US vs Russia: what could provoke Washington’s cyber counterstrike?

The world is used to hearing about attacks by formidable Russian hackers, usually endorsed by the Kremlin – especially since its invasion of Ukraine earlier this year. The United States can retaliate, and massively so, experts say. But will they?

Since the beginning of the war in Ukraine, cybersecurity experts have been warning about possible Russian cyber operations in the West. They do take place, but analysts say there is a threshold at which Washington would retaliate massively, although reaching it is unlikely.

Ukraine’s allies, specifically the US, have long been discussing the possible measures they could take to disrupt Russia’s ability to wage war.

For example, NBC News reported back on February 24, a few hours after the invasion began, that US president Joe Biden had been presented with a list of options for Washington to carry out massive cyberattacks and disrupt Russia’s ability to sustain its military operations in Ukraine.

Sources told the news outlet that the US could disrupt internet connectivity across Russia, shut off electricity, or tamper with railroad switches and thus slow down the movement of forces to the battlefields.

Of course, even now, we have no way of knowing if said cyberattacks took or are taking place – either way, the US would not publicly acknowledge such operations. If they did, it would probably mean that the strikes were limited and designed as a warning.

For instance, The New York Times reported back in 2019 that America injected malware into portions of Russia’s power plants – mostly as a deterrent against a potential major Russian attack.

Yet if it were deemed that Russia's destabilizing cyberwarfare is significant enough for a counterstrike, and if it were decided that the economic sanctions have insufficient deterrent value, the Americans, alone or together with other NATO allies, would most likely hit Moscow hard.

However, according to some experts, for now, the West should not change its current posture and keep focusing on efforts like cyberespionage because the nature of cyberattacks is simply much more opportunistic than one would think.

A trove of highly advanced tools

Even when Russia brazenly engages in direct cyberattacks against targets in Western countries, the US “has been exceptionally cautious with offensive cyber warfare in an effort to avoid escalation,” Irina Tsukerman, a geopolitical analyst specializing in information security and cybersecurity, told Cybernews.

That’s because the decision-makers in Washington have not – yet – deemed that Russia’s war in Ukraine directly and sufficiently damages US interests, energy security, or, for that matter, global security.

Then again, the situation might change if Russia decided to up the ante and, in the eyes of the US government, crossed the line.

“Under the Trump administration, the US launched a devastating cyberattack against Iran's cyber infrastructure which controlled the missile launchers used in the context of attacks on and hijackings of oil tankers in the Strait of Hormuz,” Tsukerman told Cybernews.

“The decision was made amidst growing pressure on the Trump administration to curtail a series of attacks which were having a significant impact on the global economy and contributing to energy security concerns, and the growing business risk of operating vessels in a strategic area. Similar calculus will likely apply to Russia.”

Experts say that the US has just as much firepower as the Russians, even though the latter has already been proven as a formidable opponent in the cyber warfare space.

So-called ‘patriotic hackers,’ most probably directed by the Kremlin, were able to disrupt Ukraine’s power grid in 2015 and 2016. Moscow doesn’t document such arrangements, which allows Russia some plausible deniability for the attacks.

Still, the West, specifically the US, could strike back – and does when it wants to. For instance, American and Israeli cyber agents created a computer worm known as Stuxnet that took out an entire Iranian uranium enrichment facility in 2010.

There’s also a trove of highly advanced US cyberweapons, attributed to the Equation Group, a threat actor suspected of being tied to the US National Security Agency and described by most experts as one of the most sophisticated cyberattack groups in the world.

Most of its targets have been Iran, Russia, Syria, Mali, and other countries, seen either as US adversaries or affiliated with terrorist organizations.

Tread carefully, or else

Tsukerman says NATO or the US might decide to attack a highly specific target of military value to Russia – for example, the infrastructure used to attack Western allies, missile launchers, and even nuclear-related objects.

US Cyber Command, the National Security Agency, the Central Intelligence Agency, and other agencies would have a role to play in the operations.

But, again, decision-makers in Washington would have to consider Russia’s actions in Ukraine and elsewhere a direct threat to the US and other NATO member states.

Additionally, under the current US nuclear doctrine developed during the Trump administration, the president would be given the military option to launch nuclear weapons at a country if it was determined to be behind a massive cyberattack.

The Washington Post invited readers last year to imagine how such an attack would look: it would not only disable pipelines such as Colonial Pipeline, but also turn off power at hundreds of hospitals, disrupt air-traffic-control systems, or shut down the electrical grid in major cities in the middle of a winter freeze.

