
Andy Greenberg is a WIRED security writer and author of the forthcoming book, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers.
Bossert didn't confirm or deny the facts of the Times' grid-hacking report, but criticized current Trump officials for not doing enough to deter cyberattacks from adversaries like Russia with other, more traditional means, such as diplomacy or economic incentives and punishments. While the Trump administration imposed new sanctions on Russia for grid-hacking and its unprecedented NotPetya cyberattack during Bossert's term, it's not clear what, if any, similar measures the White House or State Department has pursued since. "I do not think they’re sufficiently thinking through our other levers of national power, to explain what’s unacceptable and then to start threatening or imposing consequences or inducements—carrots or sticks—to change [Russia's] behavior," says Bossert, who has since taken a position at an as yet unnamed cybersecurity startup. "I don’t mind escalatory bravado to some degree. But I’d be furious if that’s all we did."

Obama administration cybersecurity coordinator J. Michael Daniel echoed that warning, arguing that if the Trump administration and Cyber Command are indeed taking a more offensive approach to penetrating Russia's grid, they're doing so without truly knowing the potential consequences. "This is uncharted territory in many ways. Are we setting ourselves up for a pre-World War I situation, where activities that are designed to deter instead prompt a response," says Daniel, now the president of the nonprofit Cyber Threat Alliance. "Are these activities so threatening to countries that they have to take action against them? I think this is still very much an undecided."

Even if Cyber Command restrains itself to merely gaining access to Russian networks and placing malware "implants" that could cause disruption without ever pulling the trigger, the threat alone would no doubt convince the Kremlin it had to maintain the same access to American utilities' networks. After all, Russia's hackers have already demonstrated perhaps the world's most aggressive targeting of foreign electric utility networks, triggering blackouts in Ukraine in 2015 and 2016, and gaining deep access to American utilities' industrial control systems in 2017. "The idea that we’re going to put implants in the Russian grid and they won't do the same to us is silly," Daniel says, while emphasizing that, like Bossert, he has no independent knowledge of such activities beyond the Times' story. Even the notion of trying to deter Russia by hacking their grid to the same degree that they've hacked ours introduces serious potential for unintended consequences. "If the argument is that we’re going to hold each other’s grids at risk, and that’s inherently more stabilizing, I’m not sure the theory holds entirely. I think the possibility for accidents and miscalculation is high here."

One very plausible miscalculation would be if US Cyber Command were to penetrate Russian grid networks only to "prepare the battlefield," building the capability to cause a blackout in Russia with no immediate intention to do so, but Russians misinterpreted the intrusion as an immediate threat. Georgetown University professor Ben Buchanan calls this dangerous ambiguity "the cybersecurity dilemma" in his book by the same name. "When you’re on the receiving end of a hack, it’s very hard to determine the intention of the intruders," he says. "Genuinely attacking and building the option to attack later on, which is probably what’s happening here, are very hard to disentangle."

The US officials who leaked Cyber Command's Russian grid hacking to The New York Times may in fact have intended to signal to Russia that it could turn off the lights in Moscow, without actually having to do so. (The Times itself wrote that this might be the case, given that the National Security Council expressed no concerns about the report's publication.) But it remains unclear under what circumstances Cyber Command would use its blackout capabilities. And the NYT headline stated simply that the US was escalating "attacks" on the Russian grid, rather than preparations for one. "If you're reduced to that kind of language, it makes it hard for the signal to come through," says Buchanan.

Given those ambiguities, the US should simply refrain from all targeting of enemies' civilian critical infrastructure, argues Rob M. Lee, who once led industrial control systems threat intelligence at the National Security Agency before founding critical infrastructure security firm Dragos. He points to a recent Cyber Command attack on the Internet Research Agency troll farm in St. Petersburg as an example of a more measured and targeted operation: in that strike, US hackers destroyed the servers of the Kremlin-linked disinformation operation, but didn't cause any of the collateral damage inherent in an attack on a power grid. "There are plenty of ways to go after valid military targets and cause some level of discomfort, or just messaging, that would be far more acceptable than jumping straight to civilian infrastructure," says Lee.

Lee expressed skepticism of the New York Times' claims, but he says Dragos has already sent out warnings to customers that the story will lead to renewed infrastructure targeting in the US, as Russia or other countries seek to gain parity with what they believe are US capabilities. "Any time we see tensions increase like this, we see more targeting of industrial infrastructure," Lee says.

He points out that any grid-hacking techniques the US might use against Russia could potentially be turned back on the US or its allies, providing a blueprint for sophisticated sabotage of the West's far more digitized economy. But even beyond that concern, he argues that callously treating civilians as the collateral damage of a cyberattack that could black out homes, schools, and hospitals is an unnecessary and immoral step for American hackers. "It will blow back. But I don’t oppose it because it will blow back. I oppose it because it’s not ethical," Lee says. "I don't think it's in keeping with the kind of country we want to be."