On March 21, President Biden issued an urgent warning to American business leaders to strengthen their companies’ cyber defenses immediately. In recent weeks, experts have been surprised by the lack of full-scale cyberattacks by Russia. But the threat of devastating cyberattacks is still very real and American companies and individuals must remain vigilant, warned Liberty Vittert, professor of practice of data science at Washington University’s Olin Business School.
“With the war in Ukraine seeming to only ramp up, instead of down, and Putin’s aggression against those that would defend the Ukrainian people increases, it only seems appropriate to ask ‘What is an act of war against the United States?’” Vittert said.
The United States was launched into World War II after the Japanese attacked Pearl Harbor, killing 2,403 American soldiers and civilians. That was an act of war that the U.S. could not ignore. It’s unlikely that Russia would attack the U.S. in the same way, though.
“Most assume that nowadays it would be an act of cyber warfare, not an actual physical attack. But what does that mean?” Vittert asked.
“The Russians and the Chinese have been responsible for cyberattacks for years on the United States. From the SolarWinds Russian-linked cyberattack in 2020, and the cyberattack on the Colonial Oil pipeline less than a year ago, we have numerous examples of Russia testing our systems.
“China has been much worse, with multiple Chinese-linked cyber hacks on Microsoft, on Google and even on our news sources like The New York Times,” she said.
Previous cyberattacks have not been treated as acts of war, which begs the question: What sorts of actions would cross that line?
“If Russia targets the U.S. banking system, is that enough? Do they just need to access the systems, do they need to shut it down, do they need to steal? What is bad enough that we would call it an act of war?” Vittert said.
“If pipelines are targeted, how long do they need to be down before it is an act of war? Someone I spoke with recently said it would be an act of war if Americans died. If the U.S. has access to oil pipelines shut down for any period, I can guarantee you there will be deaths. How many is necessary to consider it an act of war?
“The answers to these questions are complicated and frankly unknown. This is a new tool in the new toolbox of war,” she said.
Already, Russia has attacked Ukraine in multiple ways, including hacking business and financial systems in the country. As for an attack in the U.S., Vittert said it is just a matter of time.
“Most would say that the U.S. has the most sophisticated (cyber) defense systems and — on the other side of it — the most sophisticated attack systems,” Vittert said. “But the problem with cyberattacks is that they only need to get in once to cause devastating damage, whereas we have to defend against so many.”
Most large corporations and financial systems likely have in-house cyber protection capabilities but, for smaller businesses, Vittert recommended hiring a cybersecurity company to ensure your company is protected. All businesses — large and small — should review their cyber protection systems to ensure they are up to date and as protected as they believe them to be.
“This isn’t something to take lightly whether it be an attack from a foreign adversary or simply a criminal one,” Vittert said.
As for individuals, Vittert said it’s important to change your passwords regularly and never use the same password for your banking systems as you do for other websites.
“It’s much easier to hack a magazine website, for example, but if you use the same passwords, you’re potentially facing some real trouble,” Vittert warned.