Eisenhower Executive Office Building — With Russian President Vladimir Putin accelerating war efforts and threatening to use nuclear weapons, White House Bureau Chief Patsy Widakuswara spoke with Anne Neuberger, deputy national security adviser for cyber and emerging technology at the Biden administration’s National Security Council, on the possibility of increased cyber warfare on Ukraine and her allies. Neuberger also spoke of the recent Iranian cyberattacks on Albania, and the administration’s view of NATO’s collective defense principle in cyber warfare.
This interview has been edited for brevity and clarity.
VOA: Anne Nueberger, thank you so much for joining me all today. I’m going to start with Russia. President Vladimir Putin has significantly increased his war efforts. He’s announced mobilization, referendums, threatening nuclear attacks. Are we also expecting an increase in cyberattacks?
DEPUTY NATIONAL SECURITY ADVISER FOR CYBER AND EMERGING TECHNOLOGY ANNE NEUBERGER: So first, thank you so much for having me here. It’s really great to be here. Throughout the conflict, beginning when Russia first did its further invasion of Ukraine, we’ve seen Russia use destructive cyberattacks as well as intelligence collection to advance its war mission. We saw the initial destructive attacks on satellite systems, then later on Ukrainian government systems and additional critical infrastructures systems. So one would expect that as Russia further redouble its efforts, that will include cyberattacks as well.
VOA: Have you actually seen indications of it starting?
NEUBERGER: Of additional cyberattacks?
VOA: Of cyberattacks, yes.
NEUBERGER: It’s been a consistent part of Russia’s war effort in Ukraine. So it’s something we expect. Do we have particular indications of an increase in that way at this time? We don’t.
VOA: How are you helping the Ukrainians defend themselves?
NEUBERGER: Such a great question. So beginning back when Russia first invaded Ukraine in 2015-16 and conducted disruptive cyberattacks against Ukraine’s energy infrastructure, we began to work with Ukraine to really strengthen the resilience of its critical infrastructure. That partnership continued up through the months as we were concerned about heightened war activity, and that included work on cybersecurity resilience of critical infrastructure, included our sending in a team from the U.S. Cyber Command, again to work on cybersecurity, teams from the Department of Energy working closely to improve resilience, and ongoing information sharing regarding tactics and techniques used to conduct malicious cyberattacks. So that remains an ongoing partnership all the way from resilience efforts to practical information sharing to help defense systems.
VOA: Are you also working in terms of strengthening their counterattack systems?
NEUBERGER: We’re very focused on cybersecurity resilience systems.
VOA: In that sense, whether it’s a terrorist offense or counterattacks, we’re hearing a lot about this volunteer hackers called the Ukrainian IT army, and I want to hear what your sense of how good and how successful they have been in deterring or thwarting or even stopping Russian attacks. And what kind of support is the administration providing them?
NEUBERGER: We’ve seen quite a bit of volunteer hacking activity with regard to Ukrainian activity to defend accounts. I don’t think we have really good insights in terms of understanding what’s Ukrainian government versus volunteer hacking activity. And, of course, our assistance is government to government. With regard to, as I mentioned earlier, some of the cybersecurity activities assisting the Ukrainian government to build and strengthen its resilience and its defense.
VOA: So just to be clear, your support and your interaction is with the Zelenskyy government, not with groups outside who are also supporting them, like the Ukrainian IT army.
NEUBERGER: Yes, our support is really, along with all of our security systems, government to government.
VOA: You mentioned earlier that, you know, the Russian attack has been consistent. And we also heard that there’s been warnings of major Russian cyberattacks on Ukrainian infrastructure – critical infrastructure. At the beginning or before the start of the war, we heard warnings that that’s how the war is going to start. I’m not quite sure that actually did happen. And in fact, throughout the war, we haven’t really heard any kind of major cyberattack that’s actually crippling Ukrainian critical infrastructure. Is that the case or are we just not hearing about it? What are your thoughts on this?
