In a Russian cyberattack, how does New Jersey fare?

New Jersey might not be high on the Kremlin’s target list, but with the Russo-Ukrainian War sitting front and center in virtual space, the risk is substantial for New Jersey to feel the pain of the conflict.

Businesses, infrastructure and financial institutions in New Jersey have been warned that they need to bolster their existing cybersecurity.

“We have put in place as good a set of protocols as you can hope for,” Gov. Phil Murphy said during a recent interview with the radio station WCBS 880. “But that doesn’t mean we’re not vulnerable in one form or another.”

A series of bulletins has been put out over the past month by the New Jersey Cybersecurity and Communications Integration Cell — an arm of the state’s homeland security department — warning of an escalation on the cyber front.

The attacks can range from distributed denial-of-service attacks, which can crash a server; to ransomware attacks like the ones that shut down the Colonial Pipeline last spring, or “wiper attacks” that can destroy data and digital records on a targeted machine.

Infrastructure like pipelines and the electric grid, as well as state and local governments or private businesses, could all be at risk, state officials warned — be it from the Kremlin themselves or another nation or group.

Intelligence groups including the NJCCIC and the U.S. Department of Homeland Security have laid out a slew of recommendations for businesses centering on preparedness, building out a response plan and implementing the necessary controls and infrastructure.

“As the crisis in Ukraine continues to escalate, it is likely that Russia’s aggressive cyber activity will increase and spread beyond their initial Ukrainian government, military, energy, and financial targets,” reads an NJCCIC bulletin from Feb. 24, the day Russia began its offensive.

“Russia, and those aligned with its efforts, will continue to conduct disruptive and destructive cyberattacks, cyber espionage, and information operations against Ukraine and any governments or groups supporting Ukraine or opposed to Russia’s invasion of Ukraine,” the bulletin adds.

Tensions rising

In 2017, Russia launched a malware attack against Ukranian’s private sector that quickly spread globally, hitting both the Port of Newark and Kinnelon-based global drugmaker Merck.

A Super Court Judge only ruled last month in favor of Merck’s $1.4 billion insurance claim following the attack, known as NotPeya. Merck’s insurers attempted to deny the claim, saying that the cyberattack constituted an act of war and was not covered by their policy, but the courts disagreed.

“The U.S may very well experience a cyber attack surge from Russia state sponsored groups in retaliation of economic sanctions imposed by the U.S. and its allies,” remarked Karen Painter Randall, a partner and chair of the cybersecurity practice at the law firm Connell Foley.

“Reportedly, Russian threat groups have been performing reconnaissance against U.S. electric and natural gas sites for the last few months,” continued Randall, a speaker at a recent NJBIZ cybersecurity panel.

The combination of Russia’s stalling advance into Ukraine — and the cascade of economic sanctions, like the removal of several major Russian banks from the international SWIFT financial system — could prompt more severe responses from the Kremlin, warned some cybersecurity analysts.

“Putin/Russia getting completely isolated economically & diplomatically,” tweeted Dmitri Alperovitch, a former Russian national and former chief technology officer at the cybersecurity firm CrowdStrike. “The danger: Putin has very little to lose now. He is cornered. May go all out on economic and cyber retaliation.”

One possible target: the slew of online coworking products like Zoom and Microsoft Teams that businesses have come to rely on amid the pandemic, suggested Reza Curtmola, a professor and faculty member at the Cybersecurity Research Center at the New Jersey Institute of Technology.

“Pretty much everything is connected on the internet today,” he said. “We are not in a good state. I’m sure if a foreign power would seriously want to cause harm, they would be able to.”

For New Jersey’s banks, and the many financial institutions in New York City and Philadelphia that utilize New Jersey infrastructure, there’s the prospect that a cyberattack could likewise wield a major spillover into the Garden State.

“I know [financial institutions] stress test for cyberattacks, but I think they stress [test] for more like rogue actors,” said Michael Affuso, executive vice president and director of government relations at the New Jersey Bankers Association. “I don’t necessarily think that a rogue actor has the available infrastructure that a nation-state would have.”