OneZero: The first major attack by Sandworm — and what you say is the first global example of cyberwar — was a blackout in Ukraine. You say that Russia was using Ukraine as a testing ground. How so?

Andy Greenberg: Sandworm launched one attack on Ukraine after another, targeting every strata of Ukrainian society, including its media, private industry, government agencies, and critical infrastructure — transportation and utilities. Sandworm wasn’t recognized as the most dangerous group of hackers in the world for so long because they largely confined their attacks to Ukraine. Sandworm was a component of Russia’s larger campaign of abuse against Ukraine, which has included waves of physical invasion, disinformation, and ultimately, disruptive cyberattacks. That digital disruption is aimed at trying to make Ukraine look like a failed state. Trying to make its populous lose confidence in their government. And Sandworm also wanted to test out new cyberwarfare capabilities, to build those capabilities, and demonstrate them to show the West that Russia had these capabilities, but also for its own kind of evolution, for its own advancement. Sandworm was using Ukraine as a testing ground to learn and practice doing things that hackers haven’t dared to do anywhere else in the world.

But Sandworm was also about testing out how the rest of the world would respond — and how far Sandworm could push it.

The story of Sandworm shows that we don’t take cyberattacks seriously unless they hit us in the West. The world watched silently as Russia escalated its cyberattacks on Ukraine, and allowed them to continue with impunity. That’s particularly problematic because this is an area where we’re still trying to establish the red lines for acceptable behavior by different countries. It seemed shocking to me that when Russian hackers turned off the power to civilians for the first time, it was treated as somehow just Ukraine’s problem. It wasn’t something that the U.S. government put out a statement about or punished Russia for — despite the fact that that was exactly the sort of red line that the cybersecurity community has been talking about for years. It was exactly the kind of attack on stability and critical infrastructure that we’ve always feared and hoped to prevent. When it actually happened, no one in the West really said anything, because it was “just Ukraine.”

We need to set ethical rules for states on the internet that apply — regardless of who the victim is.

You talked to the cybersecurity heads of both the Obama and Trump administrations about the failure to take action when it came to Ukraine. What was the rationale?

Tom Bossert (Trump’s former homeland security advisor) did act against Sandworm when NotPetya happened, saying it was unacceptable, and sanctions came eventually. But neither administration saw what Russia was doing to Ukraine as something that required a public reprimand. They both argued, essentially, that the invasion of Ukraine was a problem, but there was nothing particularly problematic about Russia hacking the Ukrainian grid. And, in fact, the U.S. would do the same thing if we found ourselves at war. We would do it in a future cyberwar. We should hold both Russia and ourselves to a rule that we simply don’t attack critical infrastructure of civilians anywhere in the world, even in the context of war.

Cybersecurity is not outside of politics. It’s a central piece of foreign policy. It was significant that the Obama administration chose to call out state-sponsored hacking, and punished certain acts, like the Iranians who attacked American banks, and the Chinese cyberspies who were stealing intellectual property from American companies, and North Korea’s attack on Sony. Those were political acts — the Obama administration tried to set the rules for the internet. But they failed when it came to Ukraine. And the Trump administration failed in different ways. They ignored Ukraine until NotPetya made it everyone’s problem. And there was a component that was tied up with Trump’s personal politics — he didn’t want to hear about Russian hackers, for obvious reasons.

The U.S. has accelerated the arms race by… remaining silent.

Members of Sandworm have been linked to election-related hacking — what could happen in America’s 2020 election? How well is the U.S. protected against election hacking?

If Russia decides to mess with the 2020 election, I would expect that Sandworm, the hyperaggressive hacking group, will be involved. They’re just one of Russia’s groups. Fancy Bear, this other group within the [Russian military intelligence agency] G.R.U., is also likely to be mixed up in any possible election meddling, although Fancy Bear has a history of espionage and influence operations, whereas Sandworm has carried out more disruptive attacks.

We remain vulnerable to most of the same kind of attacks that happened in 2016, and probably more. If we were to see another round of Fancy Bear-style attacks, the leaking operations, we have targets that are soft enough that they could be breached. Political campaigns are complicated and often unprotected targets for influence operations, as we saw in 2016. But if Russia were to decide to do Sandworm-style attacks, we’re talking about disruptive attacks on any number of American targets that could be tied to the election. To confuse things, to try to mess with voter turnout. I don’t expect that Russia will, for instance, attack the power grid in the U.S. without serious provocation. But Sandworm has done much simpler data-destructive attacks. If one of those were to hit ahead of, or on, Election Day, it would have serious implications. Reuters has reported that the Department of Homeland Security (DHS) is worried about that. But it’s hard to create a protective shield around all of those targets that could be messed with in an election. It’s not just protecting government agencies or voting machines or political campaigns — it’s protecting the internet, and all of the stuff we depend on for a normal day in America. It’s not something the DHS can get its arms around.

You argue that the U.S. has not been neutral — that it has, in fact, escalated the threat of cyberwar. How so?

On the most basic level, the U.S. has accelerated the arms race by, instead of speaking out and condemning some of the worst actors, remaining silent. And we even seem to be trying to build or maintain the same capabilities ourselves. We don’t punish things that would violate any sort of “Geneva Convention of the internet” because we want those capabilities. We want that power ourselves. We have done disruptive attacks against specific targets like IRA. And the most important precedent for all of this is Stuxnet, where we demonstrated to the world how powerful a cyber-physical attack could be — something no one had ever seen before. By participating in this, and even sometimes going ahead of our adversaries, doing things that even they had never done before, we have given passive encouragement to the escalation of the arms race.

There’s a direct way that we’ve fueled it: The NSA built a massive arsenal of hacking tools, and they were stolen and leaked in 2016 by the Shadow Brokers, a hacker group, and those tools were used against us in multiple cases. But even before those tools were released, the NSA made the choice to use those hacking capabilities, instead of working with software companies to patch the flaws that they exploited. The NSA chose offense over defense. That backfired enormously because the tools were leaked. But even before then, they left the flaws vulnerable.

It’s especially foolish to be amping up cyberwar when we, in some sense, are the most vulnerable to these kinds of cyberattacks.

Sandworm is a Russian group — but the story is bigger than Russia. What other “Sandworms” could be out there?

There are many countries that have the capabilities to do what Sandworm has done. The U.S. could do it, probably more easily than any country in the world. I’m sure China has capabilities, too. The five English-speaking countries in an alliance — the U.S., Canada, U.K., Australia, and New Zealand — they are willing to spy on everything and carry out the very occasional, targeted cyberattack. But that’s not what Sandworm does. Sandworm is vastly broader and more reckless. It’s willing to attack civilians. If there is another Sandworm out there, it would be working for Iran or North Korea. Those are two states that have shown that they are willing to do disruptive attacks. They do things that are irrational and reckless. North Korea, Iran, and Russia often act like insurgents that want to blow up the current global order, instead of rise up, like China has. These governments that thrive on instability and chaos are, absolutely, the most likely to carry out the kind of attacks that break things.