What Does the Invasion of Ukraine Mean for Cybersecurity?
Skip to content
The Insightful Leader Live: What to Know about Today’s AI—and Tomorrow’s | Register Now
Strategy Feb 25, 2022

What Does the Invasion of Ukraine Mean for Cybersecurity?

Former NSA director Michael Rogers discusses the implications for companies.

two armies engage in cyberwarfare

Yevgenia Nayberg

Based on insights from

Michael Rogers

After building up tens of thousands of troops along the Ukrainian border for several weeks, Russia has invaded the country in an act of war that’s been condemned worldwide. Expecting backlash, Russian President Vladimir Putin has promised “consequences” for countries that try to intervene.

For the U.S., which has imposed a wave of new sanctions on Russia, that could mean an increase in cyberattacks, according to former National Security Agency Director Adm. Michael Rogers, who also served as commander of the United States Cyber Command. He is currently a senior fellow and adjunct professor at the Kellogg School of Management.

Rogers spoke with Kellogg Insight about what U.S. businesses can expect to see in light of the conflict, and how they should protect themselves from this heightened cyber threat.

*

This interview has been edited for length and clarity.

Kellogg Insight: The U.S. is already responding to the invasion of Ukraine with additional sanctions. Can we expect Russia to escalate? And if so, how?

Adm. Mike Rogers
: I don’t see them pushing beyond Ukraine, in terms of conventional military forces. So if you’re in Moscow and you’re trying to get the rest of the world to back off on the sanctions, focusing on cyberattacks and disinformation are attractive tools because they give you a couple advantages.

Number one, there’s a measure of plausible deniability, because you can’t necessarily prove that actors associated with Russia did it. It’s much less visible than when you’re moving tanks across a border with satellites and imagery—everybody sees that. But because cyber has this element of plausible deniability, that can inhibit the level of response from other nations. If they’re not absolutely sure that it originated from Russia, a lot of times they won’t respond directly.

Number two, cyberattacks and disinformation can be used to go after government targets and to generate domestic pressure against governments. Imagine, for example, you’re a citizen in the United States, Germany, or another country, and suddenly you start getting intermittent disruptions of fuel deliveries, particularly heating oil in the middle of the winter. Suddenly, you start experiencing intermittent power outages or you can’t access your financial institutions. Those are the kinds of things that get people anxious, and might motivate them to ask their governments to ease up on Russia to make them stop. I’m not saying this is how far Russia will go, but it’s something to consider.

In the coming weeks, I think you’re going to see Russian President Vladimir Putin using cyber as a way to show that he’s serious, he has capabilities, and he wants you to be leery about pushing him too far.

“Companies need to recognize that this isn’t a situation that’s going to end in days or weeks.”

— Adm. Mike Rogers

Insight: How might U.S. businesses experience these potential cyberattacks from Russia? What would this look like for them?

Rogers: They could experience ransomware attacks, denials of service, network degradation, and lockouts, for instance.

Certain organizations should be on particularly high alert for these attacks. For example, if you are a company or a brand that is uniquely associated with America, like Coca-Cola or McDonald’s, you are an extension of America to the outside world. Those companies should be thinking about whether they’re prepared to deal with significant cyber activity directed against them. And that’s because targeting those companies sends a broad message to the U.S. government—not just to the company.

If you’re a company that’s doing business in Russia, you also probably have a little higher probability of being a target of a cyberattack. In addition, I think Russia will be looking at the government, the military, and economic infrastructure, like if you run a pipeline or parts of an electrical grid. Major financial institutions are probably also a major target.

Insight:
Should companies be expecting something qualitatively different from the usual cyberattack? Or should they just expect the quantity of attacks to increase?

Rogers:
Companies could now find themselves caught in cyber warfare.

Today, companies mostly see two types of cyberattacks. The most common is ransomware, where someone penetrates your system and locks it down until you pay them to regain access. Criminal groups typically use this as a way to generate revenue. The second most common threat involves someone penetrating your systems to steal intellectual property. But the threat level varies by sector. So, from an intellectual-property standpoint, if you’re in the high-tech, energy, or defense areas, you’re an attractive target.

These are all threats that currently exist and they’re not going to go away, but I think we could now be seeing groups doing it for different reasons. For example, rather than as a vehicle to squeeze money out of companies, they may now be focused more on inflicting damage purely for the sake of inflicting damage. They may just go in, manipulate your data, and try to change it. Or they’ll lock down your networks and go after your infrastructure or your operational technology, which enables you to remotely work your industrial control systems, for example.

Insight: How should businesses react to this increased threat?

Rogers:
The mechanics of how you defend your system and prepare your security don’t change all that much: cyber-resilience and basic cyber hygiene. In the next 7 to 30 days, I would also review your backup plan: Are you comfortable that you’ve got alternative sources of data?

But companies need to recognize that this isn’t a situation that’s going to end in days or weeks. This is likely going to go on for months or even years, so businesses need to think long-term, [Editor’s note: we have released a podcast featuring Rogers’s advice on how companies can prepare for cyberattacks, which you can now check out here.]

Insight:
Does the U.S. government have a role to play in helping companies navigate this moment? What resources are available, if any?

