From Russia With Love: Understanding the Russian Cyber Threat to U.S. Critical Infrastructure and What to Do About It

Publication year: 2021
Citation: Vol. 96

96 Nebraska L. Rev. 320. From Russia with Love: Understanding the Russian Cyber Threat to U.S. Critical Infrastructure and What to Do About It



Scott J. Shackelford, Michael Sulmeyer, Amanda N. Craig Deckard, Ben Buchanan & Brian Micic(fn*)


TABLE OF CONTENTS

I. Introduction .......................................... 321

II. A Short History of Russian Hacking of U.S. Government Networks and Critical Infrastructure ..... 322

III. Unpacking the Ukraine Grid Hacks and Their Aftermath ............................................ 324

IV. Analyzing Policy Options to Help Promote the Resilience of U.S. Government Systems and Critical Infrastructure ........................................ 328
   A. Contextualizing and Introducing Draft Version 1.1 of the NIST Cybersecurity Framework ............. 328
   B. Operationalizing International Cybersecurity Norms on Critical Infrastructure ..................... 333
   C. Deterrence and a Path Forward ................... 335
      1. Publicize Benefits as Applied .................. 337
      2. Publicize Exercise Results ..................... 337
      3. Publicize Updates ............................. 337

V. Conclusion ............................................ 338


I. INTRODUCTION

In December 2016, the U.S. Department of Homeland Security disclosed that malicious software (malware) found on a computer system owned by a Vermont utility called the Burlington Electric Company was the same variant as that used to breach the Democratic National Committee (DNC).(fn1) This admittedly overhyped episode is the latest in a string of cybersecurity incidents that involve U.S. critical infrastructure (CI) and that have been linked to Russia. Already, a number of nations have seen their systems compromised by such attempts, such as Ukraine, which experienced several of its substations crashing in December 2015 in "the first-ever confirmed cyberattack against grid infrastructure."(fn2) Unfortunately, the same type of attack played out again in Ukraine on December 23, 2016.(fn3) This Article examines the most recent of such hacks and investigates the current state of U.S. efforts to advance cybersecurity, including to what extent the recently released draft Version 1.1 of the National Institute of Standards and Technology (NIST) Cybersecurity Framework will contribute to safeguarding vulnerable U.S. CI and what further steps, such as an effective deterrence strategy, are needed going forward.

This Article is structured as follows: Part II briefly summarizes the history of alleged Russian hacking on U.S. critical infrastructure and government networks from the 1990s to 2016.(fn4) Part III builds from the foundation laid in Part II with a comparative case study exploring the 2015 and 2016 cyber attacks on the Ukraine power grid. Part IV explores policy prescriptions to enhance U.S. critical-infrastructure cybersecurity with a focus on unpacking draft Version 1.1 of the 2017 NIST Cybersecurity Framework, exploring international cybersecurity norm building in the CI context, and laying out a deterrence strategy for mitigating the Russian cyber threat to U.S. CI and government systems.

II. A SHORT HISTORY OF RUSSIAN HACKING OF U.S. GOVERNMENT NETWORKS AND CRITICAL INFRASTRUCTURE

A comprehensive rendering of Russia's alleged and now decades-long information-warfare campaign against the U.S. government and U.S.-based critical infrastructure is beyond the scope of this Article. Rather, this Part helps inform the following discussion on contemporary challenges and policy prescriptions by briefly summarizing several of the early Russian campaigns and comparing them to what has transpired since. In particular, we focus on two episodes, the late 1990s "Moonlight Maze" campaign and the 2016 DNC hack, to gain a better understanding of how Russian cybersecurity strategy has evolved in the nearly twenty-year span bookending these events.

