Russia as a Cyber Adversary: How Significant is the Threat to Critical Infrastructure in the United States
Executive summary
Critical infrastructure systems, particularly information, energy, financial, and defense, have come to the fore as a prominent target of adversarial cyber attacks in recent decades. In response, the United States has made significant changes in securing its 16 critical infrastructure sectors on many fronts. However, gaps and vulnerabilities remain. These vulnerabilities have been weaponized by adversarial nations, including Russia, as a form of hybrid warfare in the new digital landscape. Russia has shown its prowess in attacking critical infrastructure systems both inside the United States and beyond, through prominent attacks on U.S. defense networks, the Ukrainian electrical grid, U.S. and European private sector energy companies, and more.
To counter the risk that Russia and other adversarial nations pose to critical infrastructure, the United States has invested significantly in building resiliency across each of the 16 sectors. Despite these investments, Russia still presents a considerable risk to the United States' security, economy, and people. Russia, a longtime adversary of the United States, has invested significantly in its cyber capabilities as part of a doctrine of informationization, with the intent to dominate the information landscape, particularly at the expense of Western nations. Under the leadership of President Vladimir Putin, Moscow has deployed a range of active measures drawn from a playbook that dates back to Czarist Russia, with the primary goal of destabilizing the current world order and reshaping it in Russia's favor. Many experts have claimed that these active measures present the most significant threat to the West, namely the United States, since the fall of the Berlin Wall.
To successfully deter attacks on critical infrastructure, the United States must approach resiliency through a whole-of-system approach that addresses vulnerabilities throughout the international system, domestic government, private sector companies, and everyday technology users. The NIST Cybersecurity Framework and 2020 Cyberspace Solarium Commission Report lay a strong foundation for U.S. leaders to build a more resilient and agile posture against future attacks. Without collective buy-in from all parties to the critical infrastructure system, full resiliency against the Russian threat will not be accomplished. Leaving these sectors in a state of vulnerability could result in a catastrophic system failure and bring the daily operations of American society to a complete standstill.
Scope Note
In the decades since the Cold War, the world has grown significantly more digitized. So too has modern warfare. In response, Russia has made strategic strides in its cyber capabilities and strategy against Western adversaries, including the United States. With known hacks into government networks, information gathering on energy competitors, suspicious activities near underwater sea cables, and interference in U.S. elections, Moscow poses a real threat to the United States' critical infrastructure. This paper will draw on historical incidents, expert analysis, government documents, and critical news articles to assess the state of U.S. critical infrastructure, how significant this threat is to the United States, and what, if anything, can be done to deter it.
Background
Understanding critical infrastructure
Critical infrastructure is any system that is essential for the functioning of a society or economy. Currently, the United States government identifies 16 critical infrastructure sectors: chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems.[i] There are three types of threats to critical infrastructure: natural, human-caused, and accidental/technical.[ii] This paper will focus on human-caused threats.
Human-caused threats include acts of terrorism, rioting, tampering, theft, financial crimes, explosions or bombings, and economic espionage. Many of the vulnerabilities associated with these threats are cyber. Common cyber threats include non-state actors seeking to destroy, incapacitate, or exploit infrastructure to threaten national security; criminal groups attacking systems through phishing campaigns or spyware and malware for identity theft, online fraud, or extortion for monetary gain; industrial espionage; disgruntled insiders or poorly trained employees and contractors who create opportunities for outsider penetration; national intelligence operations seeking to destabilize regimes or further other strategic goals; and national or commercial organizations trying to gain access to systems for political or commercial purposes.[iii]
The current state of critical infrastructure in the United States
Under the United States Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience, the U.S. government outlines its strategy for strengthening and maintaining "secure, functioning, and resilient critical infrastructure."[iv] This document serves as the authority on managing the United States' critical infrastructure systems, which provide essential services to American society. It establishes chains of responsibility across federal, state, local, tribal, and territorial entities and public and private owners and operators of critical infrastructure. It also clarifies critical infrastructure-related functions, roles, and responsibilities across the Federal Government to enhance coordination and collaboration for addressing major concerns facing various sectors.[v] A majority of the United States' critical infrastructure systems are privately owned, making the effectiveness of vulnerability assessments depend on the voluntary cooperation and collaboration of private owner/operators.[1]
A considerable concern with the United States' critical infrastructure systems is the geographic concentration of significant portions of infrastructure. Nearly half of the country's oil refineries are located along the coasts of Texas and Louisiana. Around one-third of all maritime container shipments pass through California ports, specifically Los Angeles and Long Beach, and fully one-fourth of America's pharmaceutical drugs are manufactured in Puerto Rico. This overconcentration of resources makes it far easier for bad actors to produce large-scale attacks on critical American infrastructure, both in-person and online.[vi]
One example of a cascading energy system failure happened in 2003, when an electricity blackout that began in Ohio highlighted the fragility of America's aging, computer-controlled power grid. The cascade cost approximately $5 billion in lost productivity and left around 50 million people without power across the Northeast, the Midwest, and parts of Canada. A software bug in a utility's alarm system in Ohio left control room operators unaware of overloaded transmission lines, and operators in neighboring systems could not redistribute the load in time, so a local outage cascaded into a regional system collapse. With the right access, a malicious cyber actor could deliberately trigger a similar cascade.
Specifically, Russia has made notable attempts against U.S. energy infrastructure in recent years, which will be discussed in more detail in another section of the paper. These efforts have primarily targeted oil and gas networks, which are often more susceptible to intrusion because of infrequent security updates and weak antivirus protection.[vii] On a larger scale, disruption to energy supplies could cause substantial damage to the country's economy and security, potentially rendering other critical infrastructure systems inoperable. Given the interdependence of America's power grid and the geographic overconcentration of oil refineries, the energy sector presents a significant vulnerability to malicious actors.
Another concerning critical infrastructure vulnerability is the complex, combined physical and cybersecurity challenge facing America's transportation sector. Because the country has reached near-total computerization of rail, air, and marine traffic control, even a simple disruption by a cyber-terrorist or amateur hacker could escalate into a catastrophic event.[viii] The transportation sector moves people, commercial goods, and large quantities of hazardous materials, making it a prime target. Trucks, shipping containers, and even airplanes carrying hazardous materials, if attacked, could cause irreparable economic, health, and psychological damage. As evidenced by the current COVID-19 pandemic, even slight disruptions in supply chains, which depend heavily on transportation infrastructure, can have lasting adverse effects on the well-being of citizens and the economy alike.[ix]
Lastly, the United States has grown particularly concerned over its communications infrastructure, specifically undersea (submarine) cables, as a target for Russian infiltration or attack.[x] Russia's submarine activity has recently increased to Cold War levels, prompting concern among the United States and its North Atlantic allies.[xi] With over 99 percent of the world's intercontinental data and voice traffic,[xii] and approximately $10 trillion in financial transactions per day, traveling via undersea cables, the protection of telecommunications infrastructure is vital to U.S. security and the economy.[xiii] These cables are susceptible both to espionage via wiretapping and to physical attacks that sever or disconnect them. If severed, significant portions of the U.S. internet infrastructure could be rendered useless until repaired, and financial institutions, government agencies, and private companies could all come to a standstill for lack of access to the data their everyday operations depend on. If tapped, Russia could gain invaluable information from the United States and other countries connected to it via undersea cable.
A broad overview of Russia's cyber strategy
Russia has one of the most sophisticated and advanced cyber capabilities in the world. It has "demonstrated a willingness to employ offensive cyber in situations other than war to affect political and economic outcomes in neighboring states and to deter its adversaries."[xiv] Former Director of National Intelligence James Clapper noted, "Russia is assuming a more assertive cyber posture based on its willingness to target critical infrastructure systems and conduct espionage operations even when detected and under increased public scrutiny. Russian cyber operations are likely to target U.S. interests to support several strategic objectives: intelligence gathering to support Russian decision-making in the Ukraine and Syrian crises, influence operations to support military and political objectives, and continuing preparation of the cyber environment for future contingencies."[2]
Officially, Moscow does not use the word "cyber" in its security strategy but rather considers cybersecurity a Western concept.[xv] Instead, it couches its cyber capabilities within a broader strategy of "informationization" or electronification. It conceptualizes cyber operations as a tool for information warfare, or informatsionnaya voyna, that includes electronic warfare, psychological operations, information operations, and computer network operations—both domestically and abroad.[3] According to Ben Nimmo of the Atlantic Council, "Russia's concept of conflict does not distinguish between hybrid and classical warfare—there is simply warfare."[xvi] Cyber is a means for Russia to dominate the information landscape as part of a whole-of-government security approach, along with more traditional weapons of information warfare, including disinformation campaigns and political subversion.
In the 2011 Concept on the Activities of the Armed Forces of the Russian Federation in the Information Space, the Ministry of Defense defines information warfare as "[T]he confrontation between two or more states in the information space with the purpose of inflicting damage to information systems, processes and resources, critical and other structures, undermining the political, economic and social systems, a massive psychological manipulation of the population to destabilize the state and society, as well as coercing the state to take a decision for the benefit of the opposing force."[xvii] This concept of information warfare is of particular relevance to the scope of this paper, as it sheds some light on the goals and intentions behind Russia's campaigns against U.S. critical infrastructure. From denial-of-service attacks to Twitter trolls, phishing schemes, widespread disinformation campaigns, and even assassinations, Russia has employed a wide range of active measures against the West, and particularly the United States, in the last few decades. According to U.S. and European intelligence officials, these active measures present one of the most significant challenges to the Western world order since the fall of the Berlin Wall.[xviii] To many, it is clear that Vladimir Putin is seeking to destabilize the current power structure in Russia's favor and to the detriment of the West.
Russia's active measure playbook is not new. It dates back to before the beginning of the Soviet Union and has been honed over decades of deployment to advance Russian interests, domestically and internationally. The playbook strategy's primary driver is Russia's geopolitical world view, which has long been at odds with the West.[xix] One of the earliest identifiable Russian active-measure operations was the 1903 "The Protocols of the Elders of Zion" pamphlet, a disinformation document used to sow anti-Semitic sentiment as a pretext for anti-Jewish pogroms.[xx] The same playbook was used throughout the Cold War, as Russia's technology and list of adversaries expanded, and again in the 2016 United States Presidential Election. As one researcher for the Foreign Policy Research Institute states of the election interference, "[Russia] just used a digital battlefield instead of an analog one. They didn't do anything in terms of strategic doctrine that was different. It was just much easier to execute in cyberspace and social media than they could have ever done in the 1980s, for example."[xxi] That Moscow has stuck to the same Soviet-era playbook should not come as a surprise because much of the modern Russian government's leadership rose through the ranks during the Cold War—including President Putin.
Russia's cyber campaigns have been widespread in terms of targets and tactics and are increasingly hybrid, involving both organized crime and government operatives. Professional criminals such as Evgeny Bogachev, the mastermind behind the GameOver Zeus botnet[4], have perpetrated complex malware schemes to steal hundreds of millions of dollars from U.S. financial institutions and even to search for classified information on servers belonging to Russia's adversaries.[xxii] Bogachev allegedly controlled as many as one million computers across many countries, including machines belonging to government officials, with access to everything from business proposals to family photos and highly confidential personal information.[xxiii] Russian government agencies are believed to have piggybacked on Bogachev's extensive network to gather information on the war in Syria and the conflict in eastern Ukraine, and officers of the Federal Security Service may have been supervising his activities.
Russian cyber operations are not limited to nation-state espionage, however. Moscow has been tied to numerous campaigns targeting critical infrastructure in other countries, including electrical grids, online commercial infrastructure, and nuclear plants. These efforts have largely stayed below the threshold of what constitutes overt warfare, which has allowed Russia to advance its geopolitical agenda outside its borders without provoking a conventional military response.[xxiv] It has also used its cyber capabilities to gather information on dissidents, such as Yulia Stepanova, a prominent whistleblower in Russia's Olympic doping scandal. Russian intelligence agencies have a history of using sensitive information on targets to blackmail them into silence. This practice, known as kompromat, includes doctoring legitimate material with fabricated content to produce false products, as in the 2009 scandal involving a doctored sex tape of an American diplomat.[xxv] Collectively, this hybrid mix of real-world and cyber tools, ranging from honeypots and trojans to social media disinformation campaigns, has been deployed by Russia with varying degrees of success in an attempt to destabilize the West.
Russia's capabilities in the critical infrastructure-cyber space
History of Russian attempts to access U.S. critical infrastructure
Russia has a long history of alleged attacks and attempts against the United States and its critical infrastructure systems. This paper will focus on four distinct instances: Moonlight Maze, the 2014 oil and gas targeting, the 2016 election, and the 2017 nuclear and water facilities penetrations.
Moonlight Maze (1990s)
More than two decades later, Moonlight Maze remains one of the most significant cyberattacks on the United States by a foreign government. A "cybersecurity wake-up call," Moonlight Maze was a series of intrusions into U.S. government networks between 1996 and 2003 in which the intruders gained access to computer systems at the Pentagon, the Department of Energy, NASA, private universities, and research institutions, gathering information such as military maps and hardware designs.[xxvi] The attackers accessed thousands of sensitive but unclassified files for at least a year before they were detected; investigators claimed that a printout of all of the stolen material would stand three times the height of the Washington Monument.[xxvii] Moonlight Maze is widely regarded as the first known state-on-state cyber attack, and attribution was difficult because investigators had only a Russian IP address as hard evidence of Moscow's involvement. Up to that point, most high-profile cyber incidents targeting U.S. government networks had been attributed to non-state actors. Moonlight Maze signaled to government leaders the very real risk that Russia or other state-sponsored entities could penetrate government systems.
The attackers maintained access using back doors that allowed them to re-enter already compromised systems over an extended period, and they relayed some of the stolen traffic back to Russia. The back door was an open-source tool rather than a proprietary one, and it was used again in later intrusions by another Russian advanced persistent threat (APT) group, Turla, in 2011 and possibly 2017.[xxviii] For the most part, Moonlight Maze has evaded open forensic analysis, and the exact technical details remain a mystery to the public.[5] Even so, Moonlight Maze set the stage for a new decade of state-sponsored hacking and espionage.
Oil and Gas Targeting (2014)
In June 2014, Symantec Security Response released a report detailing a Stuxnet-like[6] campaign to remotely access and control the networks of hundreds of Western oil and gas companies, attributed to the Russian APT group "Energetic Bear," also known as Dragonfly. The campaign's motive was believed to be industrial espionage, given the importance of the oil and gas industry to Russia's economy.[xxix] The attacks affected over 1,000 organizations in 84 countries, including the United States, and spanned several years. Energetic Bear initially targeted U.S. and Canadian defense and aviation companies before shifting its focus to U.S. and European energy firms in 2013. The attackers gained access to energy grid operators, major electricity generation firms, oil pipeline operators, and energy industry control system equipment manufacturers through a multiphase approach: phishing emails sent to company personnel, and watering hole attacks that compromised websites likely to be visited by energy sector workers and served malware to those visitors. Energetic Bear also trojanized the legitimate software bundles of at least three industrial control system equipment manufacturers, so that customers downloading the vendors' own installers received the malware along with them.[xxx] Moreover, the attackers made their tools difficult to identify or attribute by obfuscating their malware with encryption and placing it where it was hard to remove.
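The trojanized vendor installers are the part of the Dragonfly campaign that a defender can actually check for at install time, so they make a useful worked example. The Python below is added here for illustration and is not code from Symantec, from the affected vendors, or from the original paper. It verifies a downloaded bundle against a digest manifest whose authenticity is checked with a key obtained out of band; an HMAC stands in for the vendor's public-key signature so that the example stays within the standard library. The manifest format, the file names, the "out-of-band key", and the bundle contents are all constructed assumptions. The ordering matters: a manifest fetched from the same compromised download site would happily vouch for a trojanized installer, which is why the manifest's authenticity is checked before any file digest is trusted.

```python
"""Verify a vendor installer bundle against an authenticated digest manifest.

Added example (not the paper's or any vendor's code). The manifest format,
key handling and bundle contents are assumptions made for illustration.
"""
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class VerificationReport:
    ok: list = field(default_factory=list)          # listed files whose digest matched
    tampered: list = field(default_factory=list)    # listed files whose digest did not match
    missing: list = field(default_factory=list)     # listed in manifest, absent on disk
    unexpected: list = field(default_factory=list)  # on disk, not listed (e.g. a dropped loader)
    manifest_authentic: bool = False                # manifest MAC verified with the out-of-band key

    @property
    def safe_to_install(self) -> bool:
        """Only install when the manifest is authentic and every file matches it exactly."""
        return self.manifest_authentic and not (self.tampered or self.missing or self.unexpected)


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Manifest lines look like sha256sum output: '<hex digest>  <file name>'. Assumed format."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        entries[name.strip()] = digest.lower()
    return entries


def sign_manifest(manifest_text, key):
    """HMAC over the manifest; stands in for the vendor's detached signature (assumption)."""
    return hmac.new(key, manifest_text.encode(), hashlib.sha256).hexdigest()


def verify_bundle(bundle_dir, manifest_text, manifest_mac, key):
    """Check manifest authenticity first, then every file in the bundle directory against it."""
    report = VerificationReport()
    report.manifest_authentic = hmac.compare_digest(sign_manifest(manifest_text, key), manifest_mac)
    expected = parse_manifest(manifest_text)
    on_disk = {n for n in os.listdir(bundle_dir) if os.path.isfile(os.path.join(bundle_dir, n))}
    for name, digest in expected.items():
        if name not in on_disk:
            report.missing.append(name)
            continue
        actual = sha256_file(os.path.join(bundle_dir, name))
        (report.ok if hmac.compare_digest(actual, digest) else report.tampered).append(name)
    report.unexpected.extend(sorted(on_disk - set(expected)))
    return report


def demo():
    """Build a constructed bundle, verify it, then trojanize it the way the campaign did
    (modified installer plus an extra loader) and verify again. Returns the three reports."""
    key = b"vendor-key-obtained-out-of-band"  # assumption: stands in for the vendor's signing key
    with tempfile.TemporaryDirectory() as bundle:
        genuine = {"setup.exe": b"genuine installer bytes", "driver.dll": b"genuine driver bytes"}
        for name, data in genuine.items():
            with open(os.path.join(bundle, name), "wb") as f:
                f.write(data)
        manifest = "\n".join(f"{hashlib.sha256(d).hexdigest()}  {n}" for n, d in genuine.items())
        mac = sign_manifest(manifest, key)
        clean = verify_bundle(bundle, manifest, mac, key)

        with open(os.path.join(bundle, "setup.exe"), "ab") as f:
            f.write(b"\x90\x90 appended dropper stub")  # constructed tampering
        with open(os.path.join(bundle, "update_helper.dll"), "wb") as f:
            f.write(b"constructed extra loader")
        trojaned = verify_bundle(bundle, manifest, mac, key)

        # An attacker who controls the download site can also republish a manifest that
        # matches the trojanized files, but cannot produce a valid MAC for it.
        forged_manifest = "\n".join(
            f"{sha256_file(os.path.join(bundle, n))}  {n}" for n in sorted(os.listdir(bundle)))
        forged = verify_bundle(bundle, forged_manifest, mac, key)
    return clean, trojaned, forged


if __name__ == "__main__":
    for label, report in zip(("clean", "trojaned", "forged manifest"), demo()):
        print(f"{label}: safe_to_install={report.safe_to_install} {report}")
```

The three reports show the three outcomes a practitioner cares about: the genuine bundle verifies; the trojanized bundle is caught both by the modified installer digest and by the extra file that the manifest never listed; and a manifest rewritten to match the trojanized files fails the authenticity check, so it is never consulted.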
While the Energetic Bear campaign bears a resemblance to the Stuxnet attack on Iran's uranium enrichment program, its goal aligns more with espionage than sabotage. Kevin Haley, a director at Symantec Security Response, stated in an interview that there was no evidence the group intended to use its access to inflict serious damage, such as blowing up an oil rig or a power facility. Instead, the motive was to learn about energy competitors' operations, strategic plans, and technology.[xxxi] However, given the widespread access this APT group had to sensitive networks within the energy sector, Russia could have caused significant disruption and destabilization across Europe and the United States. The group, which researchers have described as both aggressive and careful, has since moved on to targeting companies in another critical infrastructure sector, financial services.
2016 Elections
Possibly the most widely known state-sponsored incident against the United States was the series of cyber operations surrounding the 2016 U.S. presidential election. While Moonlight Maze was a stage-setter for state-on-state cyber attacks, the cyber activities of the 2016 election year were an entirely new ballgame. One year before the election, Russian hackers had accessed a series of unclassified government email networks used by the White House, the Pentagon, the Joint Chiefs of Staff, and the State Department. This access included President Obama's personal email correspondence and exchanges between ambassadors and diplomats regarding personnel moves, legislation, and policy debates.[xxxii] The intrusion, which was far more extensive than originally acknowledged publicly, happened around the time tensions over Russia's seizure of Crimea flared again. Some experts say it was so significant that government officials held near-daily meetings for several weeks to investigate.[xxxiii] The Department of State even shut down large portions of its unclassified email system to remove the malware.[xxxiv] A curious aspect of the 2015 intrusion is that the Obama administration refused to publicly attribute it, a stark contrast to previous decisions to name state-sponsored attacks from Iran and North Korea. Some officials believed the decision to keep this incident close to the chest was due to the breach of the president's emails, and was an attempt to avoid tipping off Moscow about what exactly the investigation had uncovered.[xxxv] Next, Russia set its sights on the Democratic National Committee (DNC) and the email accounts of staffers on the presidential campaign of the Democratic candidate, Hillary Clinton.
Cybersecurity firm CrowdStrike attributed the intrusions to two Russian intelligence agencies, the GRU and the FSB, whose hacking groups it had dubbed Fancy Bear and Cozy Bear, respectively. The groups carried out phishing campaigns specifically targeting Clinton campaign chairman John Podesta and various staff within the DNC. An aide to Podesta mistakenly described a phishing email as "legitimate" in an email to a computer technician. This mistake allowed the Kremlin to access more than 60,000 emails in Podesta's private Gmail account. The emails were collected and delivered to WikiLeaks, igniting a firestorm in the news.[xxxvi] Cozy Bear, the APT group tied to the FSB, had allegedly been operating phishing campaigns since 2015 and was unaware that the GRU was running similar campaigns.[xxxvii]
Although the GRU and FSB had not directly infiltrated government networks with this attack, government officials were concerned that Russian APT groups tied to the Kremlin had taken steps toward attacking the U.S. political system.[xxxviii] What set this operation apart from previous Russian information-gathering missions was that the stolen material was dumped widely on the Internet. One former Defense Intelligence Agency analyst stated, "Targeting a political campaign, trying to find out everything you can about the next leader of the free world, is fair game for intelligence services, as much as we hate it. That's a valid intelligence target… Dumping this much information and [leaving] very much the sense that there's more to come, we have to ask different questions about what the Russian objectives are and what they think is going to happen." At the time of the breaches, Russia's intentions were unclear. However, in a secret assessment, the CIA later concluded that the Russian intervention was an attempt not just to undermine American citizens' confidence in the U.S. electoral system but an overt attempt to help the Republican candidate, and eventual president, Donald Trump win the election.[xxxix] The attribution to Russia was confirmed by other members of the U.S. intelligence community, including the Department of Homeland Security.[xl] President Obama attempted to find bipartisan consensus on Capitol Hill to condemn the hacks publicly but was thwarted by Senate Majority Leader Mitch McConnell and other Senate Republicans.[xli] Despite the inability to find consensus in Congress, the government did address the attack with several actions, including designating election systems as critical infrastructure, which will be discussed in a later section of the paper.
U.S. nuclear power and water facilities (2017)
While many know about Russian hackers influencing the 2016 U.S. presidential election, few are aware of Moscow's attempts to gain a foothold in the American energy grid during the same period. Two years after the election interference, the U.S. government released a report describing a significant campaign by Russian hackers to infiltrate America's critical infrastructure. In this report, the Department of Homeland Security and the Federal Bureau of Investigation stated that Russian actors had gained access to computers across several targeted industries, including power plants, nuclear generators, and water facilities, and collected sensitive data such as passwords, logins, and energy generation data. This campaign is also attributed to Energetic Bear, or Dragonfly. Like the 2014 intrusions, the threat actors used spear-phishing campaigns, watering-hole domains, open-source and network reconnaissance, and targeted industrial control system infrastructure.[xlii] Once inside, the threat actors collected information by capturing screenshots, recording computer details, and gathering information about the users of specific machines. The report is vague about the actual impact on infrastructure and states only that the campaign "affected multiple organizations" across sectors. Although the report does not describe identifiable sabotage, researchers believe that this kind of intrusion could set up future attacks that do more than collect data.[xliii] Of the campaign, former Deputy Director of the National Security Agency Chris Inglis stated, "This is not an opportunistic foray on the part of the Russians. They seem to be intent on getting into the crucial infrastructure; they didn't simply get there because they've taken a shotgun approach." Notably, the report was the first time the United States government explicitly blamed Russia for attacks on energy infrastructure. By doing so, the government laid the groundwork for establishing deterrence in cyberspace by making sanctions possible and increasing the risk associated with future hacks.[xliv]
Although this specific instance of cyber espionage did not cause widespread alarm on its own, alarms were raised in 2017 when security researchers publicly described Russian malware capable of disrupting electric systems like America's. The malware, known as CrashOverride, had been used to shut down part of the Ukrainian electric grid in 2016 (the specific details of which are discussed in the next section), raising serious concern about Russia's intentions in infiltrating U.S. systems.[xlv]
Notable cases outside of the United States
Estonia (2007)
Considered by many to be the world's first instance of cyber warfare, the 2007 cyberattacks on Estonia changed the international understanding of how cyber capabilities can be used against another nation. After the relocation of a controversial Soviet-era war memorial in Tallinn, Estonia was hit with a wave of attacks on more than fifty Estonian websites, including those belonging to the government, banks, and major news outlets. The attacks consisted chiefly of distributed denial-of-service (DDoS) floods and spam: the inboxes of prominent government officials were flooded, websites were defaced, and the country's servers could not handle the sheer weight of the traffic. Estonian officials attributed the attack to Russia on the belief that it was retaliation for moving the bronze statue. Russia has vehemently denied these claims. Although the attacks have not been officially attributed to Russian state actors, the timing and outcome suggest that they were part of a larger coordinated campaign by the Kremlin to preserve influence abroad and among Russian minority populations along its borders.[xlvi] Rather than a single continuous assault, the campaign consisted of waves of attacks over roughly a month. According to one report, the attacks and the response they required cost Estonia between 1 and 3.5 percent of its GDP.[xlvii] In A Fierce Domain: Conflict in Cyberspace 1986 to 2012, Andreas Schmidt wrote, "While defacements of governmental websites created embarrassment for the sites' owners and symbolically undermined political institutions, they hardly constitute a major blow to the society and its security. The main causes for concern were the DDoS attacks on the Estonian infrastructure, as they endangered the availability and functionality of services crucial to the functioning of Estonian society."[xlviii]
At the time, there was no agreed code of conduct between nation-states for the conduct of war in cyberspace. In the wake of the attacks, NATO established the Cooperative Cyber Defence Centre of Excellence in Tallinn, which later convened the group of legal experts that produced the Tallinn Manual on the International Law Applicable to Cyber Warfare. The manual sets out how existing international law applies to warfare in the cyber realm, effectively articulating a set of norms for cyberspace. While the manual holds that no state has sovereignty over the Internet as a whole, it does recognize that states have sovereignty over the Internet infrastructure within their territory.[xlix] The manual's development was the first comprehensive attempt to set an international standard for the conduct of war in the digital space.
Ukraine (2015, 2017)
One of the most well-known critical infrastructure attacks happened in December 2015, when Ukrainian power distribution companies were hit by an attack on their supervisory control and data acquisition (SCADA) systems using malware known as BlackEnergy, resulting in a massive electrical blackout.[l] Approximately 230,000 people in western Ukraine were left without power for hours.[li] While the outcome was not devastating, the attack highlighted a vital weakness in the nation's critical infrastructure security. It began with spear-phishing emails, typically considered a low-tech approach to intrusion, and escalated to the implanting of malware in the utilities' networks. That foothold gave the attackers remote access to the utilities' control networks, from which they manually switched off power at electrical substations. It was only the second known case, after Stuxnet, of a cyber attack built to disrupt physical systems.
What most alarmed researchers about the 2015 attack was that it appeared to be a dry run for future attacks, signaling the possibility of larger and more severe targets down the road. A year later, in December 2016, part of Kyiv's power supply was taken down again, this time by new, purpose-built malware, the previously mentioned CrashOverride (also known as Industroyer). Unlike the 2015 intrusion, this attack was largely automated: the malware spoke the grid's own control protocols (IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA, according to Dragos) directly to substation equipment, which hastened the attackers' ability to take the system offline. CrashOverride could open circuit breakers and then keep reissuing the open command in a loop, so that operators could not reclose them remotely and had to intervene manually.[lii] Dragos described it as only the second known case of malicious code purpose-built to disrupt physical systems, the first being Stuxnet. Researchers also found this malware to be far more scalable: the 2015 attack on three regional energy companies had required more than 20 people, whereas the same team could now target 10 or 15 sites in the same amount of time and with the same effort.[liii] Furthermore, the second attack was harder to trace. Once it infected a victim's network, it recorded network logs to send back to its operators, letting them learn how to adapt future versions to the control system's functions. Lastly, a wiper module could destroy files across infected systems, effectively covering the malware's tracks after the attack was completed.
Researchers found that the malware was not used to its full capacity, indicating that the attack may have been more of a "proof of concept" than a full demonstration of its capabilities. However, they cautioned that while CrashOverride is "extremely concerning," it should not be read as a "doom and gloom" scenario, given the sheer scale of effort that would be necessary to cause a catastrophic event.[liv]
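The behaviour described above, speaking IEC 104 directly to substation equipment and hammering one breaker with repeated open commands, is also what a passive monitor on the control network would look for. The following is an added example written for this page; it is not code from the paper or from Dragos. It parses a minimal subset of IEC 60870-5-104 (I-format frames carrying a single or double command, ASDU types 45 and 46, non-sequenced addressing) and raises an alert when one information object address receives a burst of execute commands inside a short window. The sample capture, the common address and IOA values, and the window and threshold are all constructed for the example, not taken from any real substation.

```python
"""IEC 60870-5-104 command-flood detector (added example, not from the paper
or Dragos). Handles I-format APDUs carrying one single/double command (types
45/46, non-sequenced); all sample frames and addresses below are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

C_SC_NA_1, C_DC_NA_1 = 45, 46   # single command, double command
COT_ACTIVATION = 6               # cause of transmission: activation


@dataclass(frozen=True)
class Command:
    type_id: int
    cot: int
    common_address: int
    ioa: int        # information object address, e.g. one breaker
    state: str      # "OFF", "ON" or "INVALID"
    select: bool    # select (True) or execute (False) phase


@dataclass(frozen=True)
class Alert:
    at: float
    common_address: int
    ioa: int
    state: str
    count: int


def parse_apdu(buf: bytes) -> Optional[Command]:
    """Return a Command for a type 45/46 I-format APDU, None for other traffic.
    Raises ValueError on malformed framing so a monitor can count bad frames."""
    if len(buf) < 6 or buf[0] != 0x68:
        raise ValueError("missing 0x68 start byte or truncated APCI")
    if buf[1] != len(buf) - 2:
        raise ValueError("APDU length field does not match frame size")
    if buf[2] & 0x01:                       # S- or U-format: control only, no ASDU
        return None
    asdu = buf[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq, cot = asdu[0], asdu[1], asdu[2] & 0x3F
    if type_id not in (C_SC_NA_1, C_DC_NA_1):
        return None                         # interrogations, measurements, ...
    if vsq & 0x80 or (vsq & 0x7F) != 1 or len(asdu) < 10:
        raise ValueError("expected exactly one non-sequenced command object")
    common_address = int.from_bytes(asdu[4:6], "little")
    ioa = int.from_bytes(asdu[6:9], "little")
    qual = asdu[9]                          # SCO / DCO qualifier byte
    if type_id == C_SC_NA_1:
        state = "ON" if qual & 0x01 else "OFF"
    else:
        state = {1: "OFF", 2: "ON"}.get(qual & 0x03, "INVALID")
    return Command(type_id, cot, common_address, ioa, state, bool(qual & 0x80))


def detect_command_flood(frames: List[Tuple[float, bytes]],
                         window_s: float = 10.0, threshold: int = 3) -> List[Alert]:
    """Alert when one (common address, IOA) receives `threshold` activation-
    execute commands inside `window_s` seconds; fires once per burst."""
    recent: Dict[Tuple[int, int], Deque[float]] = defaultdict(deque)
    alerts: List[Alert] = []
    for ts, buf in sorted(frames, key=lambda f: f[0]):
        cmd = parse_apdu(buf)
        if cmd is None or cmd.cot != COT_ACTIVATION or cmd.select:
            continue                        # selects and non-command traffic
        q = recent[(cmd.common_address, cmd.ioa)]
        q.append(ts)
        while ts - q[0] > window_s:         # drop timestamps outside the window
            q.popleft()
        if len(q) == threshold:             # exactly at the crossing point
            alerts.append(Alert(ts, cmd.common_address, cmd.ioa, cmd.state, len(q)))
    return alerts


def build_command(type_id: int, ioa: int, qual: int, cot: int = COT_ACTIVATION,
                  common_address: int = 1, tx: int = 0, rx: int = 0) -> bytes:
    """Build an I-format APDU with one command object (for the sample capture)."""
    control = bytes([(tx << 1) & 0xFF, (tx >> 7) & 0xFF, (rx << 1) & 0xFF, (rx >> 7) & 0xFF])
    asdu = (bytes([type_id, 0x01, cot, 0x00]) + common_address.to_bytes(2, "little")
            + ioa.to_bytes(3, "little") + bytes([qual]))
    return bytes([0x68, len(control) + len(asdu)]) + control + asdu


# Constructed capture: (seconds, raw APDU). Normal operator traffic first, then a
# CrashOverride-style loop hammering breaker IOA 1001 with OFF commands.
S_FORMAT_ACK = bytes([0x68, 0x04, 0x01, 0x00, 0x02, 0x00])
SAMPLE_FRAMES = [
    (0.0, build_command(C_SC_NA_1, 1001, 0x80)),    # operator: select
    (0.4, build_command(C_SC_NA_1, 1001, 0x00)),    # operator: execute OFF
    (0.5, S_FORMAT_ACK),                            # supervisory ack, ignored
    (30.0, build_command(C_DC_NA_1, 1002, 0x02)),   # operator: double command ON
    (100.0, build_command(C_SC_NA_1, 1001, 0x00)),
    (100.5, build_command(C_SC_NA_1, 1001, 0x00)),
    (101.0, build_command(C_SC_NA_1, 1001, 0x00)),  # third inside 10 s -> alert
    (101.5, build_command(C_SC_NA_1, 1001, 0x00)),
    (102.0, build_command(C_SC_NA_1, 1001, 0x00)),
]

if __name__ == "__main__":
    for a in detect_command_flood(SAMPLE_FRAMES):
        print(f"t={a.at:.1f}s CA={a.common_address} IOA={a.ioa}: {a.count} {a.state} "
              "commands inside window, possible breaker loop")
```

The single operator select/execute pair and the isolated double command never reach the threshold, while the five OFF commands on IOA 1001 trigger one alert at the third command. On a real control network the raw APDUs would come from a span port or a packet capture, the window and threshold would be tuned to the site's normal switching rate, and the select/execute pairing itself (an execute with no preceding select) is a second signal worth alerting on.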
What has the United States done to counter or deter these attacks?
Following the events surrounding the 2016 election, the United States took some new approaches to securing its critical infrastructure by strengthening its defensive and offensive cyber posture. After failing to find bipartisan consensus on Capitol Hill to publicly condemn Russia's attacks, President Obama levied sanctions on Russia, expelled 35 Russian diplomats, and closed two Russian diplomatic compounds in the United States (the Russian consulate in San Francisco was closed later, in 2017). The administration also used Cold War-style channels to communicate to Russia that any actual attack on election infrastructure would not be tolerated.[lv] Some critics have argued that these measures did not carry the same weight as the initial attacks, given that Russia could, and later did, respond with reciprocal expulsions of American diplomats.
In May 2017, President Trump issued Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, directing federal agencies to manage their cyber risk using the NIST Framework for Improving Critical Infrastructure Cybersecurity, widely known as the "Cybersecurity Framework." The framework is a collaborative effort among government, academia, and industry stakeholders, organized around five core functions (Identify, Protect, Detect, Respond, Recover) that give organizations a common vocabulary for preventing, detecting, and responding to cyberattacks. In the lead-up to the 2020 presidential election, the Cybersecurity and Infrastructure Security Agency (CISA) strengthened its information sharing by creating the "Rumor Control" election security page, which covers various scenarios to help voters distinguish between rumors and facts on election security issues.[lvi]
The United States also reportedly "stepped up digital incursions into Russia's electric power grid," both as a capacity-building exercise and as a warning against Russia conducting further hostile operations against U.S. cyber infrastructure. Whether such peacetime intrusions violate international norms is debatable, since they were framed as a response to Russian intrusions into U.S. critical infrastructure.[lvii] The activity was conducted under the authorities of the 2019 National Defense Authorization Act and the Department of Defense's 2018 Cyber Strategy, which states: "[T]he Department seeks to preempt, defeat, or deter malicious cyber activity targeting U.S. critical infrastructure that could cause a significant cyber incident regardless of whether that incident would impact DoD's warfighting readiness or capability. Our primary role in this homeland defense mission is to defend forward by leveraging our focus outward to stop threats before they reach their targets."
What else can be done?
Cyberspace Solarium Commission Report Recommendations
In early 2020, the Cyberspace Solarium Commission released a report reaffirming Congress's support for the Department of Defense's "defend forward" strategy through persistent engagement. The report, organized across six pillars, offered recommendations for strengthening the United States' cyber capabilities through a whole-of-nation approach. These recommendations range from reforming the government's structure and organization for cyberspace to strengthening norms and reshaping the cyber ecosystem toward greater security.[lviii] Many of the report's recommendations would strengthen America's defensive and offensive cyber posture generally, but this paper focuses on those that could help deter malicious actors from targeting critical infrastructure systems. The recommendations below are quoted directly from the commission report:
(1) Codify sector-specific agencies into law as "sector risk management agencies" and strengthen their ability to manage critical infrastructure risk
"The U.S. government should build the necessary structures and processes to continuously understand, assess, and manage national-level cyber risk across the critical infrastructure ecosystem. Owners and operators of critical infrastructure are not always fully aware of the risk they inherit, their risk, the risk they pass on, and, more relevant to the federal government, the risk they bear for national security, economic security, and public health and safety. Creating an accurate picture of "national risk" has thus far eluded the U.S. government and the private sector working independently, and the United States should focus on strengthening the public-private mechanisms for both understanding and mitigating national risk in areas where such mitigation is most critical."
(2) Codify the concept of "systemically important critical infrastructure"
"Congress should codify the concept of 'systemically important critical infrastructure,' whereby entities responsible for systems and assets that underpin national critical functions are ensured the full support of the U.S. government and shoulder additional security requirements befitting their unique status and importance."
(3) Strengthen a public-private integrated cyber center in CISA to support critical infrastructure security
"Congress should direct the executive branch to strengthen a public-private, integrated cyber center within CISA in support of the critical infrastructure security and resilience mission and to conduct a one-year, comprehensive systems analysis review of federal cyber and cybersecurity centers including plans to develop and improve integration."
(4) Strengthen the U.S. government's ability to take down botnets
"Robot networks, or botnets, are networks of computers hijacked by criminals and nation-states to promulgate their malicious activity. Criminals use botnets to spread spam and phishing emails, impersonate users, and carry out distributed denial-of-service (DDoS) attacks.
It is estimated that as much as 30 percent of all internet traffic could be attributable to botnets, and most of that traffic is from DDoS attacks. Currently, law enforcement, working with the private sector, can dismantle botnets when they are used to perpetrate fraud or illegal wiretapping; however, botnets are often used for other nefarious purposes, such as harvesting email accounts and executing DDoS attacks against websites or other computers. In these latter types of cases, the courts may lack the statutory authority to issue an injunction to disrupt the botnet. As the techniques of adversaries adapt (i.e., moving to greater use of virtual private servers), addressing the challenge of dismantling adversary botnets becomes even more complex.
To enable the U.S. government to better work with private industry and international partners, action is needed. In consultation with the Department of Justice, Congress should enact Section 4 of the International Cybercrime Prevention Act. This legislation would provide broader authority to disrupt all types of illegal botnets, not just those used in fraud."
(5) Leverage sanctions and trade enforcement actions
"The U.S. government can better punish cyber aggressors and signal U.S. intent toward potential attackers when it leverages its tools of economic statecraft as a component of a multipronged enforcement strategy. However, the efficacy of sanctions depends heavily on a number of factors, including their target and timeline, the degree of international coordination, and the path to lifting them. The European Union (EU) has already begun to bolster its commitment to using sanctions to deter and respond to cyberattacks through the 2019 EU cyber sanctions regime, including banning violators from traveling to the EU and freezing their assets. With this framework in mind, the United States should join the international community in strengthening its dedication to using economic sanctions, when possible and appropriate, against those who conduct cyberattacks on the U.S. electoral process and infrastructure."
Domestic resilience
Domestic resilience is an essential component of securing America's critical information infrastructure. As internet service providers, technology manufacturers, and U.S. agencies work to build secure networks and products, American citizens themselves remain a significant vulnerability that cannot be fixed with hardware and software patches. The U.S. government must therefore build user resilience through robust digital literacy campaigns that promote awareness and understanding among everyday citizens. Russia's ability to infiltrate systems within U.S. critical infrastructure relies heavily on social engineering tactics such as phishing and watering-hole attacks, in which a website the targets are known to visit is compromised in order to deliver malware to them. Robust technical protections and regulations cannot fully secure the human side of cybersecurity, nor can they deter attacks on their own. With humans the weakest link in the chain of cyber resilience, equipping system users with the appropriate mitigations against social engineering will be paramount.
As of 2019, 90% of U.S. adults, well over 200 million people, were regular internet users.[lix] In principle, that is well over 200 million possible entry points through which malicious foreign actors could attempt to gain access to or influence America's digital information infrastructure. One digitally illiterate government employee, banker, or hospital worker could be the trigger for a catastrophic breach. Millions of unaware voters could fall prey to sophisticated influence and disinformation campaigns carried out on seemingly innocuous social media platforms.[lx] Simply put, if the U.S. government wants to secure its digital borders, it must ensure that individual Americans have the capability and resources to secure themselves and their networks against malicious actors.[lxi]
Several approaches can help build digital and cyber resilience among the general population. Some steps are already being taken, such as training local election officials to secure election infrastructure and providing fact-checking on social media platforms.[lxii] However, there is much more the U.S. government can do.
Providing digital literacy education in schools and the broader community is a good first step toward societal resilience. Many American adults have never been formally educated about the risks and vulnerabilities they face on the Internet, leaving generations of users at high risk of manipulation and influence without realizing it. The government must fill these knowledge gaps for individuals beyond school age through outreach campaigns and alert systems. Individuals must build the digital and critical reasoning skills needed to identify and understand the risks presented to them as they use the Internet.
Another area where the government can shore up domestic societal resilience is regulation. U.S. technology and social media companies operate largely unregulated or self-regulated, giving them wide latitude to create digital environments that are dangerous to digitally illiterate consumers. Data privacy, algorithmic accountability, and online advertising laws can provide standards of operation for technology companies that help mitigate the misuse of personal data for malicious operations.[lxiii] As the owners of troves of personal user data, it will also be crucial for these companies to operate in an information-sharing environment with the U.S. government to identify known threats and malicious actors.
Conclusion
The threat presented by Russia to U.S. critical infrastructure is multi-faceted. It signals a very real need for the U.S. government and private companies to strengthen the country's defensive posture. Russia has proven a formidable opponent in cyber warfare, with the capabilities needed to destabilize large portions of many of the 16 critical infrastructure sectors with relatively minimal effort. Shoring up resilience will require a robust cross-sector approach spanning government, private companies, and citizens alike. While the NIST Cybersecurity Framework offers a solid base for building a stronger defensive posture across sectors, more must be done to centralize deterrence mechanisms within the critical infrastructure system.
The 2020 Cyberspace Solarium Commission report offers recommendations on strategic pillars for shoring up the U.S. "defend forward" posture, calling on both the public and private sector to approach cybersecurity from a whole-of-nation standpoint. Adopting standards of care for owners of critical infrastructure, relevant vendors, and the government agencies responsible for the oversight and security coordination of the 16 critical infrastructure sectors will be a positive step forward in ensuring resiliency. Educating infrastructure operators, general employees, and consumers on digital hygiene best practices will be crucial to stemming the flow of access through phishing and disinformation campaigns.
Addressing the Russian threat to critical infrastructure should not focus only on deterrence, however. As many of the attacks are not discovered until after they have been perpetrated, building a strong framework for holding bad actors accountable for their actions will be critical. The government must work with private sector companies to establish a mechanism for taking these attacks from the investigation stage through attribution to prosecution. Unless it is clear that there will be severe consequences for malicious actions against the United States, Russia is unlikely to be fully deterred. The actions of Russian actors must be met with a proportionate scale of punishment within an appropriate timeframe. Russia simply cannot be allowed to operate in this space against the United States with impunity. While avoiding escalation will be key in addressing future acts, the U.S. government must not shy away from holding Russia accountable for its actions, as it initially did in the immediate aftermath of the 2016 election campaign.
[1] "Critical Infrastructure Vulnerability Assessments | CISA," accessed November 29, 2020, https://www.cisa.gov/critical-infrastructure-vulnerability-assessments.
[2] James R. Clapper, Statement for the Record: Worldwide Threat Assessment of the US Intelligence Community. Senate Armed Services Committee, February 9, 2016, https://www.dni.gov/files/documents/SASC_Unclassified_2016_ATA_SFR_FINAL.pdf.
[3] Keir Giles, "Russia's 'New' Tools for Confronting the West: Continuity and Innovation in Moscow's Exercise of Power," London: Chatham House, March 2016; Timothy L. Thomas, "Nation-State Cyber Strategies: Examples From China and Russia," accessed at http://ctnsp.dodlive.mil/files/2014/03/Cyberpower-I-Chap-20.pdf; and Wirtz, op cit.
[4] GameOver Zeus is a peer-to-peer malware used to steal bank credentials most often propagated by cybercriminals through spam and phishing messages. Once infected with the malware, infected systems can then be used to engage in other malicious activities against other computers, such as DDoS attacks.
[5] In 2017, Professor Thomas Rid unearthed evidence linking Moonlight Maze to the more recent Turla attacks by examining a server held by a former IT manager who had consulted with the DoD and FBI during their investigation of Moonlight Maze. While the connection is not officially accepted, experts at Kaspersky believe it can be taken as an indication that Russia's state-sponsored hackers never went dormant after being found out.
[6] Stuxnet is a malicious computer worm used to remotely infiltrate and damage the Iranian nuclear program, widely attributed to the United States and Israel. The worm infected over 200,000 computers and physically degraded 1,000 machines, resulting in damage to almost one-fifth of Iran's nuclear centrifuges.
[i] United States Cybersecurity & Infrastructure Security Agency, "Identifying Critical Infrastructure During COVID-19 | CISA," April 2020, https://www.cisa.gov/identifying-critical-infrastructure-during-covid-19.
[ii] Jonathan Tal, "America's Critical Infrastructure: Threats, Vulnerabilities and Solutions," Security Info Watch, September 20, 2018, https://www.securityinfowatch.com/access-identity/access-control/article/12427447/americas-critical-infrastructure-threats-vulnerabilities-and-solutions.
[iii] Tal, "America's Critical Infrastructure."
[iv] United States Cybersecurity & Infrastructure Security Agency, "Critical Infrastructure Sectors | CISA," 2020, https://www.cisa.gov/critical-infrastructure-sectors.
[v] Obama White House, "Presidential Policy Directive -- Critical Infrastructure Security and Resilience," whitehouse.gov, February 12, 2013, https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.
[vi] Tal, "America's Critical Infrastructure."
[vii] Adam Meyers, "Adversaries Set Their Sights on Oil and Gas Sector," CrowdStrike Blog, April 8, 2015, https://www.crowdstrike.com/blog/adversaries-set-their-sites-on-oil-and-gas-sector/.
[viii] Tal, "America's Critical Infrastructure."
[ix] Rebecca Liao and Ziyang Fang, "Supply Chains Have Been Upended. Here's How to Make Them More Resilient," World Economic Forum, April 6, 2020, https://www.weforum.org/agenda/2020/04/supply-chains-resilient-covid-19/.
[x] David E. Sanger and Eric Schmitt, "Russian Ships Near Data Cables Are Too Close for U.S. Comfort," The New York Times, October 25, 2015, https://www.nytimes.com/2015/10/26/world/europe/russian-presence-near-undersea-cables-concerns-us.html.
[xi] Michael Birnbaum, "Russian Submarines Are Prowling around Vital Undersea Cables. It's Making NATO Nervous.," Washington Post, December 22, 2017, sec. Europe, https://www.washingtonpost.com/world/europe/russian-submarines-are-prowling-around-vital-undersea-cables-its-making-nato-nervous/2017/12/22/d4c1f3da-e5d0-11e7-927a-e72eac1e73b6_story.html.
[xii] Douglas Main, "Undersea Cables Transport 99 Percent of International Data," Newsweek, April 2, 2015, https://www.newsweek.com/undersea-cables-transport-99-percent-international-communications-319072.
[xiii] Nadia Schadlow and Brayden Helwig, "Protecting Undersea Cables Must Be Made a National Security Priority," Defense News, July 1, 2020, https://www.defensenews.com/opinion/commentary/2020/07/01/protecting-undersea-cables-must-be-made-a-national-security-priority/.
[xiv] Michael Connell and Sarah Vogler, "Russia's Approach to Cyber Warfare" (CNA Analysis and Solutions, September 2016), https://apps.dtic.mil/dtic/tr/fulltext/u2/1019062.pdf.
[xv] B. Lilly and J. Cheravitch, "The Past, Present, and Future of Russia's Cyber Strategy and Forces," in 2020 12th International Conference on Cyber Conflict (CyCon), vol. 1300, 2020, 129–55, https://doi.org/10.23919/CyCon49761.2020.9131723.
[xvi] Garrett M. Graff, "Russia's High Tech Tool Box for Subverting US Democracy, A (Semi-Complete) Guide," Wired, August 13, 2017, https://www.wired.com/story/a-guide-to-russias-high-tech-tool-box-for-subverting-us-democracy/.
[xvii] B. Lilly and J. Cheravitch, "The Past, Present, and Future of Russia's Cyber Strategy and Forces."
[xviii] Graff, "Russia's High Tech Tool Box for Subverting US Democracy, A (Semi-Complete) Guide."
[xix] Graff.
[xx] Graff.
[xxi] Graff.
[xxii] Michael Schwirtz and Joseph Goldstein, "Russian Espionage Piggybacks on a Cybercriminal's Hacking," The New York Times, March 12, 2017, sec. World, https://www.nytimes.com/2017/03/12/world/europe/russia-hacker-evgeniy-bogachev.html.
[xxiii] Schwirtz and Goldstein.
[xxiv] Graff, "Russia's High Tech Tool Box for Subverting US Democracy, A (Semi-Complete) Guide."
[xxv] Graff.
[xxvi] Jason Healey and Karl Grindal, A Fierce Domain: Conflict in Cyberspace 1986 to 2012 (Cyber Conflict Studies Association, 2013).
[xxvii] Costin Raiu, Juan Andres Guerrero-Saade, and Thomas Rid, "Penquin's Moonlit Maze," Kaspersky SecureList, April 3, 2017, https://securelist.com/penquins-moonlit-maze/77883/.
[xxviii] "Cyber Attack Protection: Moonlight Maze | Kaspersky," accessed December 2, 2020, https://www.kaspersky.com/cyber-attack-moonlight-maze.
[xxix] Nicole Perlroth, "Russian Hackers Targeting Oil and Gas Companies," The New York Times, July 1, 2014, sec. Technology, https://www.nytimes.com/2014/07/01/technology/energy-sector-faces-attacks-from-hackers-in-russia.html.
[xxx] "Emerging Threat: Dragonfly/Energetic Bear-APT Group," Symantec Enterprise Broadcom Managed Security Services, June 30, 2014, https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=16fb565a-8297-4641-8105-b5d0d4db3ee1&CommunityKey=30643d26-dab8-4c4b-a34e-5f6f02d58ff6&tab=librarydocuments.
[xxxi] Perlroth, "Russian Hackers Targeting Oil and Gas Companies."
[xxxii] Michael S. Schmidt and David E. Sanger, "Russian Hackers Read Obama's Unclassified Emails, Officials Say," The New York Times, April 25, 2015, sec. U.S., https://www.nytimes.com/2015/04/26/us/russian-hackers-read-obamas-unclassified-emails-officials-say.html.
[xxxiii] Schmidt and Sanger.
[xxxiv] Justin Fishel and Lee Ferran, "State Dept. Shuts Down Email After Cyber Attack," ABC News, March 13, 2015, https://abcnews.go.com/US/state-dept-shuts-email-cyber-attack/story?id=29624866.
[xxxv] Schmidt and Sanger, "Russian Hackers Read Obama's Unclassified Emails, Officials Say."
[xxxvi] Luke Harding, "Top Democrat's Emails Hacked by Russia after Aide Made Typo, Investigation Finds," the Guardian, December 14, 2016, http://www.theguardian.com/us-news/2016/dec/14/dnc-hillary-clinton-emails-hacked-russia-aide-typo-investigation-finds.
[xxxvii] Harding.
[xxxviii] Spencer Ackerman and Sam Thielman, "Cozy Bear and Fancy Bear: Did Russians Hack Democratic Party and If so, Why?," the Guardian, July 29, 2016, http://www.theguardian.com/technology/2016/jul/29/cozy-bear-fancy-bear-russia-hack-dnc.
[xxxix] Adam Entous, Ellen Nakashima, and Greg Miller, "Secret CIA Assessment Says Russia Was Trying to Help Trump Win White House," Washington Post, December 9, 2016, sec. National Security, https://www.washingtonpost.com/world/national-security/obama-orders-review-of-russian-hacking-during-presidential-campaign/2016/12/09/31d6b300-be2a-11e6-94ac-3d324840106c_story.html.
[xl] "Joint Statement from the Department Of Homeland Security and Office of the Director of National Intelligence on Election Security," Department of Homeland Security, October 7, 2016, https://www.dhs.gov/news/2016/10/07/joint-statement-department-homeland-security-and-office-director-national.
[xli] Entous, Nakashima, and Miller, "Secret CIA Assessment Says Russia Was Trying to Help Trump Win White House."
[xlii] "Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors | CISA," accessed November 29, 2020, https://us-cert.cisa.gov/ncas/alerts/TA18-074A.
[xliii] Kelsey Atherton, "It's Not Just Elections: Russia Hacked the US Electric Grid," Vox, March 28, 2018, https://www.vox.com/world/2018/3/28/17170612/russia-hacking-us-power-grid-nuclear-plants.
[xliv] Atherton.
[xlv] Andy Greenberg, "Crash Override Malware Took Down Ukraine's Power Grid Last December," Wired, June 12, 2017, https://www.wired.com/story/crash-override-malware/.
[xlvi] Connell and Vogler, "Russia's Approach to Cyber Warfare."
[xlvii] Healey and Grindal, A Fierce Domain: Conflict in Cyberspace 1986 to 2012.
[xlviii] Healey and Grindal.
[xlix] Stephen Herzog, "Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational Responses," Journal of Strategic Security 4, no. 2 (July 1, 2011), http://dx.doi.org/10.5038/1944-0472.4.2.3.
[l] Tom Ball, "Top 5 Critical Infrastructure Cyber Attacks," Computer Business Review (blog), July 18, 2017, https://www.cbronline.com/cybersecurity/top-5-infrastructure-hacks/.
[li] Andy Greenberg, "Crash Override Malware Took Down Ukraine's Power Grid Last December."
[lii] "CRASHOVERRIDE: Analyzing the Malware That Attacks Power Grids | Dragos," accessed December 3, 2020, https://www.dragos.com/resource/crashoverride-analyzing-the-malware-that-attacks-power-grids/.
[liii] Andy Greenberg, "Crash Override Malware Took Down Ukraine's Power Grid Last December."
[liv] "CRASHOVERRIDE: Analyzing the Malware That Attacks Power Grids | Dragos."
[lv] David E. Sanger, "White House Confirms Pre-Election Warning to Russia Over Hacking," The New York Times, November 17, 2016, sec. U.S., https://www.nytimes.com/2016/11/17/us/politics/white-house-confirms-pre-election-warning-to-russia-over-hacking.html.
[lvi] "Statement from CISA Director Krebs on Election Security Announcement | CISA," Cybersecurity & Infrastructure Security Agency, October 21, 2020, https://www.cisa.gov/news/2020/10/21/statement-cisa-director-krebs-election-security-announcement.
[lvii] David E. Sanger and Nicole Perlroth, "U.S. Escalates Online Attacks on Russia's Power Grid," The New York Times, June 15, 2019, accessed December 4, 2020, https://www.nytimes.com/2019/06/15/us/politics/trump-cyber-russia-grid.html.
[lviii] Angus King and Mike Gallagher, "Cyberspace Solarium Commission Report" (U.S. Cyberspace Solarium Commission, March 2020).
[lix] Monica Anderson et al., "10% of Americans Don't Use the Internet. Who Are They?," Pew Research Center, FactTank (blog), April 22, 2019, https://www.pewresearch.org/fact-tank/2019/04/22/some-americans-dont-use-the-internet-who-are-they/.
[lx] Scott Shane and Sheera Frankel, "Russian 2016 Influence Operation Targeted African-Americans on Social Media," The New York Times, December 17, 2018, https://www.nytimes.com/2018/12/17/us/politics/russia-2016-influence-campaign.html.
[lxi] Angus King and Mike Gallagher, "Cyberspace Solarium Commission Report."
[lxii] "Election Security Preparedness | U.S. Election Assistance Commission," accessed October 6, 2020, https://www.eac.gov/election-officials/election-security-preparedness.
[lxiii] Joseph S Nye, "Protecting Democracy in an Era of Cyber Information War," Belfer Center Paper, February 2019, 32.