NEUBERGER: It’s a good question. So first, as Russia began its further invasion of Ukraine, we did see Russia conduct a destructive attack on Ukrainian communication systems, satellite communications systems, the ground parts, as well as on Ukrainian government websites and government systems. That initial attack, the Ukrainians were able to quickly recover and bring back up those systems. The U.S. government, because there was a ripple effect across Europe from their first Russian destructive attack on communication systems, the U.S. government and the European Union called out that activity and said this is irresponsible activity, but the Ukrainian government was able to quickly recover those websites and quickly recover from those destructive attacks, which is really a tribute to all the cybersecurity resilience and focus they put on improving the security of their systems, disconnecting their energy grid from the Russian grid, reconnecting to the European grid and the work they had done to really harden that. So that preparedness and frankly that partnership between various countries assisting the Ukrainians on that work, although the Ukrainians really led that work, was key to their defense. There have been ongoing Russian cyberattacks. The Ukrainians have been very successful at, you know, catching those, and really remediating and addressing them quickly so that they didn’t have significant impact.
VOA: Is the support given to them, government to government, U.S. to Ukraine, or is it also through NATO?
NEUBERGER: The support is from individual governments, the U.S. government, the European individual governments are providing various cybersecurity assistance.
VOA: OK, on the flipside, what do we know about the Russian cyber operations support? I mean to what extent is Russia getting support from other countries? Do we see a strategic alignment in terms of cyber warfare between Russia, China, North Korea, Iran?
NEUBERGER: Russia has a very capable cyber program and one of our focus areas both for the U.S. and for the Europeans has been to really improve our own preparedness, to ensure we lock our doors, lock our digital windows so that we can prepare in case there are heightened Russian cyberattacks as well. So it’s clearly been a focus for us on the U.S. side.
VOA: Have we seen so far that there are strategic alignments or at least tactical alignments between these adversaries in cyber warfare?
NEUBERGER: In the cyber context, no, we haven’t.
VOA: The war in Ukraine is the first conflict where we see some sort of coordination between cyberattacks and kinetic military assault. So in that sense, what are we learning about this hybrid warfare and what are we learning about the Russian capabilities in that realm?
NEUBERGER: I think we’re fundamentally learning that as countries think about their national defense for crisis or conflict, the digital systems they operate at, whether they’re individuals, whether they’re companies, whether they’re governments … need as much to be defended, and the preparation work to understand what are the most important components of your power systems, your water systems, your oil and gas pipelines, and ensuring that they’re up to snuff. The cybersecurity is capable to defend against a capable adversary. And that’s the core message. That doesn’t happen in a moment because these elements of critical infrastructure were digitized in many countries without necessarily considering security baked in at the beginning. And that’s one of the reasons in the U.S. and with partners around the world we’re working to quickly improve the security of critical infrastructure, recognizing that it’s a component of adversaries work in crisis and conflict to either coerce a population, or coerce the government by potentially destabilizing or disrupting digital systems.
VOA: I want to talk some more about what the U.S. is doing in terms of building this responsible state behavior in the cyber realm, but first I just want to talk a little bit on this Iranian cyberattack on Albania. The administration has slapped fresh sanctions on Iran as punishment, yet that didn’t stop them from launching a second attack. Are we not doing enough? Is there nothing else that we can do to deter them and how are we helping the Albanians?
NEUBERGER: It’s such an interesting question. So cyber deterrence is a very new field, and it draws on lessons and the approach we’ve used in other domains, sea, air. How do we build coalitions among countries regarding what’s responsible state behavior in cyberspace and what’s irresponsible because it’s one global commons at the end of the day. Many countries signed up for the United Nations voluntary norms for peacetime, which include a number of norms, and that was signed in both 2015 and 2019. One of those includes not disrupting critical services. And as such, in order to make forms actually be enforced, it requires countries and as big of a coalition as possible to call out behavior that’s not in alignment with those norms, and when possible to impose consequences. So that’s the reason that when we saw the Iranian government’s attack on the Albanian government, really disrupting Albanian government services for quite a period of time to their citizens, we and other countries came together to call out that activity, to say to the Iranians – to attribute it to the Iranians, and then to impose consequences. The Albanian government imposed consequences, we, the U.S., sanctioned the chief and deputy of an Iranian entity as well. And we do that as part of building cyber deterrence. It won’t happen in one or two cases. It happens if repeatedly, quickly, we did this far more quickly than in the past. Also, to achieve those strategic goals of enforcing international cyber norms. But if we do this repeatedly, as a community of countries, we believe that can build cyber deterrence.
