With Vladimir Putin denied the quick victory he hoped to achieve with his invasion of Ukraine, the Russian military is reevaluating its strategy -- which may now include cyber attacks that could broaden far beyond those that the Russians have been waging against Ukraine for months.
Obviously, no one knows for sure what Putin will do next. But Russia has a history of hacking, even against major powers. According to the Mueller report, Russian government hackers stole emails from the Democratic National Committee in 2016 as part of Putin's effort to help elect Donald Trump president. In 2021, a gang of Russian hackers launched a ransomware attack that shut down the Colonial Pipeline and cut off its supplies of gasoline in the U.S. East and Southeast. And Putin has said that even nuclear weapons are on the table if other countries intervene in his war on Ukraine, while listing 13 countries that have been "unfriendly" to Russia, so it's hard to imagine that cyber warfare isn't somewhere in the cards.
Insurers would do well to prepare themselves and their clients for the possibility of cyber attacks, to the fullest extent possible.
Electric grids have been shown to be especially vulnerable to being shut down by cyber attacks. The same is true for pipelines, such as Colonial, and other infrastructure. But the range of targets could be broad. Perhaps banks would be hit because the U.S. and European allies have imposed sanctions that have hobbled the Russian financial system. Perhaps hospitals would be targeted, too, just to impose some misery on countries that have stood up to Russia. Perhaps oil and gas companies, which have announced that they're pulling out of ventures in Russia, would be hit.
Something doesn't even have to be a direct target to potentially be hurt. Cyber attacks that shut down the electric grid, a major oil or gas pipeline, banks or hospitals could have severe ripple effects if they are broad or lengthy. This is my big fear for the insurance industry: I see no reason why insurers should be a primary target, but they will have to deal with any effects from business shutdowns, homes without heat and electricity, etc.
And cyber attacks have a way of hitting more targets than intended. My time covering such attacks goes all the way back to 1988, when a graduate student at Cornell wrote a "worm" that was designed to show vulnerabilities in a commonly used operating system and, because of an error in his coding, pretty much shut the internet down for days. And Russian government hackers aren't immune to such errors: In 2017, they unleashed the NotPetya worm that attacked Ukraine and did billions of dollars of damage -- including to Rosneft, the Russian oil company.
As this article in the Wall Street Journal explains in detail, "Russia, in particular, has a history of unleashing cyber weapons that wreak havoc far beyond the computers and networks that were their original targets." And the reckless collateral damage could be even more extensive if Russia turns vigilantes loose on foreign governments and countries.
The article says that "cybersecurity experts are broadly surprised that Russia’s cyberattacks haven’t up to this point been more effective or devastating," and I dearly hope the low impact continues. But I worry about what will happen if Putin becomes desperate.
Let's hope this column looks silly in a couple of months, a wimpy false alarm. But, as I've seen many people note since this Russian craziness began, "Hope is not a strategy."