Current Russian conflict in Ukraine sets up a global game of Cyber Chicken

April 1, 2022
Former U.S. State Department veteran Richard Clarke warns of a potential hybrid war with Putin that could escalate beyond the network if the risk is not understood

In the corporate world, detecting risk is oftentimes easier than getting an organization’s executive team to take that risk seriously and ultimately act on mitigating the threat. The challenge of being a corporate Cassandra is analogous to that of the mythological Greek goddess who was the daughter of Priam, the last king of Troy. The god Apollo, who took her as a love interest, promised Cassandra the gift of prophecy if she would only succumb to his carnal desires. She agreed to the bargain and was granted the gift but promptly rebuffed Apollo’s advances. As punishment, Apollo decreed that although Cassandra would indeed receive the power of prophecy, none of her prophecies would ever be believed, which was unfortunate since her first vision -- the fall of Troy -- went unheeded.

Whether it be a corporate boardroom or a State Department’s war room, risk analysis and business intelligence are only as good as the intention of those who choose to embrace them. That is the premise of Richard A. Clarke, the former Deputy Assistant Secretary of State for Intelligence for President Ronald Reagan, the Assistant Secretary of State for Political-Military Affairs under President George H.W. Bush and the National Coordinator for Security, Infrastructure Protection, and Counterterrorism for the National Security Council during the Clinton administration.

During a recent virtual one-on-one interview entitled “Threat Briefing: Russia’s War on Ukraine, a National Perspective,” moderated by Andrew Moyad, the CEO of Shared Assessments, Clarke, the current Chairman and CEO of Good Harbor Security Risk Management (a cybersecurity risk advisory firm that serves the C-suite), did a masterful job of correlating how Cassandra events played decisive roles in instigating the Iraq war and the current Russian aggression in Ukraine, and how failure to heed intelligence reports has negatively impacted global business operations in Ukraine and Russia for those organizations that are only now attempting to protect their assets.

Don’t Ignore Cassandras When It Comes to Risk

In Clarke’s recent book, Warnings: Finding Cassandras to Stop Catastrophes, he describes how present-day Cassandras clearly predicted the disasters of Katrina, Fukushima, the Great Recession, the rise of ISIS and other impactful events, and begs the question: how do we assess which of the warning signs for impending disasters, like threats from artificial intelligence, biohacking, mutating viruses, cyber incursions and others, are right or wrong, and how do we respond to those potential risks?

“Whether you're a nation-state, a conglomeration of nations like NATO, or whether you're a corporation, none of us want to assume the worst-case scenario. People who talk about the worst-case scenario are derided by corporate boards in C-suites. They're also derided in the Situation Room. Because I've done that for a couple of decades. I talked about the worst-case scenario, in the Situation Room,” relates Clarke. “Most of the time, people look askance at you if you do that. But what we found in the book Warnings was that in every case, they were well-established experts who, putting aside their prediction on a particular event that might have been controversial, were well esteemed by their colleagues. We found this across all endeavors. We found it in terms of finance and science and engineering and national security.”

Clarke harkens back to the 2016 presidential election, when intelligence began to pick up chatter of potential Russian interference. But it was viewed as a case of “first-occurrence syndrome,” meaning that since the Russians had never interfered in an American election before, no one could believe that it might be happening now. Clarke, who is a Republican and served under two GOP administrations, credits the current Biden administration for believing U.S. intelligence about probable Russian meddling in 2020 and taking proactive risk mitigation approaches to negate any threats.

“They (the Biden administration) looked at the intelligence beginning in November 2020, and said, ‘This looks credible. Let's monitor it.’ Let's see if it progresses in that direction. And as it progresses in that direction, let's start doing the mitigations that we can, and let's start doing the planning scenarios. They had tabletop exercises in the Situation Room where they walked through various scenarios to see what could happen,” Clarke says, pointing out that they strategized the follow-up effects and what moves they might expect then and moving forward so the government was ready to respond. “It shows because they (Biden’s team) were able to get the NATO Alliance united in a very short period of time; having worked with the NATO alliance for years, let me tell you, that really is like herding cats. So yes, there are some lessons here about warnings. There are some lessons here about worst-case scenarios. Let your mind go to the worst-case scenario and don't be afraid to present it. Because frankly, the worst-case scenario happens a lot. I think the key thing here is, Cassandras are not cranks, they're experts that possess empirical evidence.”

Clarke admits that calculating and evaluating risk, especially on a grand scale, can be precarious. In the case of the Russian invasion of Ukraine and the subsequent human misery and economic uncertainty that has resulted since late February, the Cassandra effect has been monumental. Both the Ukrainian government and its citizens were reluctant to believe Russia, its sister country, would actually launch such a callous and ferocious attack. However, most NATO governments appreciated the actual risk assessments that myriad intelligence agencies were providing and stood prepared to act. But Clarke contends that there was still a false sense of security for global businesses operating in both Russia and Ukraine.

“The world was caught off guard with the exception of the NATO alliance because they were informed beginning in December and in January, including the U.S. and the UK, which also had good intelligence about this. But I think many corporations didn't believe it. I am on the board of a corporation that had a major operation team in Ukraine and when I began talking to that corporation, the CEO and the board at the end of November (2021), I was met with a lot of skepticism.

“But I was able, again, using empirical analysis, to show from open source, what I thought was going on. By the time we were into January (2022), we had a plan in place to pull our Ukrainian employees out and we put the capability in place, and it cost us some money. To be frank, it cost us a little bit of disruption as well. But unlike some other companies, we got our people out and we're now able to restore their operations in another country,” explains Clarke.