VOA: The fact of the matter is, as you’re trying to build these international cyber regimes, there is no consensus at the U.N. Security Council, obviously Russia and China are a part of it. There are U.N. frameworks that cannot be enforced. So under these circumstances, how do you move forward?
NEUBERGER: So Russia is one of the countries who signed the 2015/2019 Governmental Group of Experts norms. So countries that have agreed to those norms, the key we believe is enforcing those norms. And we believe, as I mentioned, that it’s each time, time by time, pointing to countries when they conduct behavior that’s not aligned with those norms, and then continuing to deepen that coalition so that more countries join it, we do it more quickly, and then we eventually mature to also impose consequences. So we believe it will take some time, but those are the steady steps we’re taking along with partners and allies.
VOA: And so that is behind the strategy of this name and shame that you’re applying?
NEUBERGER: It’s part of a broader strategic effort of moving to where we say, in this global shared space, that is cyberspace, where we need collective defense. One key aspect is, as you noted, improving cybersecurity resilience, locking our digital doors, one key aspect is gaining agreement among countries of what is not appropriate behavior – the framework for responsible state behavior in cyberspace and gaining agreement among more countries to enforce those.
VOA: Beyond your Western allies, is there an understanding of the need to do this from, you know, the rest of the world?
NEUBERGER: We believe so, because in many ways, the weaker countries are the ones who are most vulnerable to being coerced via cyberattacks on their government systems, cyberattacks on companies or theft of intellectual property in that way. So we believe it’s in all countries’ interests, whether large or small, because we’ve all digitized. Clearly, some of us have digitized more than others, but we’ve all digitized to where there’s risk to our citizens if critical services are disrupted or if governments are disrupted in moments of crisis.
VOA: I’m going to go back to Iran and Armenia real quick. Groups associated with Iran penetrated various systems in Armenia, including the prime minister’s emails. Are you concerned that Iran may have gained access to sensitive NATO data via this breach? I mean we also heard about Portugal recently where hundreds of NATO documents may have been stolen as well.
NEUBERGER: So clearly, good cybersecurity practices are needed among all NATO members, right? Every member of NATO has to recognize that they bring risks to the broader member if they don’t put in place adequate cybersecurity practices. That’s one of the reasons that we’ve been working very closely in the NATO context in terms of cybersecurity, and to build incident response capability at NATO to mature NATO cyber capabilities, because, as I mentioned earlier, clearly more work needs to be done. You’ve cited a couple of examples that highlight the need for it. I think there’s now a much deeper recognition at NATO and a much deeper recognition to bring allies together to have in place common thresholds of cybersecurity, for important information.
VOA: And still on NATO, as a NATO ally both Albania and Portugal are technically protected under the collective defense principle. So can you explain what the administration’s view of NATO’s principle, an attack on one is an attack on all, in terms of cyber warfare? At what point does a cyberattack merit a counterattack? Are there any criteria? Is there a red line?
NEUBERGER: So this is an area of evolving policy. It’s a very new area. You’ve seen NATO’s policy that one or more cyberattacks could rise to the level of an armed attack. Clearly, that’s a very high threshold of what that is. The work we’re doing at NATO is focused on, first, cybersecurity resilience. There’ll be a NATO Cyber Defense Pledge conference in Rome that will focus both on what are the standards that NATO members have in place for their critical systems, building an incident response capability at NATO so if an ally is attacked, there is a NATO capability that countries can come together and virtually offer support, as well as then using that as an alliance to enforce international norms, but that’s an area we’re still working to evolve.
VOA: One last question on behalf of the VOA audience who may live in countries where there’s not a lot of internet penetration. Why should they care about cybersecurity?
NEUBERGER: In each of our lives, there’s data that’s really important to us, and there is information related to our work, and our country’s economies that are important to the continued growth of our economies and jobs. So there’s easy steps we can take to ensure that our data is safe and, frankly, our families and our children are safe online as well. And that’s really the core reason: that there’s really more – there is connectivity. Countries want to be connected because of the opportunities, the jobs, the commerce that it enables, so building security in from the beginning is the best way to be safe online.