Elisabeth Braw is a senior fellow at the Atlantic Council, the author of the award-winning “Goodbye Globalization” and a regular columnist for POLITICO.
Over the past two years, state-linked Russian hackers have repeatedly attacked Liverpool City Council — and it’s not because the Kremlin harbors a particular dislike toward the port city in northern England.
Rather, these attacks are part of a strategy to hit cities, governments and businesses with large financial losses, and they strike far beyond cyberspace. In the Gulf of Finland, for example, the damage caused to undersea cables by the Eagle S shadow vessel in December incurred costs adding up to tens of millions of euros — and that’s just one incident.
Russia has attacked shopping malls, airports, logistics companies and airlines, and these disruptions have all had one thing in common: They have a great cost to the targeted companies and their insurers.
One can’t help but feel sorry for Liverpool City Council. In addition to looking after the city’s half-million or so residents, it also has to keep fighting Russia’s cyber gangs who, according to a recent report, have been attacking ceaselessly: “We have experienced many attacks from this group and their allies using their Distributed Botnet over the last two years,” the report noted, referring to the hacktivist group NoName057(16), which has been linked to the Russian state.
“[Denial of Service attacks] for monetary or political reasons is a widespread risk for any company with a web presence or that relies on internet-based systems.”
Indeed. Over the past decades, state-linked Russian hackers have targeted all manner of European municipalities, government agencies and businesses. This includes the 2017 NotPetya attack, which brought down “four hospitals in Kiev alone, six power companies, two airports, more than 22 Ukrainian banks, ATMs and card payment systems in retailers and transport, and practically every federal agency,” as well as a string of multinationals, causing staggering losses of around $10 billion.
More recently, Russia has taken to targeting organizations and businesses in other ways as well. There have been arson attacks, including one involving Poland’s largest shopping mall that Prime Minister Donald Tusk subsequently said was definitively “ordered by Russian special services.” There have been parcel bombs delivered to DHL; fast-growing drone activity reported around European defense manufacturing facilities; and a string of suspicious incidents damaging or severing undersea cables and even a pipeline.
The costly list goes on: Due to drone incursions into restricted airspace, Danish and German airports have been forced to temporarily close, diverting or cancelling dozens of flights. Russia’s GPS jamming and spoofing are affecting a large percentage of commercial flights all around the Baltic Sea. In the Red Sea, Houthi attacks are causing most ships owned by or flagged in Western countries to redirect along the much longer Cape of Good Hope route, which adds costs. The Houthis are not Russia, but Russia (and China) could easily aid Western efforts to stop these attacks — yet they don’t. They simply enjoy the enormous privilege of having their vessels sail through unassailed.
The organizations and companies hit by Russia have so far managed to avert calamitous harm. But these attacks are so dangerous and reckless that people will, sooner or later, lose their lives.
What’s more, their targets will continue losing a lot of money. The repairs of a subsea data cable alone typically costs up to a couple million euros. The owners of EstLink 2 — the undersea power cable hit by the Eagle S— incurred losses of nearly €60 million. Closing an airport for several hours is also incredibly expensive, as is cancelling or diverting flights.
To be sure, most companies have insurance to cover them against cyber attacks or similar harm, but insurance is only viable if the harm is occasional. If it becomes systematic, underwriters can no longer afford to take on the risk — or they have to significantly increase their premiums. And there’s the kicker: An interested actor can make disruption systematic.
That is, in fact, what Russia is doing. It is draining our resources, making it increasingly costly to be a business based in a Western country, or even a city council or government authority, for that matter.
This is terrifying — and not just for the companies that may be hit. But while Russia appears far beyond the reach of any possible efforts to convince it to listen to its better angels, we can still put up a steely front. The armed forces put up the literal steel, of course, but businesses and civilian organizations can practice and prepare for any attacks that Russia, or other hostile countries, could decide to launch against them.
Such preparation would limit the possible harm such attacks can lead to. It begs the question, if an attack causes minimal disruption, then what’s the point of instigating it in the first place?
That’s why government-led gray-zone exercises that involve the private sector are so important. I’ve been proposing them for several years now, and for every month that passes, they become even more essential.
Like the military, we shouldn’t just conduct these exercises — we should tell the whole world we’re doing so too. Demonstrating we’re ready could help dissuade sinister actors who believe they can empty our coffers. And it has a side benefit too: It helps companies show their customers and investors that they can, indeed, weather whatever Russia may dream up.
The post Russia wants to bleed us dry appeared first on Politico.