The Moonlight Maze attacks of the late 1990s were among the most extensive cyber attacks aimed at the U.S. government to that point, involving attackers gaining access to thousands of sensitive files.(fn5) According to U.S. officials, state-sponsored Russian hackers penetrated U.S. Department of Defense (DoD) computers for more than one year, stealing data from U.S. agencies such as the Department of Energy and NASA, as well as from military contractors and universities.(fn6) Damage from the attacks was limited to unclassified networks but prompted a great deal of concern in the U.S. government. Some officials, including then-Coordinator for Counterterrorism Richard Clarke, likened it to pre-war reconnaissance.(fn7)

While Moonlight Maze in many respects introduced the risk of Russian and other state-sponsored hacking into the consciousness of U.S. officials, later events would show how widespread the threat was and continues to be. In 2015, it was reported that Russian hackers had gained access to the unclassified White House email network that was used for scheduling, personnel matters, correspondence with overseas diplomats, and more.(fn8) The same group of hackers was reportedly able to access key networks in the Pentagon, such as the email systems used by the Joint Chiefs of Staff; in the State Department, where remediation proved to be an ongoing challenge;(fn9) and in a wide variety of other targets.

The election year of 2016 brought even greater attention to potential Russian cyber operations. According to CrowdStrike, not one but two Russian intelligence agencies, the nominally domestic FSB and the military-intelligence-focused GRU, gained access to the networks of the Democratic National Committee and to the email accounts of staffers on the Hillary Clinton campaign.(fn10) While much cyber espionage up to this point involved using the stolen secrets out of view, those involved in this hack took a different tack. They splayed stolen data out on social media, on the anti-secrecy site WikiLeaks, and in newspapers.(fn11) While the individual revelations themselves were not enormously consequential (the most significant email forced the ouster of Democratic National Committee Chairwoman Debbie Wasserman Schultz because of the party's perceived favoritism towards Hillary Clinton over primary rival Bernie Sanders), they consumed an enormous amount of media attention.(fn12) Historians will debate the degree to which the hacking and information operation persuaded voters to choose Donald Trump over Hillary Clinton; an assessment by the U.S. intelligence community later concluded that this was the Russians' aim.(fn13)

The ongoing drip of hacked files and emails throughout the summer and fall of 2016 raised the concern about Russian cyber capabilities to a previously unprecedented level. Reportedly, President Obama attempted to achieve bipartisan consensus in condemning the hacks but was rebuffed by Senator Mitch McConnell.(fn14) In lieu of that feat, and wary of Russian operations that might change votes rather than target voters, it is reported that the United States used a Cold War-like communications mechanism to warn Russia against targeting election infrastructure itself. Specifically, as Election Day came and went without Russian manipulation of vote-counting mechanisms, this warning can perhaps be viewed as an instance of successful deterrence.(fn15) Nonetheless, towards the end of his presidency, President Obama saw fit to punish the Russians for their reported interference in the electoral process, levying sanctions, expelling diplomats, and closing two Russian compounds in the United States.(fn16) It was a watershed moment, as the intersection of computer hacking and international intrigue emerged more fully than ever before into public view. This sets the stage for other, more explicitly damaging hacks of Ukraine's grid, showing a broader range of possible Russian cyber operations.

III. UNPACKING THE UKRAINE GRID HACKS AND THEIR AFTERMATH

While cyber attacks on critical infrastructure are not unprecedented, the recent penetrations in December 2015 and December 2016 against the electrical grid in Ukraine have gained widespread notoriety given that they show what is possible for unprepared sectors.(fn17) As a result, thoroughly understanding the Ukrainian cyber attacks provides governments a glimpse into the strategies adversarial hackers use and helps to underscore what can be done about it.

To set the stage, the recent cyber attacks on Ukraine's electrical grid were not the first to plague the country. Since 2014, there has been a string of cyber attacks that have targeted, with varying degrees of success, various industries within Ukraine.(fn18) In May 2014, threat actors targeted Ukrainian electricity distributor Prykarpattyaoblenergo and all six of Ukraine's state railway transportation-system operators as part of a phishing campaign.(fn19) In August 2014, a similar campaign attacked five Ukrainian regional government sources and state archives.(fn20) This occurred again in March 2015, with the target this time being Ukrainian television broadcasters.(fn21) In October 2015, on Ukraine's election day, BlackEnergy and KillDisk malware were used to hack into numerous government workstations.(fn22) A similar attack was also used to target Ukrainian mining firms.(fn23) These attacks shared similar characteristics in both their methodology of operation and use of certain malware. As such, the cyber attacks in December 2015 may be considered the climax of a chain of exploits that sought to obtain valuable information from, and eventually cripple, specific industry sectors within Ukraine.

In December 2015, adversarial hackers successfully infiltrated workstations within three Ukrainian energy-distribution...
