OHIO — While physical attacks by Russia threaten Ukraine, another threat looms for Ukraine and its western allies — hacking.


What You Need To Know

  • Experts, like C. Matthew Curtin, said companies and consumers need to be prepared for cyberattacks from Russia
  • Companies need to make sure they’re not exposing vulnerable systems that can be exploited
  • C. Matthew Curtin is a computer scientist and cybersecurity expert who founded Interhack Corporation
  • Curtin said people should be careful if using devices connected to the internet that have access to audio and video of their homes

Russia's foreign intelligence service has been linked to cyberattacks in the past, like in April, when the U.S. Treasury Department declared them responsible for the massive Solarwinds data breach, which impacted firms like Microsoft and top government agencies.

The Biden administration also sanctioned a Russia-based cybersecurity company for allegedly providing offensive hacking tools to Russian intelligence services.  A few days ago, Britain warned of potential Russian cyberattacks with worldwide repercussions.

C. Matthew Curtin, a computer scientist and cybersecurity expert who founded Interhack Corporation in Columbus, believes that it is certain that the United States will face cyberattacks from Russia. 

“The possibility is more of a certainty,” Curtin said. “It’s not even something that’s been happening new in the last week. This is a frontier that Russia has been using, and so attacks have been happening — they will continue to happen. So it’s not a question of ‘if,’ it’s a question of ‘how much’ and ‘what the targets will be.’”

Curtin said trying to avoid being attacked is futile for companies. 

“Avoidance is not the issue. You cannot stop someone from attacking you. The question is going to be how you can be prepared to defend yourself in the event of an attack,” he said. “That means that you have to be hard as a target.  You need to be able to understand what the threats are and make sure that your front line people understand how not to be taken advantage of. 

“You need to make sure that your systems that are internet facing are hard, they’re not exposing vulnerable systems that can be exploited and then you need to make sure you follow through with all of the training with the people and with the technology so that they’re working together and continue to update. You can’t just turn something on.  You can’t just install something or create a patch that’s going to fix it.  It’s a matter of maintaining a secure posture.”

But companies are not the only ones that should be vigilant. Curtin cautions people with the use of devices connected to the internet that have access to audio and video of their homes. 

“One of the big things is, just don’t assume that something is necessary just because it’s new,” Curtin said. “The question that you’ve got this great Alexa thing in your house and it’s so wonderful to have it to turn on the TV or whatever.  It’s a bug that you’ve put in your house. It’s an audio feed that you’re giving back to a third party.  If you’ve got a camera that ostensibly using for security and it’s being provided by a cloud service that means that somebody has a view into whatever you’re able to see as well.”

Curtin said people don’t need to have all their devices connected all the time. 

“And it makes a lot of sense for us to think about what kind of posture we want to maintain,” he said. “We can say no and we often should say no when we don’t. So maybe it’s a good idea to think about the way that we’re accessing these systems.  In some cases we’re going to decide no, they’re not worth the risk and we need to stick to that plan. 

He said if a user decides the device or service is worth the risk, they need to protect themselves and take precaution.

“If something is something that we want and we decide that it is worth the risk, we need to make sure that we are protecting it by having good authentication credentials, a good password combined with some kind of a secondary authentication system, a one-time code for example, and we need to make sure that we are behaving in a way that we are not giving away information needlessly,” he said “Which probably means we want to restrict the number of parties that we’re doing business with online, the number of services we connect to, the number of accounts that we have and maybe that means that we manage our relationships a little bit better.”