Russian cyberattacks may be coming. Last month, the White House issued its starkest warning yet that “evolving” intelligence indicates Moscow is planning major cyber operations against the United States in retaliation for the economic penalties that the country has imposed on Russia for its invasion of Ukraine. It may only be a matter of time before these warnings become a reality.
This comes as little surprise. Since before the start of the war, cybersecurity experts—including one of us—have predicted that the likelihood of Russian cyber operations against the West would increase as the United States and its allies placed more severe economic sanctions on Moscow. Now, with the Russian economy beginning to feel the effects of sanctions, Russian President Vladimir Putin appears poised to use his intelligence agencies' significant cyber capabilities to hit back at the West.
As these threats loom, the U.S. government has a critical decision to make: How will it respond to Russia's first wave of major cyberattacks? The most effective response would meet two potentially conflicting objectives: deterring further attacks but not pushing the United States and Russia into an escalatory spiral that could lead to a hot war between the world's two largest nuclear powers. Crafting a response that stops Russia and forestalls further escalation would be a major challenge. But a measured cyber strike against Moscow—accompanied by a clear signal that the United States is willing to take even more dramatic actions if Russia does not back down—could thread this needle.
Russian cyberattacks could prove quite disruptive to the United States and its allies. The Kremlin could target major Western financial institutions as retaliation for the sanctions imposed on Russia's financial sector, a tactic Iran has used against the United States in the past. Putin could also decide to carry out attacks against U.S. energy companies to disrupt the normal operations of oil and natural gas pipelines, refineries and storage facilities. Smaller energy companies are particularly vulnerable, since they often lack the personnel and resources to adequately defend themselves even against hacks by criminals, let alone a tier-one state actor like Russia. As we saw with the ransomware attack on Colonial Pipeline in May, attacks of this sort could lead to significant disruptions to the U.S. domestic energy supply, raising gasoline prices and worsening inflation—both of which are already at historically high levels. Russia could deploy a similar playbook in Europe, targeting the continent's liquefied natural gas terminal operators—which are crucial to Europe's efforts to reduce reliance on Russian gas—to further push up already sky-high prices and cause significant economic pain for European citizens.
Urged by the U.S. government, American companies are already taking measures to shore up their security, but some of Russia's offensive operations are likely to succeed nevertheless. Russia's cyber corps is a technologically advanced and highly experienced group—as they have demonstrated on numerous occasions, including an attack on a Saudi Arabian oil refinery and in 2017 with NotPetya, the most disruptive cyberattack in history.
All that makes it important to develop a playbook to deploy immediately after a potential first wave of successful Russian attacks. There are no formal or even unwritten norms governing cyber conflict, which means there is a real danger that the wrong response could lead to a spiral of tit-for-tat escalations that could eventually spill out of the cyber arena—which, in a worst-case scenario, could result in nuclear war.
But the United States also cannot let a significant cyberattack against its critical infrastructure go unanswered. While U.S. military strategy dictates that it does not need to limit a response to a cyberattack to the cyber domain, this situation might be one of the instances when an initial response in cyberspace might be appropriate. Cyber is a tailor-made tool that can allow for a shock-and-awe demonstration without necessarily creating lasting destruction.
The United States and Europe have already implemented a large-scale campaign of diplomatic isolation and economic pressure against Russia and allocated unprecedented military aid to Ukraine in response to Moscow's unprovoked invasion—yet so far, these steps have not fundamentally changed Putin's calculus. A response to cyberattacks that relies on those same tools to incrementally increase the economic and military pain to the Russians is likewise unlikely to cause the Kremlin to stop.
Unlike sanctions or kinetic attacks, a carefully executed cyberattack on specific targets is relatively easy to implement and, more importantly, easy to end without causing lasting damage. Assuming the initial Russian actions do not lead to loss of life—if they did, then expect Washington to take the gloves off—it would be beneficial for the United States to tailor a response that can provide a powerful demonstration to the Kremlin of U.S. capabilities but avoid widespread destruction that could lead to escalation. Combined with a clear public and private message that the United States will go much further in the cyber arena if Russia attacks again, such a move would demonstrate America's resolve while creating an off-ramp for Moscow to end its cyber aggression.
One such measured response could be a cyber operation that causes a widespread—but brief—disruption to Internet service across Russia. Such an attack, which is well within the capabilities of the U.S. Cyber Command, would provide a powerful example of what the United States can do. It would also show Kremlin leadership what life would be like for government officials, businesses and regular citizens alike without Internet connectivity. Like all advanced economies, Russia is dependent on the Internet, and even temporary connectivity disruptions—lasting an hour or two at most—would affect every sector of the Russian economy, from energy to media to national defense. And yet a short disruption that does not cause permanent damage would be less likely to generate further escalation.
This approach is no surefire bulwark against a second Russian attack, which would warrant a broader and more devastating course of action. But it does create an opportunity to avoid an escalation spiral. Because Russia is likely to view its initial cyberattacks as a vindicable counter to Western sanctions, a more destructive U.S. response could prompt Putin to double down.
Russia appears poised to make a first move against the United States and its allies in cyberspace. A savvy U.S. response that is deliberately measured and accompanied by the right message could end this fight after the first round.
Dmitri Alperovitch is co-founder and chair of Silverado Policy Accelerator and co-founder and former chief technology officer of the cybersecurity firm CrowdStrike. Samuel Charap is a senior political scientist at the nonprofit, nonpartisan RAND Corporation.
This commentary originally appeared on The Washington Post on April 14, 2022. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.