Strategy Feb 25, 2022
What Does the Invasion of Ukraine Mean for Cybersecurity?
Former NSA director Michael Rogers discusses the implications for companies.
After building up tens of thousands of troops along the Ukrainian border for several weeks, Russia has invaded the country in an act of war that’s been condemned worldwide. Expecting backlash, Russian President Vladimir Putin has promised “consequences” for countries that try to intervene.
For the U.S., which has imposed a wave of new sanctions on Russia, that could mean an increase in cyberattacks, according to former National Security Agency Director Adm. Michael Rogers, who also served as commander of the United States Cyber Command. He is currently a senior fellow and adjunct professor at the Kellogg School of Management.
Rogers spoke with Kellogg Insight about what U.S. businesses can expect to see in light of the conflict, and how they should protect themselves from this heightened cyber threat.
This interview has been edited for length and clarity.
to your inbox.
Kellogg Insight: The U.S. is already responding to the invasion of Ukraine with additional sanctions. Can we expect Russia to escalate? And if so, how?
Adm. Mike Rogers: I don’t see them pushing beyond Ukraine, in terms of conventional military forces. So if you’re in Moscow and you’re trying to get the rest of the world to back off on the sanctions, focusing on cyberattacks and disinformation are attractive tools because they give you a couple advantages.
Number one, there’s a measure of plausible deniability, because you can’t necessarily prove that actors associated with Russia did it. It’s much less visible than when you’re moving tanks across a border with satellites and imagery—everybody sees that. But because cyber has this element of plausible deniability, that can inhibit the level of response from other nations. If they’re not absolutely sure that it originated from Russia, a lot of times they won’t respond directly.
Number two, cyberattacks and disinformation can be used to go after government targets and to generate domestic pressure against governments. Imagine, for example, you’re a citizen in the United States, Germany, or another country, and suddenly you start getting intermittent disruptions of fuel deliveries, particularly heating oil in the middle of the winter. Suddenly, you start experiencing intermittent power outages or you can’t access your financial institutions. Those are the kinds of things that get people anxious, and might motivate them to ask their governments to ease up on Russia to make them stop. I’m not saying this is how far Russia will go, but it’s something to consider.
In the coming weeks, I think you’re going to see Russian President Vladimir Putin using cyber as a way to show that he’s serious, he has capabilities, and he wants you to be leery about pushing him too far.
“Companies need to recognize that this isn’t a situation that’s going to end in days or weeks.”
— Adm. Mike Rogers
Insight: How might U.S. businesses experience these potential cyberattacks from Russia? What would this look like for them?
Rogers: They could experience ransomware attacks, denials of service, network degradation, and lockouts, for instance.
Certain organizations should be on particularly high alert for these attacks. For example, if you are a company or a brand that is uniquely associated with America, like Coca-Cola or McDonald’s, you are an extension of America to the outside world. Those companies should be thinking about whether they’re prepared to deal with significant cyber activity directed against them. And that’s because targeting those companies sends a broad message to the U.S. government—not just to the company.
If you’re a company that’s doing business in Russia, you also probably have a little higher probability of being a target of a cyberattack. In addition, I think Russia will be looking at the government, the military, and economic infrastructure, like if you run a pipeline or parts of an electrical grid. Major financial institutions are probably also a major target.
Insight: Should companies be expecting something qualitatively different from the usual cyberattack? Or should they just expect the quantity of attacks to increase?
Rogers: Companies could now find themselves caught in cyber warfare.
Today, companies mostly see two types of cyberattacks. The most common is ransomware, where someone penetrates your system and locks it down until you pay them to regain access. Criminal groups typically use this as a way to generate revenue. The second most common threat involves someone penetrating your systems to steal intellectual property. But the threat level varies by sector. So, from an intellectual-property standpoint, if you’re in the high-tech, energy, or defense areas, you’re an attractive target.
These are all threats that currently exist and they’re not going to go away, but I think we could now be seeing groups doing it for different reasons. For example, rather than as a vehicle to squeeze money out of companies, they may now be focused more on inflicting damage purely for the sake of inflicting damage. They may just go in, manipulate your data, and try to change it. Or they’ll lock down your networks and go after your infrastructure or your operational technology, which enables you to remotely work your industrial control systems, for example.
Insight: How should businesses react to this increased threat?
