U.S. banks haven’t had a ‘digital Pearl Harbor’ yet. Is one coming?


Despite fears over how Russia would respond to Western sanctions, American and European financial systems have continued humming along with no known major, successful cyberattacks on U.S. banks in the intervening weeks.

Russia has made one counterattack of sorts with its move to sanction President Biden and other top U.S. officials in a largely symbolic clapback this week, but the constant drone of hacking attempts on American targets has remained largely stable.

Even before the U.S. imposed economic sanctions on Russia amid its invasion of Ukraine, the country’s top cybersecurity agency warned of a heightened threat of cyberattacks. Though many experts agree the threat remains, they disagree over its severity and why exactly Russia has not launched any major cyberweapons.

Jason Healey, a senior research scholar and adjunct professor at the School of International and Public Affairs at Columbia University, said the “most important” feature of the war in Ukraine of which American bankers should be aware is that “cyber has not been a major part of this conflict so far.”

“The skeptics emphasize the ‘not been a major part’ while the pessimists stress the ‘so far,’ ” Healey said. “With each day that fortunately passes without an attack, the skeptics’ case feels stronger while the pessimists fear we’re getting overconfident.”

Scholars with the Carnegie Endowment for International Peace argued in 2017 that a “Digital Pearl Harbor” — a cyberattack targeting the weakest points of the nation’s critical infrastructure — was a real and dangerous possibility because governments, militaries, and civil society are widely dependent on cyberspace. Senior executives at several banks recently told the Financial Times they were concerned about Russia attacking Swift, the international payments network.

On the other side, a researcher at the Swiss university ETH Zürich said last year that cyber war operations “tend to fall short of their promise.”

In the weeks since the West announced sanctions against Russia, the tone toward that cyber threat has changed.

The National Interest published an article Feb. 28, four days after Russia’s invasion, that said the lack of cyberwarfare against Ukraine was “hard to understand and should cause us to worry.”

The next week, another national-security publication, Defense One, reported that one possible explanation for why Russia hadn’t attacked Ukraine’s internet infrastructure was that the invaders were relying on the network amid the attack.

According to Healey, Russians “don’t appear to have made major preparations for a cyber assault on Western interests.” They may well have one in place that “may detonate at any moment,” he said, but the impact could be limited. He pointed to the example of Operation Ababil, a series of denial-of-service attacks on U.S. financial institutions attributed to Iran.

“This would be a bad day for many banks, but most have robust procedures and defenses in place,” Healey said.

But not every observer is convinced, and Healey added that arguments that a Russian cyberattack would have only limited impact “may underestimate what a bloody-handed tyrant will do when he feels his regime is on its last legs.”

Some pessimists worry that, though Russia has not launched a widely disruptive cyberattack, it may well be in the middle of an ongoing, covert cyber operation against banks. Indeed, one expert argues that an attack that takes place out in the open — like a denial-of-service attack — would be against Russia’s interests.

“If you're only going to disrupt and annoy, then all you've done is essentially cue the target into its vulnerabilities,” said Thomas Vartanian, executive director of the Financial Technology & Cybersecurity Center, a public policy center advocating for a major overhaul to the regulations that govern fintech and cybersecurity.

Vartanian argued that Russia’s strategy could resemble one the Soviet KGB employed before 1986, when it worked through a group of young German hackers to infiltrate a Berkeley lab and military and government agencies across the U.S.

“Fundamentally, the problem is that you don't know what's going on until you know,” Vartanian said. He added that major cyberattacks attributed to Russia, including against SolarWinds and JBS, began as unnoticed intrusions months and even years prior to their public disclosure.

“I guess the question that I would ask myself here is: How do I know that hasn't happened?” Vartanian said.

Even in light of the risks, Healey said, banks are among the most robust in their defenses against a cyberattack.

“Russian attacks may overwhelm some parts of that defense at times if they are particularly brazen, persistent or lucky,” he said. “But I’d personally go long on the finance sector.”

Industry leaders are also projecting cautious optimism about what the weeks of quiet mean for banks, including Teresa Walsh, global head of intelligence for the Financial Services Information Sharing and Analysis Center. She said the center for the past 20 years has been issuing guidance about “proactive measures” financial firms can take to defend themselves.

“Given that the cyber threat landscape has been calmer than anticipated ... this brings some reassurance that the industry is acting on that guidance,” Walsh said.
