Despite fears over how Russia would respond to Western sanctions, American and European financial systems have continued humming along with no known major, successful cyberattacks on U.S. banks in the intervening weeks.
Russia has made one counterattack of sorts with its move to
Even before the U.S. imposed economic sanctions on Russia amid its invasion of Ukraine, the country’s top cybersecurity agency
Jason Healey, a senior research scholar and adjunct professor at the School of International and Public Affairs at Columbia University, said the “most important” feature of the war in Ukraine of which American bankers should be aware is that “cyber has not been a major part of this conflict so far.”
“The skeptics emphasize the ‘not been a major part’ while the pessimists stress the ‘so far,’ ” Healey said. “With each day that fortunately passes without an attack, the skeptics’ case feels stronger while the pessimists fear we’re getting overconfident.”
Scholars with the Carnegie Endowment for International Peace
On the other side, a researcher at the Swiss university ETH Zürich
In the weeks since the West announced sanctions against Russia, the tone toward that cyber threat has changed.
The next week, another national-security publication,
According to Healey, Russians “don’t appear to have made major preparations for a cyber assault on Western interests.” They may well have one in place that “may detonate at any moment,” he said, but the impact could be limited, he said. He pointed to the example of
“This would be a bad day for many banks, but most have robust procedures and defenses in place,” Healey said.
But not every observer is convinced, and he added that arguments that a Russian cyberattack would have only limited impact “may underestimate what a bloody-handed tyrant will do when he feels his regime is on its last legs.”
Some pessimists worry that, though Russia has not launched a widely disruptive cyberattack, it may well be in the middle of an ongoing, covert cyber operation against banks. Indeed, one expert argues that an attack that takes place out in the open — like a denial of service attack — would be against Russia’s interests.
“If you're only going to disrupt and annoy, then all you've done is essentially cue the target into its vulnerabilities,” said Thomas Vartanian, executive director of the Financial Technology & Cybersecurity Center, a public policy center advocating for
Vartanian argued that Russia’s strategy could be one whereby the best course of action is similar to one the Soviet KGB
“Fundamentally, the problem is that you don't know what's going on until you know,” Vartanian said. He added that major cyberattacks attributed to Russia, including against Solarwinds and JBS, began as unnoticed intrusions months and even years prior to their public disclosure.
“I guess the question that I would ask myself here is: How do I know that hasn't happened?” Vartanian said.
Even in light of the risks, Healey said, banks are among the most robust in their defenses against a cyberattack.
“Russian attacks may overwhelm some parts of that defense at times if they are particularly brazen, persistent or lucky,” he said. “But I’d personally go long on the finance sector.”
Industry leaders are also projecting cautious optimism about what the weeks of quiet mean for banks, including Teresa Walsh, global head of intelligence for the Financial Services Information Sharing and Analysis Center. She said the center for the past 20 years has been issuing guidance about “proactive measures” financial firms can take to defend themselves.
“Given that the cyber threat landscape has been calmer than anticipated ... this brings some reassurance that the industry is acting on that guidance,” Walsh said.