As Russia’s invasion of Ukraine escalates tensions with the U.S. and its allies, economists at Goldman Sachs are warning either side could resort to malicious cyber activity targeting companies and critical infrastructure as a means to inflict significant economic damage while avoiding direct military conflict, though there are indications the U.S. may have an economic upperhand that helps deter risk.
Though no Russia-based cyberattacks targeting the U.S. have been identified since Ukraine was invaded last month, Goldman economists led by Jan Hatzius said in a Monday research note that growing tensions have “raised the risk” of malicious cyber activity between the two nations, particularly since almost 60% of state-sponsored cyberattacks last year were attributed to Russia.
Of the 16 sectors the Department of Homeland Security has identified as critically important to the U.S. economy and national security, Hatzius says the energy, financial services and transportation sectors are particularly at risk of Russian attacks given their high economic importance.
Government-led cyberattacks have historically sought to steal intellectual property, sensitive financial plans and strategic information, but there have also been instances of attacks on critical infrastructure, according to Goldman, which adds that Russia last month hacked Ukraine’s largest financial institutions in the country’s biggest-ever cyberattack.
While improbable, criminal cyber activity aimed at critical U.S. infrastructure is still technologically possible and could be “extremely destructive,” Goldman notes, pointing out an attack that targets the Northeast U.S. power grid and plunges the region’s 15 states into darkness could cause between $250 billion and $1 trillion in economic damages.
A “high degree of dependence on digital technology” makes the U.S. particularly susceptible to cyberattacks, but there are reasons to be optimistic: High private-sector investment in cybersecurity, strict regulation and a strong higher education system help reduce the nation’s vulnerability, Hatzius said.
Additionally, the threat of U.S. retaliation is “likely a strong deterrent” to a Russia cyberattack, and frequent attacks in the past, both by criminal organizations and state actors, have also bolstered the nation’s ability to weather adverse behavior.
“The U.S. is less vulnerable to cyberattacks than most countries because it invests more in cybersecurity and has stricter regulatory requirements, especially in the financial sector,” Goldman said Monday, adding that Russia’s attacks last month, including spam text messages falsely claiming ATMs were down, left no lasting damage. “However, the U.S.’s high degree of dependence on digital technology increases the opportunities for disruptive cyberattacks, and experts say it would be difficult or impossible to fully defend against an extreme escalation of cyberattacks.”
Part of the decades-long conflict between Russia and Ukraine, the most destructive individual cyberattack to date happened in 2017, when malware dubbed NotPetya infiltrated a widely used accounting program in Ukraine, destroying tens of thousands of computers belonging to companies like pharmaceutical giant Merck. The attack, blamed on the Russian government, is estimated to have inflicted over $10 billion in damages—just over 10% of Ukraine’s gross domestic product at the time, according to Goldman.
$945 billion. That’s how much the Center for Strategic and International Studies estimates malicious cyber activity costs the world annually.
Goldman joins a growing chorus of experts and government officials cautioning that cyberattacks are now among the biggest threats to U.S. national security. Federal Reserve Chair Jerome Powell has long warned the central bank is concerned cyberattacks could trigger a market collapse similar in magnitude to the Great Recession if financial institutions’ ability to track payments is compromised—a risk the International Monetary Fund estimates may cost banks about $100 billion annually. Meanwhile, President Joe Biden’s national security team has reportedly made an effort to deter such attacks a top priority following reports that software vulnerabilities were being used to potentially compromise U.S. organizations.
What To Watch For
Though the White House last month denied reports that Biden had been presented with a menu of options to execute cyberattacks against Russia, the president later told reporters that the nation is “prepared to respond” if Russia pursues its own cyberattacks against U.S. companies or critical infrastructure. “For months, we’ve been working closely with the private sector to harden our cyber defenses, [and] sharpen our ability to respond to the Russian cyberattacks as well,” Biden said.