Policy circles in Washington are now debating how Vladimir Putin might respond to a major contraction of the Russian economy and clear signs that Moscow is losing the war in Ukraine. Some posit that a cornered president, furious and facing a near defeat, might indeed respond brutally—moving the proxy confrontation of a new Cold War front to a cyber battlefield, where Russia has a greater advantage, and launching a massive cyberattack against the United States. However, several key factors call this thesis into question.
Similar to Iran and North Korea, Russia is known to be responsible for some of the most aggressive, large-scale cyberattacks. However, these cyber tactics have played a rather peripheral role, either in supporting conventional warfare or through disinformation campaigns that serve to spread chaos and panic among targeted societies. The first known state-backed attack occurred in 2007 and lasted for twenty-two days, when the Russian military intelligence unit, the GRU, targeted Estonian commercial, government, and Domain Name System (DNS) servers and online banking systems. The attacks fell under the Denial of Service (DoS) and Distributed Denial of Service (DDoS) categories that include methods such as ping flooding, spam distribution, botnets, and phishing emails. In 2008, as a part of hybrid warfare amid the occupation of Abkhazia and South Ossetia, Russia defaced Georgian state websites. In 2015, following the annexation of Crimea and the occupation of eastern Ukraine, a GRU proxy group named Sandworm attacked the Ukrainian power grid and deprived more than 200,000 people of electricity for six hours. In 2017, the NotPetya malware attack directed at Ukraine had an unprecedented impact, hitting major Western companies in Europe and the United States such as Mondelez International and Maersk, and even striking back at Russian oil company Rosneft. It paralyzed thousands of networks. The global cost of the malware reached $10 billion, making it the most consequential cyberattack in history. In addition, just a month ago, Russia unsuccessfully attempted to attack the Ukrainian power grid with advanced malware classified as a wiper. Overseas, a Russian group of hackers called Fancy Bear meddled with the United States 2015 presidential campaigns and 2016 federal elections at the county level.
To this point, while Russian cyber tactics are common and multifarious, they serve a secondary function in the hybrid warfare that Moscow conducts along with disinformation campaigns and conventional military operations.
Nevertheless, cybersecurity experts speculate on a range of consequences in a worst-case cyber scenario: Russia might attempt to attack U.S. critical infrastructure, turn off the lights, target the operation of ATMs and credit card systems, attack Amazon’s cloud, disrupt the transportation and supply of clean water, and target pharmaceutical companies’ manufacturing facilities, power grids, and colonial pipelines. But will such a threat manifest?
Not only would a cyberattack against the United States contradict the historically peripheral nature of Russian cyber warfare, but Russia’s cyber capacity would be insufficient for the task. For the past several years, the West has largely overestimated Russian military capabilities in conventional warfare. U.S. intelligence agencies predicted the 2022 war in Ukraine would be the most destructive the European continent has seen since the end of World War II, expecting the fall of Kyiv to come within days. However, the still ongoing, drawn-out war has revealed weaknesses in the Russian armed forces, its military arsenal, and strategic leadership. Russian officials, for their part, underestimated the strength of the Ukrainian resistance and the united position of the international community. Spending slightly more than 4 percent of the country’s GDP on the military, the Russian president mobilizes domestic support for the military budget by articulating the external threat of NATO. In a relatively undigitized society like Russia, lobbying to spend more on the cyber budget would prove less effective. Taking this into account, it seems possible the West could be overestimating Russian cyber competence as well.
Furthermore, Russia is unlikely to wage a cyberattack on the United States due to fear of retaliation on multiple fronts. Russian society is already experiencing the consequences that the war has wrought: an economic crisis and the psychological pressure of being cast as a global pariah. In case of a Russian cyberattack, the consequences of U.S. cyber retaliation would hit the public first. Given current conditions, depriving people of water and electricity could trigger public discontent on an unprecedented scale. Decades of increasingly authoritarian leadership have undoubtedly engendered public grievances hidden deep within society. At some point, this simmering disgruntlement can boil over into outrage. Putin can ill afford to confront further domestic unrest now.
