5 March 2014

Russia, the Ukraine invasion, and U.S. cybersecurity implications

Summary: ZDNet's resident cyberwar expert, David Gewirtz, presents a SITREP (situation report) analyzing unexpected areas where US interests might be vulnerable in the unlikely event that the Russian invasion of Ukraine generates a response by US or UN forces.

March 3, 2014 

Could America end up in a shooting war with Russia over Ukraine? It's unlikely, but there are precedents that would support such an action.

One of the jobs of geopolitical strategists is to "game out" possible scenarios -- however unlikely -- to help prepare national security officials and the National Command Authority for possible weaknesses in our security and attacks that might come from unexpected quarters.

Russia and the Ukraine are one such scenario. Speaking of unlikely, one of the earliest people to speak of Vladimir Putin's possible invasion of Ukraine was Sarah Palin back in the 2008 presidential campaign. She made the statement as part of one of her many seemingly over-the-top criticisms of then-Senator Obama.

Now, of course, such an invasion is taking place. Russian troops have already taken hold of Crimea and Putin's puppet parliament voted unanimously to deploy troops in the rest of Ukraine.

A matter of precedent

Here we have a case of a stronger, strongman-led country invading a weaker neighbor for the strategic benefits it can provide. Do we have another example of such an invasion -- along with an American response -- that we can use as a precedent? If so, we might be able to predict one way America might respond to Russia's act of aggression.

As it turns out, we do. It was August 2, 1990 at 2am local time that Iraqi tanks rolled across the border into Kuwait, beginning both the occupation of the smaller neighbor country and what would come to be known as the first Gulf War.

Shortly after the invasion, the UN Security Council met and passed Resolution 660, which condemned the invasion. Two other resolutions followed, one authorizing economic sanctions and another authorizing a naval blockade of Iraq.

After four months, when Iraq still did not remove its troops, the UN passed Resolution 678, which set a deadline of January 15, 1991 where, if troops were not removed, a coalition of troops from 12 countries and the UN would invade. Of course, of the 956,600 troops overall, 697,000 were from the United States. So while the US made up 1/13th of the coalition, almost 75 percent of the troops (and presumably money and materiel) came from the US and US taxpayers.

Operation Desert Storm began on January 17, 1991 and ended famously in Iraq, 150 miles from Baghdad.

So there we have precedent. A large, belligerent country invaded its neighbor, the UN condemned it, the invader did not withdraw, and eventually the UN (made up mostly of US troops) got into a shooting war to force withdrawal.

Differences between Iraq and Russia

Given this precedent, it is possible to postulate that a similar course of action might (and I stress "might" rather than "will") happen with Russia and its invasion of Ukraine.

There are, of course, considerable differences in these two situations. Saddam Hussein's Iraq was far more isolated on the world stage than Putin's Russia. After all, the Olympics just took place in Sochi. Russia has embraced international trade and actively both exports and imports products. Putin has also been a much more deft international figure than Saddam, creating something of a cult of personality outside his nation, rather than abusing the vast majority of his citizens within it. Of course, if you're in Russia, it's probably prudent not to get Putin peeved at you.

Further, while Saddam's 1991 Iraq was very well armed, it still wasn't Russia, with its far greater armament and years of Cold War experience staring down Western allies. The bottom line is simply this: going to war with Putin's 2014 Russia is vastly more dangerous and substantially less likely to succeed than going to war with Saddam's 1991 Iraq.

That said, let's say it happened. Let's say the UN repeated its 1990-1991 pattern and passed a series of resolutions that were summarily ignored by Putin. Let's then say that a coalition of forces (mostly the US, of course) was deployed to push back against Putin's troops.

For the purpose of this discussion, I'll leave the ground, sea, and air war to the admirals and generals to plot out. Let's, instead, look at the cyberwar.

First, there wasn't much of a cyber force back in 1990 and 1991. The Internet was around, but only barely, and it certainly didn't underpin everything we do in society and it most certainly didn't connect virtually everyone on the planet.

The technological difference between the cyberwar arena now and the Gulf War of 1991 can be compared to the technological difference between the Civil War and World War II when it came to air battles. In the Civil War, there were no air battles. In the Gulf War, there were no cyber battles. In World War II, there were many famous and deadly air battles. In our as-yet-unnamed Ukraine war, there would most definitely be cyber battles.

