The Future of Russian Cyber: With a Bang or a Whimper

This post is written by Dr. David Bibighaus, Assistant Professor of Cybersecurity and Computer Science at Messiah University.

In many respects, cyber in 2022 has been the year of the dog not barking.  The war in Ukraine has been the most significant story of 2022.  Given Russia previously demonstrated capabilities in cyber and its willingness to use those capabilities, the lack of major cyber events tied to the Ukraine war has been puzzling.  To help think through this issue, we will briefly discuss three questions whose answers could have major implications for the future of Cyber defense.

  1. Why has Putin not launched significant cyber-attacks on Ukraine?

There are several possible answers.  The first is that the cyber forces were not included in the operational planning.  Under this hypothesis, cyber-attacks are most effective in the run-up and initial stages of the war.  If the cyber forces were not included in the initial operational planning, there may not have been a good time to insert cyber-attacks when they would be most impactful.  There is some evidence to this hypothesis.  It seems that planning for this “Special Military Operation” was kept to an absolute minimum.  Even most of the front-line Russian soldiers had no idea that they would be fighting until they crossed into Ukraine.

A second possible answer is that the Russians may have inadvertently undermined the effectiveness of their cyber-weapons in Ukraine.  Andy Greenberg, in his book Sandworm, has done an excellent job documenting the Russian development of cyber weapons against critical infrastructure.  Russia has spent the last six years using Ukraine as a trial run for these capabilities.  However, as Russia has tested these weapons on Ukraine, the Ukrainians have had to learn how to operate their critical systems in the face of a cyber-attack.  It is possible that when Russia unleased its Industroyer malware on the Ukrainian power grid in 2016, it unintentionally hardened that system so that future versions of that malware would be less effective.

A final possibility is that Russia’s cyber-forces were needed elsewhere.  Russian military doctrine makes no distinction between influence operations and cyber operations.  One of the stunning outcomes of the invasion was the spontaneous response by hundreds of multi-national corporations.  Suddenly McDonalds and Visa had a foreign policy that impacted the lives of virtually every Russian citizen.  Under this hypothesis, Russian forces that may have been used to conduct cyber-attacks could have been redirected to perform influence operations at home and abroad.   

2. Will Russia give up on cyber?

Many of the best and brightest young people in Russia with technical skills served in Russia cyber forces. For the men, it is a valid way to fulfill their military obligation without the unpleasantries that can accompany military life (women are not required to serve in the Russian Armed Forces). This loophole has impacted the cyber landscape by training more Russian hackers than would normally be expected for a country of its size. But can this continue? The war has revealed a desperate Russian need for military manpower; and especially intelligent and capable young people who can serve as junior officers.

Unless the tide of the war shifts dramatically in Putin’s favor, Russia may decide to dramatically reduce the number of those serving in the cyber forces. If so, it will have major implications for the future of cyber defense, as a significant pool of talented, well-trained nefarious actors could suddenly dry up.

3. Will Putin Use Cyber-Weapons on the West?

As of this writing, the War in Ukraine continues to go against Russia, to the point where the use of tactical nuclear weapons is being actively discussed. Might Russia elect to use a cyber weapon against the West before it elects to use such a weapon? Russia could use the sabotage of the Nord Stream pipeline as a justification to unleash a cyber-attack on the West’s critical infrastructure. But this course of action would present significant risks. A cyber-attack could cause short-term economic damage to the West. However, it is unlikely to have long-term impact on the Ukrainian battlefield other than hardening western resolve and possibly resulting in the West providing more material aid against Russia. 

No matter what happens, this war will be studied by nation-states for decades to come as a case study for when and when not to use cyber-weapons. How Russia chooses to answer the three questions posed here will impact the cyber landscape for a least a generation.

Image by Philipp Katzenberger, via unsplash.com

Dr. David Bibighaus grew up in upstate New York and completed his bachelor’s degree in electrical engineering from the United States Air Force Academy. He served in the Air Force for twenty-one years as a computer systems developmental engineer. Some of his notable assignments in the Air Force include serving as a Systems Engineer with the Military Satellite Communications division in Los Angeles, as a Crew Commander with the 33rd Information Operations Squadron in San Antonio Texas, as the head of the Cyber Defense Branch of the Air Force Research Laboratory in Rome New York, as an Electronic Warfare Officer with Task Force Paladin in Afghanistan, and as the Deputy Head of the Computer Science Department of the United States Air Force Academy. Dr. Bibighaus worked for Booz Allen Hamilton as a Senior Lead Engineer advising the Air and Space Forces on ways to improve the cyber security of their operational systems. Dr. Bibighaus joined the faculty of Messiah in 2022. He is interested mentoring young people and creating sustainable engineering solutions for the developing world. He enjoys spending time with his wife and three daughters, wood working, role playing games, and traveling.

