You’re Not Scared Enough About Sandworm

Weekly Article
Nov. 7, 2019

It’s a two-headed nail-biter: A coarse, unpopular former businessman without much loyalty to his party leadership refuses to concede an election, citing “irregularities.” Meanwhile, the opposing party—not to mention all supporters of democracy—anxiously awaits the results, which threaten to irreversibly undermine faith in the voting process.

In this case, what’s present may be prologue. Kentucky Governor Matt Bevin’s refusal to concede is both natural (the margin is razor-thin) and worrisome (he hasn’t been specific about those “irregularities,” and even his campaign hasn’t followed up). And it’s the exact sort of behavior that might damage the legitimacy of both that election and the entire democratic process.

So imagine if the 2020 presidential election turns into a similar nail-biter—and another coarse, unpopular former businessman raises the same questions.

Now add Russian government hackers.

That’s the scenario lurking beneath the surface of a recent Future Tense event on Andy Greenberg’s new book, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers. Based on his 2018 Wired article, the book traces the devastating impact of Sandworm, the Russian government hacking team that launched the most destructive cyber attack in history.

The NotPetya attack, which cost $10 billion in damage, affected a breathtaking range of industries across the globe—including Maersk, the world’s largest shipping company. When I first read Greenberg’s article, it was one of those moments where the scale is so huge that it actually overwhelmed my fear receptors. It’s not me—it’s shipping companies. It’s terrible—but incomprehensible. Supplies of medicine going bad, computer monitors going black, black, black, just like dystopia porn from Hollywood. Can that really happen? (It just did.) But that’s literally too scary. Can I think about something else now?

Actually, I did think, “This is the same gang that tried to hack the 2016 U.S. election with Facebook ads and other shenanigans. And now they’ve created a weapon that can take down the world’s biggest shipping company, leaving their IT team powerless to stop it. How is the Broward County Election Board gonna prepare for that?!”

Greenberg’s narrative shows just how prepared Maersk was. The virus was able to take down terminals across the company, blowing through even planned redundancies and backup systems. The company got “lucky” when it finally tracked down a remote computer in Ghana that had been off-grid during the attack, thanks to a fortuitously timed power outage.

As for how devastating an attack like that could be on society, Greenberg described during the event a previous Russian attack on Ukrainian systems—from the perspective of an ordinary citizen of Kiev who couldn’t get money from an ATM, couldn’t load up the fare on his subway card, and couldn’t use his credit card at the grocery store.

“There was a disorientation,” Greenberg said, “like he’d lost a limb of his body. He described it as an end-of-the-world movie scenario.”

The attack, noted Greenberg and fellow panelist Peter Singer, a senior strategist at New America, illustrated the sheer inadequacy of any international system of accountability. Greenberg pointed out that well before NotPetya, previous Russian attacks on Ukraine had gone largely unpunished—even as the Obama administration broadcast warnings and called out cyber-attackers in other contexts.

“The first generation of cybersecurity thought we could build up global norms to scare people away from attacking on scale or attacking certain kinds of targets [à la the Geneva Convention],” said Singer. But that didn’t come to pass. The story of NotPetya, observed Singer, was “not that they did it, but that they got away with it.”

Both Greenberg and Singer analogized it to the Spanish Civil War, where Germany was able to both test out military tactics and affirm the reluctance of international players to rein it in. How’d that turn out?

As for U.S. election systems, there’s good news: The technology and responsibility are distributed to myriad states, counties, and election boards, with multiple companies and networks responsible for handling all that data. While this makes it extremely difficult to scale an attack, there’s also bad news: There are a lot of weak points in the system, and if one fails, a politician could easily point to it as, well, an “irregularity”—thus throwing the system in doubt in the eyes of his supporters.

Furthermore, said Singer and Greenberg, even if there existed a system of international norms and accountability, this kind of attack is available to non-state actors—everything from terrorist groups to some random kid with a laptop just looking to make trouble.

So, sure, pay attention to the polls. Be a fan of democracy and hope for a high voter turnout. But remember, somewhere out there, someone might be trying to hack our elections—maybe for profit, maybe because they prefer one candidate over another, or maybe just to screw with democracy. That kind of mindset is genuinely scary when you confront it, and we’ll need more than sophisticated tech to confront it. Here’s hoping we build a system of ideological resilience—one that can do the work an international set of norms has yet to accomplish.