Current U.S. cyber capabilities could also contribute to the fear of retaliation. For the past few years, the United States has developed an impressive cyberinfrastructure, restructured its system of governance, and invested in cyber training and education. As Richard Clarke and Robert Knake emphasize in their book, The Fifth Domain, following the Cold War strategy of deterrence and containment, the United States has largely restrained itself from involvement in cyber counter activities. Although for a long time America has focused on defensive cyber policy, today, the U.S. Cyber Command prioritizes offensive measures. As such, in 2019, the United States successfully targeted the Iranian intelligence service and missile launch system as a response to an Iranian strike against an American drone and U.S. oil tankers. Earlier in 2012, the Stuxnet computer worm, designed in cooperation with Israel, successfully infiltrated nuclear facilities in Iran.
In addition to an offensive preference, a more consolidated system of governance and a set of regulations have advanced U.S. cybersecurity. A clear allocation of roles and responsibilities between the Department of Homeland Security and U.S. Cyber Command and the relevant leadership improved the system of reporting incidents and information sharing. It facilitated communication within federal agencies and between the government, the private sector, and the public. U.S. private enterprises now spend billions of dollars on cybersecurity, employee training, and encrypted channels. The United States also takes a leading role in collaborating with strategic allies on sharing best practices, detecting flaws in networks, and promoting cyber hygiene.
International cooperation to this degree is not an asset that Russia benefits from. With the support of the NATO Cooperative Cyber Defense Center of Excellence’s research and development projects, expertise, and training, U.S. retaliation for a potential Russian cyberattack could be not only detrimental but, as a multilateral response, even more profound. Based on all this, the fear of retaliation could indeed prevent Putin from engaging in offensive cyber operations against the United States.
Finally, Putin has lost the upper hand in launching an attack by surprise. For instance, Russia invaded Georgia during the Olympic Games in Beijing in 2008, and Ukraine during the Sochi Winter Olympics in 2014. When Putin waged war on Ukraine in 2022 (incidentally, immediately following the Beijing Winter Olympic Games), the West anticipated it. Putin invaded Ukraine anyway. He is unlikely to act recklessly in this way again, considering the failures the Russian military has experienced since the invasion. Furthermore, knowing that the United States and European allies have shielded up, Putin has no incentive to strike. Nevertheless, would Putin wait for a more favorable moment? Or scale back a potential attack, for instance, by meddling in the U.S. midterm elections in November?
It would be misleading, however, to underestimate Russian cyber capabilities or Putin’s mind games and lose vigilance. In 2020, despite denying its involvement, Russia evidently hacked U.S. software company SolarWinds. By installing malware into the company’s updated Orion software program, the attack affected thousands of customers, a hundred companies such as Microsoft and Intel, and some federal agencies like the Treasury Department, the Pentagon, and the Cybersecurity and Infrastructure Security Agency. Cyber experts acclaimed the code used as phenomenal. More astonishingly, if not for a performance assessment and proper investigation, the attack could have easily gone unnoticed. For over six months, Moscow tracked emails and other traffic of sensitive information. Could there already be similar malware in U.S. networks?
Now, on the brink of a new Cold War, the United States must keep its guard up on cybersecurity. Although there are significant factors that challenge the probability of an imminent Russian cyber-retaliation, the United States should not disregard the potential for malicious activity in the near future. It needs to keep a sober view and not act hastily. Setting priorities for the long run, the United States needs to continue advancing cyber mechanisms that detect sensitive activity like the SolarWinds hack, and invest more in training and education about cyber hygiene for government agencies, private companies, and the public. It should not neglect to regularly test offline backups, run software updates, report incidents, use multifactor authentication, block unusable domain IP addresses, and assess third-party risks.
Although Putin’s intentions are far from clear, should he decide to pursue a cyberattack on the United States’ critical infrastructure that would instantly shut down electricity or disrupt the clean water supply, the offense might come unexpectedly, and soon. Cornered with sanctions and burdened by the bitterness of defeat, Putin might act furiously. The United States and Western allies need to be vigilant and maintain strong lines of communication about any malicious activity. With a strong multilateral front in the West, Russia will have fewer incentives to engage in cyber warfare.