This activity is likely “not about espionage, it’s probably very likely about disruptive or destructive (cyber) activity,” US Cybersecurity and Infrastructure Security Agency Director Jen Easterly said during a phone briefing with industry executives and state and local government personnel, according to three sources on the call, writes CNN’s Sean Lyngaas.
The advisory is part of a growing chorus of warnings that US infrastructure is at risk, writes Lyngaas.
“For months, the US departments of Energy, Treasury and Homeland Security, among others, have briefed big electric utilities and banks on Russian hacking capabilities, and urged businesses to lower their thresholds for reporting suspicious activity.”
Some companies aren’t prepared
The bottom line of Biden’s warning Monday and the FBI advisory was that the infrastructure behind US society and American life is mostly in private hands and that it needs to be made more secure from hacks.
Biden has told Putin to cut it out
“We’ve had a long conversation about, if he uses it, what would be the consequence,” Biden told business leaders on Monday.
He specifically mentioned the energy, power and financial sectors.
What might a large-scale cyberattack look like?
CNN’s Ivana Kottasová wrote last June about the attack, which Estonia considered an act of cyber-warfare. It all started with Estonia’s decision to remove a Soviet-era war memorial from central Tallinn.
Here are some key lines from her report:
The attack made Estonia realize that it needed to start treating cyber threats in the same way as physical attacks.
At that time, the country was already a leader in e-government, having introduced services like online voting and digital signatures. While no data was stolen during the incident, the websites of banks, the media and some government services were targeted with distributed denial of service attacks that lasted for 22 days. Some services were disrupted, while others were taken down completely.
NATO and the international community took notice of the attack on Estonia and experts developed a standard to assess cyber-war as a result.
When is a cyberattack an act of war?
I called Tess Bridgeman, co-editor in chief of the website Just Security and a former attorney in the Obama White House who is an expert on war powers and international law.
“If a cyberattack causes significant death, destruction or injury, of the same sort that you would see from a more traditional attack using kinetic means, like bullets or missiles, you know, then you would call it a ‘use of force’ in international law,” she said.
A cyberattack that targeted a dam or air traffic control towers might rise to this level, but the government would try very hard to avoid responding to a cyberattack with a military attack, she said.
The attacks on the US to date have fallen short of the threshold to justify a military response.
As the government seeks countermeasures to respond, Bridgeman said, there’s a good chance they won’t be publicly known.
“It may appear that the US is sitting by idly, but I would be highly doubtful that that’s the case,” she said, arguing that defensive actions might be more effective at de-escalating the standoff. “It’s setting the example for what responsible state behavior looks like.”
Could weapons be used to respond to a cyberattack?
The threat of a military response is always there for the worst cyberattacks, should they cost American lives.
“Our policy, our declared policy is, if it’s a big enough attack on us and it hurts us, we will use the conventional weapons response,” Richard Clarke, who was a top adviser to President George W. Bush on cybersecurity, told CNN’s Michael Smerconish shortly after the war in Ukraine began.
“So we could very easily find ourselves in a shooting war with Russia if they try devastating — and that would have to be devastating — cyberattacks like turning out the power grid,” Clarke said.
Most of these attacks are meant to be part of espionage campaigns or to be meddlesome rather than deadly. Clarke argued that Russian attacks on US industries could be more devastating than attacks on the government itself. He said the government doesn’t really know what would happen if the Amazon, Google and Microsoft cloud systems went offline, for instance.
“I can tell you if those clouds go down, the United States stops working, our economy stops working, the phones stop working — we will find ourselves pretty soon in the dark ages if the internet goes down,” said Clarke.
What if Russia attacked a US ally?
It’s not clear that Russia would want to provoke the US specifically in such a devastating way, or how the US would respond.
Could a cyberattack trigger Article 5?
A cyberattack could absolutely trigger Article 5. NATO Secretary General Jens Stoltenberg made this clear in February just after Russia’s invasion.
But he added that NATO would be very careful in assessing an attack and would make sure a cyberattack on Ukraine — shutting off electricity, say — that accidentally spilled over into Poland or Romania is not construed as an attack on those countries.
He also said it’s intentionally unclear what kind of cyberattack would rise to the level of invoking Article 5.
NATO, he said, would not want to “give a potential adversary the privilege of defining exactly when we trigger Article 5.”