Meet Our New CYSE Program Faculty

The Cybersecurity Education Program and the Department of Computing, Mathematics, and Physics welcome our newest faculty member, Dr. David Bibighaus, as Assistant Professor of Cybersecurity and Computer Science. Prior to joining the department, Dr. Bibighaus served as Senior Lead Engineer at Booz Allen Hamilton, advising the Air and Space Forces on ways to improve the cyber security of their operational systems.

Dr. Bibighaus grew up in upstate New York and completed his bachelor’s degree in electrical engineering from the United States Air Force Academy. He served in the Air Force for twenty-one years as a computer systems developmental engineer. Some of his notable assignments in the Air Force include serving as a Systems Engineer with the Military Satellite Communications division in Los Angeles, as a Crew Commander with the 33rd Information Operations Squadron in San Antonio Texas, as the head of the Cyber Defense Branch of the Air Force Research Laboratory in Rome New York, as an Electronic Warfare Officer with Task Force Paladin in Afghanistan, and as the Deputy Head of the Computer Science Department of the United States Air Force Academy.

Dr. Bibighaus joined the faculty of Messiah in 2022. He is currently teaching Computer Programming I, Information Systems and Managers, and Network Security. Dr. Bibighaus is interested in mentoring young people and creating sustainable engineering solutions for the developing world. He enjoys spending time with his wife and three daughters, wood working, role playing games, and traveling.

WiCyS Student Chapter Holds First Event

Messiah’s WiCyS (Women in Cybersecurity) student chapter started an exciting new tradition in October! Operating through Messiah’s Computer Science Club, the group held the University’s first CTF event. CTF’s, or Capture-The-Flag events, are cybersecurity competitions that develop participants’ hacking and problem-solving skills. The challenges involve finding a random string of characters, referred to as the flag, hidden inside a computer system. For this event, the competition involved cryptography, breaking password hashes, using basic Kali Linux tools, and more. The event took place in Messiah’s new, state of the art Cyber Center, and the WiCyS club partnered with the Games Club to provide food, a fun atmosphere, and a great community. They hope to continue these events each semester as the club grows.

Compromised Passwords and Turning Off Hackers

Did you know that cyber criminals, aka the “bad guys”, have more than 15 billion compromised passwords[1] to choose from when trying to break into your system?  And where, you may ask, do these compromised passwords come from? 

One infamous password collection—dubbed “RockYou2021”—is thought to be a compendium of passwords cobbled together from data breaches[2].   It is estimated that this list is comprised of over 8 billion legitimate passwords collected from a series of data breaches that included username/password combinations. 

Given the size and scope of the leak, anyone who does anything online should check if their passwords were compromised. To check whether your password is safe, there are several free and easy options you can use. They include:

Since the databases that each of these resources uses are likely not identical, it would be smart to check as many as possible just to cover all your bases.

So, before you grumble about having to use some form of multi-factor authentication (MFA) you may want to make sure your current password hasn’t been hacked.

And for those of you who don’t know what MFA is, here is a quick overview.  As the name implies, MFA blends at least two separate factors. One is typically your username and password, which is something you know. The other could be:

  • Something you have. A cellphone, keycard, or USB could all verify your identity.  Often it is an app on your phone that provides a one-time password, otherwise known as an OTP.
  • Something you are. Fingerprints, iris scans, or some other biometric data prove that you are who you say you are.

MFA is a great “hacker turnoff”. So, even though it means that it might take a second longer to sign in, remember your hacked password and thank your IT Security director for that added little bit of protection MFA provides.


[1] https://www.okta.com/identity-101/why-mfa-is-everywhere/

[2] https://www.consumeraffairs.com/news/new-84-billion-password-hack-breaks-records-060821.html

Post written by Vinny Sakore, Director of Cybersecurity Education at Messiah University. Vinny spent 20+ years in the information technology and cybersecurity field. His industry experience includes serving as Verizon’s HIPAA Security Officer and stints as Chief Technology Officer for two healthcare technology companies. He continues to remain active in the industry by providing consulting services to a number of organizations including NetDiligence, Inc. (www.netdiligence.com).

