While Russia’s war in Ukraine continues, the cyberattacks coming from the invading country have, surprisingly, been rather mild and contained, Senator Mark Warner, D-Va., said today.
Russian President Vladimir Putin has moved a large portion of his forces into Ukraine to support the invasion, but the observed cyberattacks have taken on a smaller part in the theatre, with two widely reported malware attacks being the largest threat vectors to come out of the war thus far.
Why that is, is a question Sen. Warner said he’s posed to leaders in the intelligence community in both public and private hearings recently.
“Why haven’t we seen the GRU [Russia’s foreign military intelligence agency] – or some of the entities that we know have the capacity to frankly shut down entire systems – shut down the internet? The fact that we’re still seeing these videos coming out of Ukraine surprises the heck out of me,” Sen. Warner said at a Center for Strategic and International Studies webinar today. “We don’t have an answer.”
Warner said there is a belief that such large-scale attacks haven’t happened due to a belief by the Russians that they would simply roll over Ukraine, taking over so swiftly that such attacks wouldn’t be necessary.
Christopher Painter, the former State Department coordinator for cybersecurity, said that could be a part of the calculation from Russia but said it is not as open-and-shut as a simple miscalculation.
Painter pointed to the possibility that increased Ukrainian cyber capabilities degraded Russia’s ability to attack critical infrastructure, as well as prior intelligence alerting to a planned Russian coup of the Ukrainian government that would potentially later require the use of the same infrastructure.
“One of the things we haven’t talked enough about is the crucial nature of preparation in order to launch effective cyberattacks, particularly around critical infrastructures,” Painter said. “So, I think it’s a very open question. Clearly, Russia for years has known how to go after critical infrastructure in Ukraine, but … did Ukrainian start to actually degrade that preparation and they may have taken some of that option off the plate from the Russians.”
Warner said another possibility is that Russia is holding those capabilities for the West, but added that he has also not seen any evidence of Russian cyber operations bleeding past geographical boundaries of NATO members. Regardless, he added that it is important for cyber defenders from the United States to stay ready and resilient.
“We, in the United States, need to, as CISA [the Cybersecurity and Infrastructure Security Agency] says, keep our shields up,” Warner said. “We know we can’t be 100 percent effective in our defense; we have to have resilience.”
USICA, America COMPETES, and Emerging Tech Policy
Warner also said that the House and Senate need to get together and pass a conferenced legislation that includes funding for the CHIPS Act.
The Senate passed the United States Innovation and Competition Act in July 2021, which included $52 billion to fully fund the CHIPS Act. After initially passing two other alternatives, the House passed the America Creating Opportunities for Manufacturing, Pre-Eminence in Technology and Economic Strength (COMPETES) Act in February, which would also fully fund the CHIPS Act. The bills have been awaiting conferencing as a full-year omnibus bill for fiscal year (FY) 2022 took priority.
Pressure to conference the bills, pass them, and get them to the President’s desk has picked up this month, with both President Biden and a bipartisan group of 147 congress members each pressing for action to pick up.
“This is so long overdue,” Warner said. “I know in America, we have been appropriately reluctant to do anything that appears to be industrial policy, but we are seeing the semiconductor shortage in this country right now play into inflationary tactics, in terms of inflation in terms of automobiles, the fastest-growing component of inflation our country.”
“Both the House and the Senate have passed it. We need to get our act together and get that bill to the President’s desk,” he added. “That’s national security; that’s jobs; that’s American innovation and leadership. All things that I think, frankly, the world is calling out for at this moment in time.”
Warner added that if the United States is able to take the lead on increased semiconductor production, he sees a pathway for similar investments in emerging tech like artificial intelligence, quantum computing. He also called for the building of technology alliances, similar to the military alliances that were born post-World War II.
R&D and Cyber Funding, plus a wrinkle
“If you look at us on any kind of historic basis, our investment in basic R&D and innovation is dramatically smaller as a percentage of our GDP (gross domestic product) than it was you know, 40-50 years ago,” he noted.
“Whether we take Huawei and 5G or the shortage on chips, it’s kind of our generation’s Sputnik moment,” he added, referencing the Earth’s first artificial satellite, launched by the Soviet Union. “I absolutely believe we need additional investments in basic R&D.”
While he said that investment in cyber R&D is ramping up on the Federal side, more investment needs to be done there, as well. He said that particularly, smaller organizations and state and local governments.
“There’s lots more we can do, especially among smaller governmental entities,” he said. “Some of this funding ought to be coming on the public side at the state and local government. The number of K-12 school divisions that have been cyberattacked; I think most people would flip out if they actually had that number.”
Notably, when talking about the cyber incident reporting legislation included in the FY2022 omnibus, Warner said he thought President Biden has signed the bill into law. However, despite its passage in both chambers, Biden signed the four-day continuing resolution March 11, pushing the deadline to sign the bill until March 15. The bill is still awaiting his final signature before then.