Russia and Critical Infrastructure: We “Should Not Threaten a Nuclear Power”

The quotation in the title comes from the Russian Foreign Ministry, brushing off UK demands for an explanation of why Russia poisoned Sergei Skripal. That the Russians said this is a good sign that they have not entirely forgotten the risks of attacking the United States.

Before yielding to panic because Russia has been probing the computer networks of U.S. critical infrastructure, remember that Russia has probed critical infrastructure many times in the last five years. What is different this time is that the United States has been much more forthright in its public identification of Russia as the culprit.

Russia has had the capability to destroy critical infrastructure for decades. Russia has been able to launch a nuclear attack that would destroy American infrastructure since the 1960s. In the 1970s, it planted caches of weapons and explosives in the United States to let its agents undertake sabotage operations in the event of war. Now, groups of Russian agents have entered the country for other purposes and could easily undertake an attack.

Capability is different from intent, however, and simply having the capability to cripple critical infrastructure does not mean that Russia will do this. Russian behavior is shaped by its assumptions about benefits and consequences. Clearly the Russians have been able to get away with unprecedented action in the United States and allied countries intended to coerce and, in the case of Skripal and Alexander Litvinenko before him, to punish. Russia may have a sense of invulnerability in these efforts, and from his statements, it appears that Russian president Vladimir Putin despises the West.

A true attack on critical infrastructure, one that disrupted services or caused destruction, is a very different matter, however. Russia may feel that it can manage the risk of murdering its own citizens in another country, but it faces the same constraints on damaging cyber attacks that it faces on using nuclear weapons—that an attack could precipitate a violent and perhaps existential conflict with the United States. So far, Russia’s coercive actions have stayed below the use-of-force threshold (roughly defined in international law) that could trigger a crisis. Russia expects, with reason, that its “gray area” coercive actions that do not cross this threshold do not hold much risk, in part because it has been two years since the actions against the U.S. election, and we have done very little in response.

But the cyber equivalent of an armed attack on critical infrastructure, one that disrupted services or caused physical damage, is much riskier than interfering in an election (whether it should be much riskier is another matter). No U.S. administration would ignore an armed attack. Russia knows the U.S. commitment to international law and how this complicates responding to election interference, but the same complications would not stand in the way of retaliation for an attack on critical infrastructure. The Russians are at least as vulnerable as the United States to this kind of cyber interference, and there is no guarantee that a U.S. response would be confined to cyber.

For the same reasons that Russia has not used nuclear weapons or Spetsnaz to attack the power grid, they should be reluctant to use cyber attack. Despite their rhetorical excesses, the Russians are cautious about entering situations where the risk of punishment is great. This means that the intrusions into critical infrastructure catalogued by the Federal Bureau of Investigation and the Department of Homeland Security are intended for other purposes. This Russian probe and the U.S. response mean that each side is signaling the other, sending an indirect warning about the potential for conflict.

In the Cold War, the United States and Russia flew reconnaissance satellites over each other’s territory to identify targets for nuclear attack. Cyber reconnaissance against infrastructure is similar in that it identifies targets and sends a warning. One nuclear power does not actually damage another nuclear power’s critical infrastructure; the risk is just too great. Russian probing of critical infrastructure in the United States resembles actions against Ukrainian power facilities, which were intended to warn and coerce Ukraine. But the actions against the United States are more subdued. A broad attack on civilian targets in the homeland of a nuclear-armed state creates existential risk for the attacker.

The Russians will only attack if they have decided on war or if they miscalculate the U.S. response (a growing possibility given their recent actions in the United Kingdom and elsewhere). It is more likely, however, that the Kremlin is playing a game of chicken to see who backs down first, and they assume that it will again be the Americans. They probe U.S. infrastructure; in response, the United States goes public on the Russian actions to warn them that they are not invisible and that we are not (completely) defenseless. This is a new kind of conflict created by cyber capabilities, which give countries the ability to manipulate, coerce, and perhaps attack. In this new style of conflict, the issue is not will Russia attack, but how we push back harder to ensure that they do not.

James Andrew Lewis is a senior vice president at the Center for Strategic and International Studies in Washington, D.C.

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2018 by the Center for Strategic and International Studies. All rights reserved.

James Andrew Lewis
Senior Vice President; Pritzker Chair; and Director, Strategic Technologies Program