Photo credit: George Prentzas via unsplash.com

How To Thwart Hackers: Tips From MU’s Information Security Director

This is the final post for Cybersecurity Awareness Month from Messiah University’s Information Security Director, Allen Snook. We appreciate him and the Cybersecurity interns lending their expertise this month for the #seeyourselfincyber campaign, giving us tips and resources for safeguarding our information online.

Internet scams are nothing new. Since the 1980’s, hackers have been attempting to gain illegal access to networks and systems in order to obtain sensitive information. They are after your identity, the contents of your email, and your financial data (they don’t need to know how much is in your bank account to want to gain access to it). Phishing emails are one way they attempt to steal this information from you.

If you’ve been following our other blog posts for Cybersecurity Awareness Month, you might recall some of the tips we’ve given for keeping your personal information safe, such as developing strong passwords, updating your apps, and avoiding oversharing on social media. In this post, we wanted to share further measures for safeguarding your information in order to thwart malicious hackers.

  1. Think before you click. More than 90% of successful cyber-attacks start with a phishing email. If you receive an email from a person or a company you are not familiar with, do not click any of the links or attachments (no matter what they’re promising in their message). Pay close attention to the details and verify the sources before you click on anything.
  2. Create and use strong passwords. See our previous post on this.
  3. Try not to connect to public Wi-Fi networks. Although they are convenient, they are often vulnerable to cyber criminals.
  4. Secure your devices. Be sure to update security software, operating system software, internet browsers and apps. You could also install an antivirus software to help combat viruses, malware, etc. 
  5. Back up your data. Make extra copies of your files so that if something happens to one of the files, you still have your backups. One way to do this is by saving information in the cloud or to an external storage device. 

All of this is to say: Be proactive. You can ensure that you and your organization are a secure place online by taking the initiative to safeguard your information. We hope these tips equip you to do that.

#seeyourselfincyber #messiahcyber

Image by Mikhail Fesenko, via Unsplash.com

Think Before You Post: Tips From MU’s Information Security Director

In an age where it’s popular to share many aspects of our lives online, we need to consider the dangers that can occur with freely dispensing information about ourselves. Oversharing online can put any one of us at risk of fraud, as identity thieves and hackers use the information we post to study us or to steal our identity. We should not give out an excessive amount of personal information, especially in a way that might be considered inappropriate or dangerous to us and those around us.

It is important to remember that nothing posted in a public forum is ever truly private. THINK BEFORE YOU POST! Here are a few specific tips to keep in mind:

  • Do not share your current location. This can mean turning off location-based apps.
  • Do not share sensitive information. This makes it easier for individuals to gather information about you. Examples of sensitive information are names of your family members, phone numbers, and birthdays.
  • Be careful what is in the background when you post. Be mature.
  • Not everything needs an account.
  • Sharing too much can result in cyberstalking. 
  • Review your privacy settings. Privacy settings can vary on social media platforms, so be sure to familiarize yourself with the settings on every platform you use. 

Want to know what’s out on the web about you? Simply search for yourself online. Doing this will allow you to see what other people can find out about you. You might be surprised at just how much information about you is public. 

We encourage you to be proactive in protecting your information. One of the ways to do this is to think about what you’re posting online before you post it. Avoiding the popularity of oversharing is a safety principle that can mitigate the risk of being a victim of cyber crime.

#seeyourselfincyber #messiahcyber

Post written by Allen Snook, Director of Information Security at Messiah University, and Cybersecurity interns.

Photo credit: Christina @ wocintechchat.com via Unsplash.com.

Strong Passwords: Tips From MU’s Information Security Director

Passwords are one of the first lines of defense in keeping your information safe online. When it comes to password protection, think in terms of layers. In this post, we want to outline some ways you can double, even triple, your login protection.

When creating a password, try merging three uncommonly used words (example: staple, sentinel, orangutang). Then, add numbers to your newly merged word. Per NCCIC guidance, we suggest a total of 16-30 characters. Avoid using personal data when creating your password. Doing so will give hackers too much information should your password ever show up in a security breach.

You can add another layer of protection to your passwords by not re-using them. Having different passwords for various accounts can help prevent cyber criminals from gaining access, thereby protecting more of your information in the event of a breach.