Playing out the Kobayashi Maru Scenario

According to Clarke, the defense and intelligence establishments of the world’s top thirty governments had risk scenarios in place to deal with anticipated data breaches and network interruptions, but preparations for economic and energy planning were wild cards that are now doubling down as insurmountable risk challenges. He states that it's interesting how, during the planning phase, strategic preparation is slow and calculated, but then when events begin to unfold, they do so at a rapid pace, triggering a domino effect of other events that move extremely fast. Risk managers and organizations, in turn, may find it hard to digest all the incoming data. That's the nature of crisis -- overwhelming amounts of data coming in to the decision-makers that may not be properly filtered the way it would be in a non-crisis situation.

“Decision-makers get information that is not filtered, not analyzed and may be wrong, and because of the volume of information, they miss things. This is one of the reasons why I'm a big advocate of training for crisis management, having crisis management exercises that are realistic and putting the actual decision-makers, not their deputies, through the wringer. I do this a lot with companies where I have what Star Trek fans will recall, and what I call, the Kobayashi Maru scenario,” quips Clarke, referring to the Star Trek training exercise featured at Starfleet Academy that was a requirement for graduation.

“It was a no-win scenario, and that was the point of the exercise; to make you sweat. No matter what you did, you failed. I think a lot of senior-level managers and corporations have never really failed, or never had actual blame assigned to them. They need to go through an exercise that makes them sweat and makes them realize the worst-case scenario can happen and that the policies and procedures they have in place may not work,” he adds.

The reality, says Clarke, is that many times risk managers will put remediations in place -- if this happens, will I have this backup system -- but they have never asked the following questions: What if the backup system fails? What are the things that make the backup system work? And if there is this general crisis, will some of those requirements for the backup work and will they also be up? These are the scenarios he recommends for executive risk training exercises so that an organization can prepare its risk personnel for this kind of out-of-the-box thinking.

Cyber War and the Game of Cyber Chicken

The most talked-about fallout from the current collision of Russia and Ukraine doesn’t emanate from the rusting hull of Chernobyl’s ominous nuclear plant; it is the looming threat of a full Russian cyber assault against Ukraine and its NATO allies. In another Clarke book published in 2010, Cyber War, he said the U.S. would require sweeping new laws, regulations and policy in order to protect the nation from the emerging cyber threat. He proposed a defense triad strategy that included securing the U.S. cyber backbone, securing the nation’s power grid and mandating security best practices on all government networks. He now maintains that there are prospects of a global cyber war based on current events, despite the fact that many experts often concede that cyber and so-called kinetic war are parallel tracks in a conflict where battlefields never really meet.

Since writing Cyber War more than two decades ago, Clarke stresses there's actually a fairly profound interplay between cyber as a domain and the other domains in which kinetic conflict might occur. He believes Russia and NATO have already been leveraging hybrid war tactics. The term is associated with Valery Gerasimov, a Russian General of the Army and the current Chief of the General Staff of the Armed Forces of the Russian Federation, and is defined as a conflict with an interconnected group of state and non-state actors pursuing overlapping goals.

“It means you can achieve your war goals without having to do an invasion like this. Or you can facilitate your invasion by doing other things. What are those other things? Espionage, covert actions, attempting a coup in Kyiv and replacing the government so they wouldn't have to (physically) invade, they could just come in peacefully. Instead of bombing an electric power plant, you could launch a cyber-attack and turn off the power. Instead of putting saboteurs into the country, you pay people to whip up the opposition with lies and propaganda and do it remotely via social media,” adds Clarke. “Leverage disinformation by pretending to be a Ukrainian online and say terrible things about the Ukrainian government. Even go online and organize protests remotely.”

Clarke has seen this tactic work in North America with bold Russian online disinformation campaigns throughout the 2016 and 2020 U.S. presidential elections that targeted right-leaning American voters. And just last month, anti-vaxxer sentiments were stirred by Russian trolls online that led to conspiracy theories in the U.S. and a manufactured Truckers’ Strike in Canada.

“When you look at Russia making hybrid war against the United States, there are two things that they can do. One is cyber-attacks against targeted American companies, or they can be indiscriminate. Russia can introduce a hybrid war of disinformation. It's clear that they are using American identities on the web. Despite the fact that Facebook and Google and others have tried to identify fake personas and bots, it's still happening because it's extremely difficult to stop. I think we should look for them to start doing things in the United States to divert our attention elsewhere. It's not going to be pro-Russia demonstrations; it's not going to be anything to do with Ukraine. The linkage is not going to be obvious,” he says.

Clarke points to the Canadian government, which is currently investigating whether the so-called trucker convoys that tied up Canada much of last month and snarled North American supply chains were inspired by Russian bots, Russian trolls and Russian dark money layered through various filters. He thinks Canada is likely to find that there was a Russian hand there, even though the people who were driving the trucks, many of whom were not truckers since 99% of Canadian truckers had already been vaccinated.

“I think the participants didn’t know they were being utilized by Russia. But they were being utilized by Russia, and we should be on guard for that sort of thing happening in our country,” he warns.

About the Author

Steve Lasky | Editorial Director, Editor-in-Chief/Security Technology Executive

Steve Lasky is a 34-year veteran of the security industry and an award-winning journalist. He is the editorial director of the Endeavor Business Media Security Group, which includes the magazines Security Technology Executive, Security Business, and Locksmith Ledger International, and the top-rated website SecurityInfoWatch.com. He is also the host of the SecurityDNA podcast series. Steve can be reached at [email protected]