In the short span of years in which the threat of cyberwar has loomed, no one has quite figured out how to prevent one. As state-sponsored hackers find new ways to inflict disruption and paralysis on one another, that arms race has proven far easier to accelerate than to slow down. But security wonks tend to agree, at least, that there's one way not to prevent a cyberwar: launching a preemptive or disproportionate cyberattack on an opponent's civilian infrastructure. As the Trump administration increasingly beats its cyberwar drum, some former national security officials and analysts warn that even threatening that sort of attack could do far more to escalate a coming cyberwar than to deter it.
Over the past weekend, The New York Times reported that US Cyber Command has penetrated more deeply than ever before into Russian electric utilities, planting malware potentially capable of disrupting the grid, perhaps as a retaliatory measure meant to deter further cyberattacks by the country's hackers. But judging by Russia's response, news of the grid-hacking campaign may have already had the immediate opposite effect: The Kremlin warned that the intrusions could escalate into a cyberwar between the two countries, even as it claimed that Russia's grid was immune from such threats.
President Trump, meanwhile, quickly denied the Times' report. But officials like White House national security adviser John Bolton have for months hinted at a more aggressive approach to cyber operations against US adversaries, "opening the aperture, broadening the areas we’re prepared to act in,” as Bolton put it in remarks at a Wall Street Journal conference last week. And since 2017, Trump has been elevating Cyber Command's authority and reversing Obama administration rules that required other agencies' sign-off before it launched an offensive hacking operation.
But former White House cybersecurity officials caution against that cyberwar hawkishness. "The idea that we can use cyber offense capabilities to impose sabotage-like effects, and to do so in increasingly large scale and costly ways until they get it through their head that they can’t win, I don’t think that's going to work," says Tom Bossert, who served as White House homeland security advisor and the president's most senior cybersecurity-focused official until April of last year. "I want to make sure we don’t end up in an escalatory cyber exchange where we lose more than they do."
Bossert points out that in many respects the US economy and infrastructure is far more reliant on digitization and automation than Russia's, giving the Kremlin an inherent advantage in any future no-holds-barred cyberwar. He paraphrases former secretary of defense Ash Carter: "If you're doused in gasoline, don't start a match-throwing contest."
Andy Greenberg is a WIRED security writer and author of the forthcoming book, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers.
Bossert didn't confirm or deny the facts of the Times' grid-hacking report, but criticized current Trump officials for not doing enough to deter cyberattacks from adversaries like Russia with other, more traditional means, such as diplomacy or economic incentives and punishments. While the Trump administration imposed new sanctions on Russia for grid-hacking and its unprecedented NotPetya cyberattack during Bossert's term, it's not clear what if any similar measures the White House or State Department has pursued since. "I do not think they’re sufficiently thinking through our other levers of national power, to explain what’s unacceptable and then to start threatening or imposing consequences or inducements—carrots or sticks—to change [Russia's] behavior." says Bossert, who has since taken a position at an as yet unnamed cybersecurity startup. "I don’t mind escalatory bravado to some degree. But I’d be furious if that’s all we did."
Obama administration cybersecurity coordinator J. Michael Daniel echoed that warning, arguing that if Trump administration and Cyber Command are indeed taking a more offensive approach to penetrating Russia's grid, they're doing so without truly knowing the potential consequences. "This is uncharted territory in many ways. Are we setting ourselves up for a pre-World War I situation, where activities that are designed to deter instead prompt a response," says Daniel, now the president of the nonprofit Cyber Threat Alliance. "Are these activities so threatening to countries that they have to take action against them? I think this is still very much an undecided."
"I think the possibility for accidents and miscalculation is high here."
J. Michael Daniel, Former White House Cybersecurity Coordinator
Even if Cyber Command restrains itself to merely gaining access to Russian networks and placing malware "implants" that could cause disruption without ever pulling the trigger, the threat alone would no doubt convince the Kremlin it had to maintain the same access to American utilities' networks. After all, Russia's hackers have already demonstrated perhaps the world's most aggressive targeting of foreign electric utility networks, triggering blackouts in Ukraine in 2015 and 2016, and gaining deep access to American utilities' industrial control systems in 2017.
"The idea that we’re going to put implants in the Russian grid and they won't do the same to us is silly," Daniel says, while emphasizing that, like Bossert, he has no independent knowledge of such activities beyond the Times' story. Even the notion of trying to deter Russia by hacking their grid to the same degree that they've hacked ours introduces serious potential for unintended consequences. "If the argument is that we’re going to hold each other’s grids at risk, and that’s inherently more stabilizing, I’m not sure the theory holds entirely. I think the possibility for accidents and miscalculation is high here."
One very plausible miscalculation would be if US Cyber Command were to penetrate Russian grid networks only to "prepare the battlefield," building the capability to cause a blackout in Russia with no immediate intention to do so, but Russians misinterpreted the intrusion as an immediate threat. Georgetown University professor Ben Buchanan calls this dangerous ambiguity "the cybersecurity dilemma" in his book by the same name. "When you’re on the receiving end of a hack, it’s very hard to determine the intention of the intruders," he says. "Genuinely attacking and building the option to attack later on, which is probably what’s happening here, are very hard to disentangle."
The US officials who leaked Cyber Command's Russian grid hacking to The New York Times may in fact have intended to signal to Russia that it could to turn off the lights in Moscow, without actually having to do so. (The Times itself wrote that this might be the case, given that National Security Council expressed no concerns about the report's publication.) But it remains unclear under what circumstances Cyber Command would use its blackout capabilities. And the NYT headline stated simply that the US was escalating "attacks" on the Russian grid, rather than preparations for one. "If you're reduced to that kind of language, it makes it hard for the signal to come through," says Buchanan.
"Any time we see tensions increase like this, we see more targeting of industrial infrastructure."
Rob M. Lee, Dragos
Given those ambiguities, the US should simply refrain from all targeting of enemies' civilian critical infrastructure, argues Rob M. Lee, who once led industrial control systems threat intelligence at the National Security Agency before founding critical infrastructure security firm Dragos. He points to a recent Cyber Command attack on the Internet Research Agency troll farm in St. Petersburg as an example of a more measured and targeted operation: In that strike, US hackers destroyed the servers of the Kremlin-linked disinformation operation, but didn't cause any of the collateral damage inherent in an attack on a power grid. "There are plenty of ways to go after valid military targets and cause some level of discomfort, or just messaging, that would be far more acceptable than jumping straight to civilian infrastructure," says Lee.
Lee expressed skepticism of The New York Times' claims, but he says Dragos has already sent out warnings to customers that the story will lead to renewed infrastructure targeting in the US, as Russia or other countries seek to gain parity with what they believe are US capabilities. "Any time we see tensions increase like this, we see more targeting of industrial infrastructure," Lee says.
He points out that any grid-hacking techniques the US might use against Russia could potentially be turned back on the US or its allies, providing a blueprint for sophisticated sabotage of the West's far more digitized economy. But even beyond that concern, he argues that callously treating civilians as the collateral damage of a cyberattack that could black out homes, schools, and hospitals is an unnecessary and immoral step for American hackers. "It will blow back. But I don’t oppose it because it will blow back. I oppose it because it’s not ethical," Lee says. "I don't think it's in keeping with the kind of country we want to be."