It’s #DisinfoWeek in Washington. Expert panelists are discussing multi-pronged efforts to delegitimise democratic governments, and considering what is to be done in response. As if on cue, Ukraine, a flashpoint for European proxy struggles since its independence, suffered its third major cyberattack in the last two years yesterday. In contrast to the previous attacks, which targeted power grids and utility services, this one took down the national bank, multiple government sites, and public transportation networks, as well as the state power company. The “Petya” attacks on Ukraine occurred concurrently with “NotPetya” attacks elsewhere in Europe and around the world.
The incident highlighted two risk factors: the advancing sophistication of hackers, and their willingness to target entire sectors, cities, and even countries. This is not just a political problem, although Russia-backed hackers have aimed to embarrass Ukraine’s beleaguered government. It is also a growing business risk. Sunil Vyas, Head of Global Markets at Axco Insurance Information Services, observed that “The attacks have big implications for insurers, apart from all the other chaos. [New cyber weapons] could make the [WannaCry ransomware thefts in May] seem lightweight.”
Ukraine is not the only victim, with the UK, Australia and the US experiencing electronic assaults in recent months. Wired Magazine also reports that next generation malware can be embedded like sleeper cells in networks, and direct systems to turn upon themselves at will. Hackers have already experimented with penetrating voting systems and computers at utility companies in the US, prompting concern for countries with weaker digital protections.
Meanwhile, policy has lagged behind technology, although the US Senate passed a bill that would codify sanctions against Russia in June. The proposed legislation penalises Russian industries for the country’s activities in Ukraine as well as its targeted leaks during the 2016 US presidential election. If approved by the House of Representatives, the bill will require that the executive submit a report to Congress to justify requests for sanctions relief, increasing scrutiny of any parties that stand to benefit.
If confirmed, the sanctions will allow Congress to argue that it is addressing Russian aggression. They will not deter independent or state-sponsored hackers. In the meantime, check your insurance policies and log off before going home.
If you’re interested in learning more about cyber risk, the @Atlantic Council and @Wired Magazine offer comprehensive coverage of recent attacks and the professional hacking class. The latest piece from Wired, linked below, reads less like a codebook than a thriller, describing Ukraine’s bout of digital seizures as a “proof of concept” that could be replicated elsewhere.
But many global cyber security analysts have a much larger theory about the endgame of Ukraine’s hacking epidemic: They believe Russia is using the country as a cyberwar testing ground—a laboratory for perfecting new forms of global online combat.