Russia and the Threat of Massive Cyberattack By James Andrew Lewis

Understanding the risks of a cyberattack requires judging what Russia wants from the conflict. Much has been written about this. An optimal goal would be to bring Ukraine back into the Russian orbit (perhaps under new leadership more sympathetic to Putin). Other goals include limiting Ukrainian involvement with the European Union and NATO, reasserting Russian regional dominance, and encouraging nationalist sentiment in Russia to shore up domestic political support for Putin.

Russia will use political, cyber, and perhaps military tools to press Ukraine, the United States, and Europe to move in the direction of concessions to Russian interests, but without greatly increasing the risk of direct military conflict with NATO. One possible scenario would be a swift incursion after the Beijing Olympics to take another slice of Ukraine. A full invasion and a drive to the Polish border would bring Russia up against NATO, risks getting bogged down in a messy insurgency, and increases the difficulty of repairing the damage to Russia’s international position. The Russians would prefer that any action be quick.

Kremlin strategists are not as risk averse as the United States and have developed concepts on how to use cyber tools for coercive effect. They have more than 15 years of experience in using these tools. While they could disrupt U.S. critical infrastructure, they have chosen not to do so. The most successful Russian use of cyber tools against the United States has been in creating false narratives that heighten political turmoil in the United States and Europe (this also explains Russia’s clumsy diplomatic pronouncements intended to increase public pressure on Western governments). There has been almost no cost to the Russians for their earlier political interference, and while heightened exposure of the tactics has reduced their value, continued political fragility in democracies will be a tempting target. Ransomware attacks are motivated by financial gain, not politics, and too granular and insufficiently damaging by themselves to provide Russia an advantage without risk. They are largely unrelated to the Ukrainian situation (other than affecting Russia’s willingness to crack down on criminals).

The best outcome for Russia would be to be able to present any action as a fait accompli, where it could say to the world that its security goals had been met and the international community should put the invasion behind it, as was the case in the 2014 incursion into Crimea. It is possible that some nations might even welcome this. But attacking the United States would undercut this goal. A massive cyberattack against the United States or a NATO ally would make it harder to move on and create risk without benefit.

Any Russian action against the United States would occur under the shadow of nuclear weapons. The risk of nuclear war virtually eliminates the likelihood of a massive cyberattack on the critical infrastructure of another nuclear power in any but the most extreme circumstances. Nuclear states, no matter how bellicose their rhetoric, have been careful to avoid cyber actions against each other that could be considered equivalent to the use of force (e.g., physical damage or casualties), rather than espionage or crime. A major attack on U.S. critical infrastructure would create an unacceptable risk of retaliation, would be impossible for the international community to ignore, and would not support Russian goals to present action in Ukraine as a fait accompli. Russia gains nothing from a cyberattack on the United States that it would not get from actions limited to Ukrainian targets.

Russia does not intend to start a third world war, and it is likely only to take actions that advance its goals for Ukraine while avoiding the risk of greater conflict. As part of this, cyberattacks against Ukraine are highly likely, but very unlikely against the United States or NATO. Russia has the capability to carry out such attacks and has done the necessary reconnaissance of U.S. critical infrastructure targets, but it is unlikely to undertake a cyberattack against elements like the power grid unless in a major conflict with the United States and NATO.

That an attack is unlikely does not mean the United States can ignore its defenses. Critical infrastructure remains vulnerable to cyberattack nearly 25 years after the first presidential directive called for reducing risks, reflecting both the complexity of the systems and the gridlock that has afflicted U.S. governance. Even Iran is not impeded from lurking on our infrastructure networks. The United States may be able to deter the Russians in Crimea, and they are unlikely to attack U.S. critical infrastructure, but this is their choice. In another situation, they could change their minds. Cybersecurity cannot depend on the kindness of strangers.

James A. Lewis is a senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, D.C.

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2022 by the Center for Strategic and International Studies. All rights reserved.