an electrical grid. Major financial institutions are probably also a major target.
Insight: Should companies be expecting something qualitatively different from the usual cyberattack? Or should they just expect the quantity of attacks to increase?
Rogers: Companies could now find themselves caught in cyber warfare.
Today, companies mostly see two types of cyberattacks. The most common is ransomware, where someone penetrates your system and locks it down until you pay them to regain access. Criminal groups typically use this as a way to generate revenue. The second most common threat involves someone penetrating your systems to steal intellectual property. But the threat level varies by sector. So, from an intellectual-property standpoint, if you’re in the high-tech, energy, or defense areas, you’re an attractive target.
These are all threats that currently exist and they’re not going to go away, but I think we could now be seeing groups doing it for different reasons. For example, rather than as a vehicle to squeeze money out of companies, they may now be focused more on inflicting damage purely for the sake of inflicting damage. They may just go in, manipulate your data, and try to change it. Or they’ll lock down your networks and go after your infrastructure or your operational technology, which enables you to remotely work your industrial control systems, for example.
Insight: How should businesses react to this increased threat?
Rogers: The mechanics of how you defend your system and prepare your security don’t change all that much: cyber-resilience and basic cyber hygiene. In the next 7 to 30 days, I would also review your backup plan: Are you comfortable that you’ve got alternative sources of data?
But companies need to recognize that this isn’t a situation that’s going to end in days or weeks. This is likely going to go on for months or even years, so businesses need to think long-term. [Editor’s note: we have released a podcast featuring Rogers’s advice on how companies can prepare for cyberattacks, which you can now check out here.]
Insight: Does the U.S. government have a role to play in helping companies navigate this moment? What resources are available, if any?
Rogers: The government has already put out some guidance around how companies can strengthen their networks’ defenses, and they’re trying to warn them of the increased Russian cyber activity that may be directed at them.
The part I’m not seeing yet—but that may be on the horizon—is whether the government starts to work more closely with companies in real time, particularly those companies involved in a critical infrastructure area like energy or finance. I think if some of these types of companies lose functionality, you’re going to see significant government interest and action around this.
And that’s in contrast to what happened with the Colonial Pipeline cyberattack, which occurred almost a year ago. At that time, the U.S. government’s initial response was to wait for Colonial to come to them and give them the details of what happened. If that happened today, I think the government would be working directly with them to figure out things like: Do we need to send people out to help? Is this just one element of a broader set of activities we’ll see directed at energy companies as a whole?
Insight: Is there any other advice you’d like to leave businesses with, in this moment?
Rogers: Don’t forget about your people. This is a stressful time for them—it’s a lot of work and a lot of tension. If you have employees in Ukraine or Russia, what are you doing to help them? Are they going to become targets because they’re affiliated with an American organization? Don’t forget the human piece in all of this.