Cyber skirmish

MYRNA BROWN, HOST: Coming up next on The World and Everything in It: ​​bracing for possible Russian cyber attacks.

NICK EICHER, HOST: U.S. sanctions are taking a toll on Russia’s economy. And American-made weapons are giving Ukraine a big boost on the battlefield.

Moscow has promised retaliation, and late last month, President Biden urged U.S. corporations to be vigilant.

BIDEN: Today, my administration issued new warnings that, based on evolving intelligence, Russia may be planning a cyber attack against us. As I said, the magnitude of Russia’s cyber capacity is fairly consequential, and it’s coming.

Joining us now to help us understand the cyber threat is Jason Blessing.

He is the author of the book “The Global Spread of Cyber Forces.” He previously worked with the International Institute for Strategic Studies and in the financial sector he worked as a fraud-operations analyst.

BROWN: Jason, good morning!

JASON BLESSING, GUEST: Hi, Myrna thanks for having me. Great to be here.

BROWN: You say we should not expect a full-blown cyber war with Russia. Tell us what you mean there and why you say that.

BLESSING: Well, sure, we tend to get swept up. And by we I mean, popular media, us analysts, we aren't impervious to this either. But there is the predilection to think that you know, like a Hollywood movie that will see some sort of cyber attack that will shut down our traffic lights, take us offline, shut our economy down. And most of the time, that's just not realistic, given the technology and given the manpower and resources behind that. And just given the ability to wield that as a weapon of statecraft.

What's much more likely is lower sophistication, attacks, that appear really much more like criminal activity. And there's several dynamics behind that. But the basic point is that we get swept up in these ideas of a Hollywood cyber war, when that really just isn't the case.

BROWN: We're going to talk about infrastructure threats here in a moment. But right now, I'd like for you to explain a little bit more about what private companies in general should be worried about, in the short term.

BLESSING: Absolutely. In the short term, there are really two main threats to look out for. And then one more on the long term horizon. So in the shorthand, most importantly, is events that look much more again, like criminal activity. So we're talking about things that, you know, look like ransomware attacks on your networks that look to make a buck by extorting and holding information or networks hostage, things that for instance, can deny service access and delay service provision times for customers. So certain things like taking a financial website offline for a few hours. So customers can’t access their accounts - sort of these low level very, you know, what we would call basic and unsophisticated attacks. The second that we need to look out for really is spillover from Russian operations in Ukraine. And there's precedent for this if we look back to 2017, for example, with the NotPetya malware. This was a worm that self replicated past Ukrainian targets, and spread to over 150 countries and created about $10 billion worth of damage cumulatively. So those are really the two main things to look out for is things that appear like criminal activity, and then we have spillover.

BROWN: Alright, now back to infrastructure. Now you said Russian cyber activity can target critical infrastructure with low cost, low sophistication, just as you mentioned, methods that are indistinguishable from criminal activity. Just drill down a little bit more. What do you mean by that?

BLESSING: Sure. Well, if we look at what it takes for, you know, on one hand, let's say a distributed denial of service, where it's an attack that denies network access, either internally to people working at the company employees, or externally to customers trying to access, let's say, to pay their power bills. The way that they work is that they overload servers and networks with traffic requests, right? A good example of this not being malicious behavior is back when the Affordable Care Act launched its online portal, and it took forever in a day for anyone to be able to sign up for it. That's a benign case of where that's legitimate customer traffic. Now just transplant that to malicious actors who are actively trying to deny network access as a part of a larger goal. And so you can have state operatives carry that out in the case of Russian military intelligence, or you can have criminals carrying that out. And it's the same methods, and they just don't cost that much. So those are generally more low cost options, which are a lot easier to carry out.

BROWN: You mentioned the private sector. So what about the average American? I mean, could good everyday Americans like you or me wind up being targeted in some way?

BLESSING: Well, absolutely. It's, it's a game of numbers. And you have to ask yourself, you know, the conversation I have with most folks, is, “Why should I worry about this, I don't have anything that hackers could want?” And that's just not the case. You have an online persona. If you use social media, if you use Google or another search engine, you have data out there in the world that is valuable to someone, whether it's mapping behavioral patterns, or what. You know, even if I have $100, in my bank account, that's still valuable to someone, because that's 100 more dollars that they didn't have that they could steal. And there are a variety of measures, you know, just because you're you're one person or I'm one person, the greater cyber hygiene needs to be sort of baked into our everyday lives at this point since technology touches on every part of our lives. And there are measures that individuals can take.

BROWN: Now, like the word cyber hygiene, in the time that we have left. Jason, what steps would you recommend to anyone to ensure they're safe online?

BLESSING: Sure. So one is multi factor authentication, either through text message through ads, or hard tokens, which we used to mail out when I was in finance, we'd mail them out physically to customers. And you know, the multi-factor authentication is just you know, that randomly or sporadically produced code that you can put in with your login and password. That's an extra layer of security that you have control over that hackers don't.

Another is just think before you click on a link, you know, it's very easy. But over time, a lot of these hackers and bad actors in cyberspace have gotten much better at making their these links much more convincing, right? You know, back to logins, using a password manager, that is always helpful. You want to have unique passwords for everything. And that can help you keep track of it. So it's it's these everyday sort of low hanging fruit that we need to think about.

BROWN: Important reminders, Jason Blessing has been our guest today. He is a visiting research fellow and cybersecurity expert at the American Enterprise Institute. Jason, thank you so much for your time and expertise.

BLESSING: Thank you again for having me. My pleasure.

WORLD Radio transcripts are created on a rush deadline. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of WORLD Radio programming is the audio record.