Digital WMDs

Although the US has yet to formally admit to the capability, we have every reasonable expectation that America is capable of fielding cyberweapons. Stuxnet is widely considered to be one of the first such weapons and there have been others reported since the original Stuxnet revelations in the news media.

In May through July of 2012, I brought together a team of former White House and Secret Service officials to simulate what would happen if something like Stuxnet were deployed against America. The simulation was disturbing and showed just how vulnerable US infrastructure is to cyberattack.

There is no doubt that Russia would engage in cyberwar if attacked conventionally. As far back as 2008, Russia engaged in both armed and cyber conflict with former Soviet state Georgia in the South Ossetia War. If Russia was willing to kick off cyberwar that early in the evolution of cyber battlespace, we can reasonably expect Putin would be willing to pull the cybertrigger today.

For the past decade or more, Russia has been something of a "frenemy" of the United States. We have cordial relationships and we certainly import the nation's products (and they, ours), but there's also a bit of a cold shoulder between leaders of the two powers.

Of course, add to that the fact that Russia is harboring NSA-thief Edward Snowden, who caused tremendous economic and foreign policy harm to US citizens and US interests.

Russia's software industry and Putin

Another difference between the Russia of today and the Iraq of yesteryear is that many American citizens and corporations are running Russian technology in their most sensitive systems. I've discussed the relationship between Eugene Kaspersky and Putin at length, but it's important to note — to stress — that Kaspersky's software runs on many of our computers. To quote my Counterterrorism article from 2012:

"Kaspersky has an enormous reach. Market analyst Gartner estimates that Kaspersky ranks third in providing consumer antivirus software. It ranks fifth among those companies providing antimalware software for corporate users. Wired says Kaspersky sold nearly as much antivirus software as Symantec and McAfee — combined."

Kaspersky isn't the only Russian company providing software to the American market. I run Parallels as my Windows virtualization solution on my monster iMac. Although the company lists its headquarters as Seattle, Washington, the Russian software industry site Software Russia lists Parallels as a Russian company. It also lists Acronis (the disk imaging company) and Paragon (the disk recovery company), among others, as Russian.

Each of these is a company whose products many of us in the West have installed, and those products function at a very low level inside our machines. Who needs to sneak a rootkit onto "frenemy" machines when you supply the virtualization, antivirus, and imaging technologies used by vast numbers of users?

The Russian IT outsourcing industry

That's not including all of the IT and development outsourcing that goes to the very talented programmers in Russia. According to Software Russia and RUSSOFT, Russia provides more than $2 billion in IT and development outsourcing each year.

We can roughly size that by using another detail provided by Software Russia: the average monthly salary of a Russian developer (converted to US dollars). In 2013, the average monthly salary was "$2,448, or about 80,000 rubles". So let's take $2 billion and divide it by 12 to get about $166 million per month in Russian outsourcing revenue. Dividing that by $2,448 gets us an outsourcing industry of roughly 70,000 Russians.

Wolfram Alpha says there are about 367,000 programmers in the US, which puts Russia's IT outsourcing capability at almost 20 percent of our entire development capability.

Unexpected weaknesses in American defenses

All of that brings me back to Ukraine and a highly unlikely, but plausibly possible shooting war between US and Russian forces. The details above show just how extensive Russia's reach is into our individual computers and possibly into our IT operations. And that brings me back to our original strategy analysis, where we're looking for weaknesses in unexpected quarters.

If you think that rumors of American businesses beholden to US government agencies like the NSA (responding to hidden National Security Letters and all of that) are true, imagine just how beholden Russian software developers and companies are to former KGB operative Vladimir Vladimirovich Putin.

If Americans and others are worried that American companies are putting backdoors and encryption loopholes in American software and systems at the behest of the NSA and other government agencies (which has yet to be proven), imagine the kinds of demands that Putin might put on his software industry, especially for so-called security software that we Americans are blindly running on our machines.

Therein lies the unexpected risk and potential weakness. We're somewhat prepared as a nation to fight and defend against cyberwar attacks, against malware attacks, and against advanced persistent threats by terrorists, nation states, and enemy actors. But we are completely unprepared to defend against threats from the products and services we buy and welcome into our homes, offices, and data centers.

That's something to think about, isn't it?