Although Russia reports that it has ceased amassing troops along its border with Ukraine and NATO officials are expressing “cautious optimism” for a diplomatic resolution to the simmering conflict, a major concern remains between the two nations: that Russia might attack its neighbor, not only with traditional ground and sea assaults but also with exploitative computer codes aimed at crippling Ukraine’s financial systems and critical infrastructure.
Indeed, a tool developed by Johns Hopkins experts predicts “an extremely high likelihood” of just such an attack.
The Cyber Attack Predictive Index, or CAPI—devised by Anton Dahbura, executive director of the Johns Hopkins Information Security Institute and co-director of the Johns Hopkins Institute for Assured Autonomy, along with cybersecurity and global affairs expert Terry Thompson, an ISI lecturer who is also affiliated with the Johns Hopkins School for Advanced International Studies—predicts the possibility of future cyber conflict between nations.
A cyberattack, as defined by CAPI, is an event that damages a nation’s “critical infrastructure, destroys sensitive information, inflicts economic or physical losses generally, or is used as part of hybrid warfare involving cyber as well as more conventional forms of military conflict,” Dahbura says. The tool doesn’t score traditional forms of hacking, cybercrime, or spying by nations, Dahbura notes, unless those actions result in significant loss or destruction, as in the 2017 “NotPetya” attack by Russia against a Ukrainian software company that caused billions of dollars of damage to the global economy.
The CAPI tool examines country pairs and assigns risk scores, with five being the highest risk, in five categories:
- The presence of a knowledgeable, organized cyber force
- Possible motivations for attacking a target
- Lack of fear of repercussions
- The consistency of a cyberattack with a country’s overall national security strategy
- Technological vulnerabilities in the target
The total combined score, Dahbura says, places the country pairs in one of four predictive categories describing the possibility of a cyberattack: Extremely High Likelihood, High Likelihood, Likely, and Low Likelihood. The scores can vary over time depending on evolving geopolitical factors, and the CAPI Advisory Board monitors current events to watch for potential cyber conflicts. Interestingly, country pair scores can differ depending on which country is the potential aggressor. Both Israel and Iran have the potential to execute a cyberattack against each other, for example, but Iran scores lower on the heat index for having a higher fear of repercussions and having fewer vulnerabilities to exploit in its target of Israel.
Recently, the score for Russia and Ukraine spiked to the highest possible level, a score of 25 out of 25.
“The score of 25 is based on the potential Russian incursion into Ukraine and on Russia’s history of successful cyberattacks on Ukraine’s government and critical infrastructure, as well as their continuing practice of experimenting with new hacking techniques on Ukraine,” Dahbura says.
The Hub spoke with Dahbura and Thompson about what CAPI indicators reveal about the situation at Ukraine’s border and what a cyberattack might look like in 2022.
What might a Russian cyberattack on Ukraine look like? Are there hallmarks of how Russia uses cyberwarfare?
Thompson: There are two excellent examples of how a Russian cyberattack on Ukraine would unfold: the 2008 incursion into Georgia and the 2014 occupation of Crimea. In both cases, Russian military operations on the ground were preceded by disinformation in published and social media and by denial-of-service attacks on computer networks. This approach is outlined in Russia’s military doctrine that describes the need for coordinated military and non-military activities including political, economic, and information warfare, and the use of special operations forces to stir up popular opposition to the adversary’s government. This approach has been termed “hybrid warfare” by Western analysts and was employed successfully by Russia in the occupation of Crimea.
Consistent with its overall goal of destabilizing Ukraine’s government, Russia has already begun using disinformation in social media and spotty cyberattacks on Ukraine’s electric power grid. They conducted brief but serious cyberattacks on the power grid in 2015 and 2016, indicating that they know how to exploit the vulnerabilities in Ukraine’s infrastructure. In the run-up to a Russian incursion, cyberattacks causing widespread power outages are likely, as well as attacks on other critical infrastructure supporting Ukraine’s government and economy. Published reports have described Russian efforts to seed popular unrest through various means. All this points to Russia using the same playbook they used in Georgia and Crimea.
What impact or effect would a Russian cyberattack on Ukraine have on American national security?
Thompson: Previous Russian attacks on Ukraine’s power grid and other Russian cyber actions have already had an impact on U.S. national security because we face the same threat. Russian hackers penetrated networks connecting U.S. electric companies in 2017, placing cyber implants that—if not discovered—could have led to severe outages. Cyberattacks attributed to Russia also occurred in 2020 against the U.S. computer industry (“SolarWinds”) and in 2021 against the national energy infrastructure (“Colonial Pipeline”). Russia has been exploiting U.S. networks for the purpose of espionage since the mid-1990s, if not earlier. Using similar techniques to conduct cyberattacks against critical government and commercial infrastructure is fairly trivial by comparison.
The U.S. government has taken the Russian cyber threat seriously, establishing U.S. Cyber Command in 2010 to deal with cyber threats against government and military entities and the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security in 2018 to address cyber threats to critical infrastructure. We also updated our national security strategy in 2017 and national cyber strategy in 2018 to include cyberspace as a critical component of national security. We also have a “declaratory policy” stating that the U.S. will respond to cyberattacks with “swift and costly consequences” to any country that conducts “significant malicious cyber activities” against the United States.
What other countries or areas of the world also have high scores now? Why?
Dahbura: Besides Russia vs. Ukraine, the other country pair in the Extremely High Likelihood category in the CAPI Heat Index is Israel vs. Iran. This score is based on a history of cyber conflict between the two countries and the ongoing Israeli concern about the possibility of Iran developing nuclear weapons. While Israel’s recent change in government may soften Israel’s previous rejection of the Joint Comprehensive Plan of Action and may lead to a change in CAPI’s scoring, the possibility of increased cyber conflict among these regional rivals remains high.
Besides your team, who is using CAPI? Who maintains and works on the site?
Thompson: The project is used by students, researchers, and journalists in the U.S. and other countries. We see hits on the CAPI website from countries all over the world, and while we don’t know exactly who the users are, we do know they come from countries in Europe, Asia, and Latin America. The CAPI Twitter feed has nearly 200 subscribers who monitor CAPI on a regular basis.
Dahbura: CAPI started as an undergraduate research project in 2019. The student, Divya Rangarajan, was a Woodrow Wilson Fellow in the Krieger School of Arts and Sciences and selected the topic of cyberwar as her topic. After discussions with me and other JHU ISI faculty, the project evolved into a unique approach to cyberwar: trying to predict future cyber conflicts between countries. We formed the CAPI board in fall 2020 to track and score country-pair potential for cyber conflict.
We designed the structure to be a combination of undergrads in international studies, as well as computer science, to give the students a sense of world affairs as well as the more technical aspects of cyberattacks that need to be understood. The students meet several times per week to prepare and present reports about different regions and we apply our methodology to keep the Heat Index updated as needed. The students also build new features into the website and run our social media campaign. The students tell us that this is a very worthwhile and rewarding experience.