When it comes to cybersecurity vigilance, Dmitri Alperovitch wants to see more focus on resiliency of IT systems — and less on doing "surges" around particular dates or events.
For instance, whatever Russia is doing at the moment.
In an interview with Protocol, Alperovitch, a Russian-born cybersecurity and geopolitics expert, said he doesn't want to see the U.S. oscillating between moments of high alert and lesser states of readiness on cybersecurity.
Instead, "every organization needs to have the mindset that today could be the day when they get hit," said Alperovitch, who previously co-founded and served as the CTO of cybersecurity powerhouse CrowdStrike. He is now the co-founder and executive chairman of Silverado Policy Accelerator, a Washington think tank.
Alperovitch also spoke with Protocol about the reasons why a Russian cyber escalation against the West might still occur; why we don't have many details on the successful cyberattacks against Ukraine; and the importance of being clear about what the U.S. is doing on offensive cyber operations.
This interview has been lightly edited for clarity and brevity.
Do you see a possibility that Putin would try to use cyberattacks to get Western sanctions lifted?
I would say there are much more effective tools in his arsenal to pressure us. He has used a few of them. He's banned the export of fertilizer, for example, which obviously is exacerbating the food crisis. But he has not banned the export of a lot of critical materials: aluminum, nickel, titanium, palladium and others that are critical for our industry. So there's still a lot of leverage that he has that he has not used. That will probably be the first thing that he tries to do, before he's going to resort to cyberattacks.
How likely is it that things will get to that point? And when could that be?
If they feel like the sanctions that are most impactful to the Russian economy — the financial sanctions on the banks, as well as on the imports of semiconductors that are shutting down much of Russian industry — if those sanctions have no prospect of being lifted, or being mitigated through other mechanisms, then yes, I think he would look to increase pressure on the West through cyber.
He may not necessarily have a lot of hopes that cyberattacks alone would change our mind — and I don't think they would — on sanctions relief. But combined with other tools that he may have to further increase inflation, to further drive economic instability in the West, he may decide that it's a tool worth pursuing.
[In terms of timing] Moscow is looking at a lot of political polls here in the United States, and the prospects of a Republican takeover of Congress in the midterms. So I don't think that they'll do anything before all of that gets resolved. And then they'll reevaluate where they stand and what their chances are.
So not before the U.S. elections in November, at the very least?
Yeah, and probably not until early [winter] to mid-winter.
[Putin] is also not in a rush, because he can sustain this for quite some time. Over the long term, if he doesn't get those sanctions removed, the Russian economy will be a basket case. But he has time to try to fix that.
What do you think a Russian cyber escalation against the West might look like?
If there are those attacks launched, they'll be done by Russian intelligence services — most likely GRU, as they have the mandate overall for disruption and disruptive cyberattacks.
Are Russian data-wiper attacks against the West possible at some point?
Yes, absolutely.
Could the ransomware groups have a role to play?
I don't think there will be direct tasking. There might be signals that will be sent to groups that it's a free-for-all, and if you target Western interests, there'll be no repercussions. But I don't think that they will use them in a direct fashion against specific targets.
Do you think that cybersecurity vigilance in the U.S. is still as high as it was earlier this year, when the "Shields Up" warnings were first issued? Or do you think it's subsided at all?
You can't be on high alert for four or five months, [which is how long] this has been going on. That's just not sustainable. People have to take vacations. People have to resume normal operations.
I do wonder if putting people on high alert was the right decision, because the reality is that every day in cyberspace has the potential to be a really bad day. Every organization needs to have the mindset that today could be the day when they get hit. And they need to focus on resiliency. They need to focus on rapid detection and response. And that needs to be just a normal part of the operations. Doing "surges" on particular dates, or related to particular events — that's not sustainable.
When it comes to resiliency, what are the most important areas for organizations to prioritize?
Focus on assuming that your network can get destroyed — assume that it can go down — and practice rebuilding it. Practice operating without it. That's what U.S. government folks should be focused on, as far as their purview is concerned. That's what industry should be focused on as well.
The Ukrainians have had a lot of practice — eight years of practice — at responding to Russian wiper attacks on their networks. And so they have gotten very good at minimizing the damage, being resilient and rebuilding networks when they're destroyed. That's not necessarily something that many organizations in the United States practice. They focus very much on the prevention piece of it, but do not spend enough time looking at what happens when prevention fails.
So for U.S. businesses, what is the biggest lesson on cybersecurity from Ukraine?
The lesson from Ukraine is that cyberattacks don't need to result in a disaster. Because if you're prepared, you can survive through it. And practice makes perfect. There's no reason why organizations, particularly those in critical infrastructure, shouldn't be doing those types of practice rounds themselves right now.
Speaking of the cyberattacks against Ukraine, why do you think it is that we're not hearing many details about the cyberattacks that have succeeded?
The Ukrainians are so good at operational security, about not revealing what's going on — not just in cyberspace, but throughout the whole war. We know so little about the casualties that they've sustained, very little about the damage that's been done — both in the course of the war and through cyber. They've just been very, very tight-lipped about that. And understandably so, because they don't want to demoralize their own population that is under siege. But also, they want to present themselves in the best possible light to the West. So they're obviously not interested in publicizing their own misses and losses.
What are your thoughts on the recent comments by General Paul Nakasone [who heads U.S. Cyber Command and the NSA] signaling that the U.S. has engaged in some type of offensive cyber operations in support of Ukraine?
I think we just have to be very clear when we talk about cyber operations that we're waging — to the extent that we're going to talk about it publicly — about what that means. Because offensive cyber operations can mean an entire range of things. [It can range] from purely intelligence collection, to trying to take action against some of their servers that they may have overseas, that can be used in cyberattacks that they're launching against Ukraine, to actually taking action inside Russia itself, [such as] destructive actions.
I don't think there's any evidence that we're doing the latter. And not being clear on that, I think, can provoke the Russians to retaliate unnecessarily.