Rogers: The government has already put out some guidance around how companies can strengthen their networks’ defenses, and they’re trying to warn them of the increased Russian cyber activity that may be directed at them.

The part I’m not seeing yet—but that may be on the horizon—is whether the government starts to work more closely with companies in real time, particularly those companies involved in a critical infrastructure area like energy or finance. I think if some of these types of companies lose functionality, you’re going to see significant government interest and action around this.

And that’s in contrast to what happened with the Colonial Pipeline cyberattack, which occurred almost a year ago. At that time, the U.S. government’s initial response was to wait for Colonial to come to them and give them the details of what happened. If that happened today, I think the government would be working directly with them to figure out things like: Do we need to send people out to help? Is this just one element of a broader set of activities we’ll see directed at energy companies as a whole?

Insight:
Is there any other advice you’d like to leave businesses with, in this moment?

Rogers:
Don’t forget about your people. This is a stressful time for them—it’s a lot of work and a lot of tension. If you have employees in Ukraine or Russia, what are you doing to help them? Are they going to become targets because they’re affiliated with an American organization? Don’t forget the human piece in all of this.

Featured Faculty

Senior Fellow and Adjunct Professor in the Kellogg Executive Leadership Institute

Most Popular This Week
  1. What Went Wrong at Silicon Valley Bank?
    And how can it be avoided next time? A new analysis sheds light on vulnerabilities within the U.S. banking industry.
    People visit a bank
  2. How Are Black–White Biracial People Perceived in Terms of Race?
    Understanding the answer—and why black and white Americans may percieve biracial people differently—is increasingly important in a multiracial society.
    How are biracial people perceived in terms of race
  3. What Went Wrong at AIG?
    Unpacking the insurance giant's collapse during the 2008 financial crisis.
    What went wrong during the AIG financial crisis?
  4. Will AI Eventually Replace Doctors?
    Maybe not entirely. But the doctor–patient relationship is likely to change dramatically.
    doctors offices in small nodules
  5. Which Form of Government Is Best?
    Democracies may not outlast dictatorships, but they adapt better.
    Is democracy the best form of government?
  6. Podcast: "It's Hard to Regulate U.S. Banks!"
    Silicon Valley Bank spectacularly collapsed—and a new analysis suggests that its precarious situation is not as much of an outlier as we’d hope. On this episode of The Insightful Leader, we learn what went wrong and what should happen next.
  7. What Happens to Worker Productivity after a Minimum Wage Increase?
    A pay raise boosts productivity for some—but the impact on the bottom line is more complicated.
    employees unload pallets from a truck using hand carts
  8. Why Do Some People Succeed after Failing, While Others Continue to Flounder?
    A new study dispels some of the mystery behind success after failure.
    Scientists build a staircase from paper
  9. Marketers, Don’t Be Too Hasty to Act on Data
    Don’t like the trends you’re seeing? It’s tempting to take immediate action. Instead, consider a hypothesis-driven approach to solving your problems.
    CEO stands before large data wall
  10. Why Well-Meaning NGOs Sometimes Do More Harm than Good
    Studies of aid groups in Ghana and Uganda show why it’s so important to coordinate with local governments and institutions.
    To succeed, foreign aid and health programs need buy-in and coordination with local partners.
  11. Understanding the Pandemic’s Lasting Impact on Real Estate
    Work-from-home has stuck around. What does this mean for residential and commercial real-estate markets?
    realtor showing converted office building to family
  12. How Has Marketing Changed over the Past Half-Century?
    Phil Kotler’s groundbreaking textbook came out 55 years ago. Sixteen editions later, he and coauthor Alexander Chernev discuss how big data, social media, and purpose-driven branding are moving the field forward.
    people in 1967 and 2022 react to advertising
  13. How Much Do Campaign Ads Matter?
    Tone is key, according to new research, which found that a change in TV ad strategy could have altered the results of the 2000 presidential election.
    Political advertisements on television next to polling place
  14. How Peer Pressure Can Lead Teens to Underachieve—Even in Schools Where It’s “Cool to Be Smart”
    New research offers lessons for administrators hoping to improve student performance.
    Eager student raises hand while other student hesitates.
  15. Immigrants to the U.S. Create More Jobs than They Take
    A new study finds that immigrants are far more likely to found companies—both large and small—than native-born Americans.
    Immigrant CEO welcomes new hires
  16. Leaders, Don’t Be Afraid to Admit Your Flaws
    We prefer to work for people who can make themselves vulnerable, a new study finds. But there are limits.
    person removes mask to show less happy face
  17. For Students with Disabilities, Discrimination Starts Before They Even Enter School
    Public-school principals are less welcoming to prospective families with disabled children—particularly when they’re Black.
    child in wheelchair facing padlocked school doors
  18. Executive Presence Isn’t One-Size-Fits-All. Here’s How to Develop Yours.
    A professor and executive coach unpacks this seemingly elusive trait.
    woman standing confidently
  19. How Self-Reflection Can Make You a Better Leader
    Setting aside 15 minutes a day can help you prioritize, prepare, and build a stronger team
    Self-reflection improves leadership over time
More in Strategy