For now, the US, at least publicly, is downplaying the threat of a major cyber tit-for-tat. Russia’s attack on Colonial Pipeline did not result in a counterstrike, and the US has even assigned blame for the incident to the Russian cybercrime group DarkSide.

Besides, even if attacks were now ordered, they would be designed to disrupt but not destroy, falling short of a declared act of war. The idea is to harm networks, not people.

According to Tsukerman, the Biden administration is cautious, though, and would not engage without extreme urgency being a factor.

“It probably would not engage in any offensive strikes unless the US was in a state of protracted engagement already or unless the cyber threat from Russia was persistent or unless a nuclear threat became particularly pronounced,” Tsukerman said.

“An act of war would need Congressional approval and for that reason would be highly unlikely unless Russia carried out what would amount to an act of war. The trajectory by the US administrations has been to avoid formal declarations of war or operations that are interpreted as such.”

A degree of opportunism

Other experts also say if the US launched a cyberattack against Russia, it would be a targeted attack meant to prevent a full-scale panic among everyday civilians. Specific military and ruling elite-related individuals or institutions would be targeted.

Tom Kellermann, senior vice president of cyber strategy at Contrast Security, who served on the Commission on Cybersecurity for President Obama’s administration, told Cybernews a NATO cyberattack on Russia would always be a proportionate response to Russian aggression.

“The response would abide by the Geneva Convention and not target industries like healthcare or education. That being said, much of the recent activity by NATO has been laser-focused on disruption of ongoing Russian destructive cyberattack campaigns. Since January 13, we have endured nine such campaigns,” Kellermann said.

“I firmly believe NATO should take the gloves off and strike critical Russian military and transportation infrastructure used for mobilization.”

Anyhow, according to Melissa Griffith, a senior program associate at the Woodrow Wilson International Center for Scholars’ Science and Technology Innovation Program, even a powerful cyberattack against Russia might not be what you would expect.

Such attacks would supposedly still have more to do with espionage and counterintelligence than with major warfare – unless, of course, they were carried out in an attempt to create a larger conflict. So far, neither side seems to want that.

Mark Galeotti, an honorary professor at the UCL School of Slavonic & East European Studies in London, who is considered to be one of the world's leading experts on Russia, transnational crime and military affairs, told Cybernews the West is actually better off focusing on cyber espionage for now.

“Of course, Western countries want to be preparing for the potential strike at Russia through cyber means – either because they’re going to want to retaliate to Russian attacks, or because it’s going to be a part of asymmetric escalation, if, for example, the Russians use a non-strategic nuclear weapon in Ukraine,” Galeotti said.

However, he calls cyberattacks much more opportunistic than kinetic, active warfare – and that’s where things, according to Galeotti, get complicated.

“It’s all very well having a wishlist of targets you’d like to be able to hit or interfere with, but in practice, you will explore all sorts of options and see where you have points of vulnerability you can exploit,” Galeotti said.

“So, yes, the West might like to be able to implant some malware into the systems controlling Russian railways. But it all depends on whether or not those systems were actually well protected or not, so we might see we can’t do anything like that – but we can mess with these other systems.”

Escalation management

Galeotti says he is sure both sides have been waging a campaign of probing for weaknesses, looking for exploits, and storing them for the future. But he also thinks deterrence is problematic in the cyber realm.

“If you have a missile, you can test it on your own soil. You can trundle it through the Red Square so that everyone can see how impressive it looks. But malware? The moment you use it, it’s out in the wild – the other side can counter it, or, indeed, adopt it themselves. No one can really know who has what until it gets used,” Galeotti told Cybernews.

That, in turn, means that neither side knows the true capabilities of the other – everything depends on perceptions, Galeotti says. He sees cyber warfare somewhere in between the stage of economic pressure and sanctions and the stage of direct military conflict.

“Cyber provides one additional step in the escalation ladder before you actually get to direct conflict. And plausible deniability – even though the Russians are not even denying they’re at war with the West – allows both sides to manage the escalation,” Galeotti said.

“It’s as if they say, ‘We know what you’re doing, you know what we’re doing. But, given that, at present, you haven’t got a tank with a Russian symbol on it shooting at a tank with an American symbol on it, we can still manage the situation.’ The paradox is that cyber is actually a useful tool for escalation control, as well as an escalation instrument.”