Rogers: The mechanics of how you defend your system and prepare your security don’t change all that much: cyber-resilience and basic cyber hygiene. In the next 7 to 30 days, I would also review your backup plan: Are you comfortable that you’ve got alternative sources of data?
But companies need to recognize that this isn’t a situation that’s going to end in days or weeks. This is likely going to go on for months or even years, so businesses need to think long-term, [Editor’s note: we have released a podcast featuring Rogers’s advice on how companies can prepare for cyberattacks, which you can now check out here.]
Insight: Does the U.S. government have a role to play in helping companies navigate this moment? What resources are available, if any?
Rogers: The government has already put out some guidance around how companies can strengthen their networks’ defenses, and they’re trying to warn them of the increased Russian cyber activity that may be directed at them.
The part I’m not seeing yet—but that may be on the horizon—is whether the government starts to work more closely with companies in real time, particularly those companies involved in a critical infrastructure area like energy or finance. I think if some of these types of companies lose functionality, you’re going to see significant government interest and action around this.
And that’s in contrast to what happened with the Colonial Pipeline cyberattack, which occurred almost a year ago. At that time, the U.S. government’s initial response was to wait for Colonial to come to them and give them the details of what happened. If that happened today, I think the government would be working directly with them to figure out things like: Do we need to send people out to help? Is this just one element of a broader set of activities we’ll see directed at energy companies as a whole?
Insight: Is there any other advice you’d like to leave businesses with, in this moment?
Rogers: Don’t forget about your people. This is a stressful time for them—it’s a lot of work and a lot of tension. If you have employees in Ukraine or Russia, what are you doing to help them? Are they going to become targets because they’re affiliated with an American organization? Don’t forget the human piece in all of this.
What Went Wrong with FTX—and What’s Next for Crypto?One key issue will be introducing regulation without strangling innovation, a fintech expert explains.
How Experts Make Complex DecisionsBy studying 200 million chess moves, researchers shed light on what gives players an advantage—and what trips them up.
What Donors Need to Hear to Open the CheckbookInsights from marketing on how charities can grow by appealing to different kinds of donors.
The Complicated Logic Behind Donating to a Food Pantry Rather than Giving a Hungry Person CashIf we were in need, we’d likely want money. So what accounts for that difference?
To Improve Fundraising, Give Donors a Local ConnectionResearch offers concrete strategies for appealing to donors who want to make an impact.
Which Form of Government Is Best?Democracies may not outlast dictatorships, but they adapt better.
How You Can Make a More Positive Social ImpactA 3-step guide to becoming a more thoughtful consumer and donor.
Podcast: What the FTX Meltdown Means for the Future of CryptoThe implosion of the crypto exchange has sent the industry reeling. We dig into what happened and whether cryptocurrency, as a concept, can weather the storm.
What Went Wrong at AIG?Unpacking the insurance giant's collapse during the 2008 financial crisis.
How Much Do Campaign Ads Matter?Tone is key, according to new research, which found that a change in TV ad strategy could have altered the results of the 2000 presidential election.
How Are Black–White Biracial People Perceived in Terms of Race?Understanding the answer—and why black and white Americans may percieve biracial people differently—is increasingly important in a multiracial society.
Why Well-Meaning NGOs Sometimes Do More Harm than GoodStudies of aid groups in Ghana and Uganda show why it’s so important to coordinate with local governments and institutions.
Immigrants to the U.S. Create More Jobs than They TakeA new study finds that immigrants are far more likely to found companies—both large and small—than native-born Americans.
How Has Marketing Changed over the Past Half-Century?Phil Kotler’s groundbreaking textbook came out 55 years ago. Sixteen editions later, he and coauthor Alexander Chernev discuss how big data, social media, and purpose-driven branding are moving the field forward.
Why Are So Many Politicians Embracing Conspiracy Theories?Conspiratorial thinking has always been attractive in times of uncertainty—but it’s become more mainstream. An expert explains why, and whether anything can be done.
What the New Climate Bill Means for the U.S.—and the WorldThe Inflation Reduction Act won’t reverse inflation or halt climate change, but it's still a big deal.
Take 5: The Surprising Ways Emotions Shape Consumer BehaviorCompanies, take note—emotions like anger, fear, and anticipation can impact what ends up in consumers’ shopping carts.