We recommend that you do not share your passwords with anyone. Every time you share a password it opens more ways with which it could be misused or stolen.

A few more important layers of protection we recommend implementing are:

  • Using multi-factor authentication whenever provided.
  • Using fake, non-personal answers to security-questions.
  • Managing your passwords by saving them in a list that is not on a cloud or in your google-drive. This allows you to make more diverse, creative passwords.

Creating passwords with these tips in mind is an easy way to improve your cybersecurity. This multi-layered approach to password protection allows you to put cybersecurity first across all your devices.

#seeyourselfincyber #messiahcyber

Post written by Allen Snook, Director of Information Security at Messiah University, and Cybersecurity interns.

Photo Credit: Christina @ wocintechchat.com via unsplash.com

Make Your Apps More Secure: Tips from Messiah University’s Information Security Director

When it comes to safeguarding your information, don’t forget about all the information stored on your apps. Here are a few simple steps you can take to increase your cybersecurity when it comes to app usage.

  1. Update often: Updates are important. Not only do they provide new features for the app, but they ensure you are using the most current security technology.
  2. Review your app settings for privacy changes after updates: Sometimes new data and information are being accessed without your permission. Therefore, take a moment to review the privacy and security settings of your apps after updates.
  3. Be aware of apps requesting one or more of these “dangerous” permissions.
    • Body sensors
    • Calendar
    • Camera
    • Contacts
    • GPS location
    • Microphone
    • Calling
    • Texting
    • Storage

When it comes to app permissions, you should avoid permissions that aren’t necessary for an app to work. If the app shouldn’t need access to something, such as your camera, location, or contacts, don’t allow it. Consider your privacy when deciding whether to avoid or accept an app permission request. Check your app permissions and use the “rule of least privilege” to delete what you don’t need or no longer use.

These are just a few cyber smart practices you can adopt right now to increase your cybersecurity when it comes to app usage. Taking simple steps such as the ones listed here can help you secure your personal information, thereby reducing your risk of cyber attacks.

Post written by Allen Snook, Director of Information Security at Messiah University, and Alanah Innis, Cybersecurity Senior.

Photo Credit: Gilles Lambert

#seeyourselfincyber #messiahcyber

Staying Safe on Social Media

The goal of this year’s “See Yourself in Cyber” campaign is to raise awareness about how each one of us is responsible for our own behavior online.

Today, we wanted to resource you with a few ways to stay safe on social media, since it is such a huge part of our lives. Here are some tips we’ve gathered from CISA, along with a few additions of our own:

  • Use discretion when you post on social media. Once your words, hashtags, and photos are on the Internet, they’ll be there forever.
  • Limit the information you share online. Do not share personal information (birth dates, anniversaries, neighborhood or street names, etc.).
  • Turn your location notifications off.
  • If you want to share a picture that has someone else in it, ask for their permission first.
  • Connect only with people and networks you know.

These suggestions may seem either too simple (“If I do these things, will it actually help?”) or too complicated (“I don’t have time to think about this”). However, the reality is that when it comes to your cyber presence, you play the main role in securing your personally identifiable information (PII).

In the end, the security you place around your devices is only as strong as you. Our hope is that by providing easy-to-use tools and tips like the ones above, we will all see the value in tightening our security at home and at work.

Stay tuned for more tips and resources all month long. For more information about undergraduate degree in Cybersecurity, get in touch with us!

#seeyourselfincyber #messiahcyber

Photo Credit: dole777 via Unsplash.com

CYSE Program Announces the “See Yourself in Cyber” Campaign, In Partnership with CISA and the NCA

Cybersecurity Awareness Month 2022 - Messiah University Cybersecurity Education Program

Welcome to our blog! This is where you’ll find cybersecurity-related posts written by the faculty and students of the Cybersecurity Education Program at Messiah University.

Cybersecurity Awareness Month

October is Cybersecurity Awareness Month, and the Cybersecurity Education Program is partnering with the “See Yourself in Cyber” campaign created by the Cybersecurity and Infrastructure Security Agency and the National Cybersecurity Alliance. Cybersecurity Awareness Month was started in 2004 at the behest of the President of the United States and Congress, in an effort to help individuals protect their information online.

The goal of this year’s “See Yourself in Cyber” campaign is to raise awareness about how each one of us is responsible for our own behavior online. All month long, we’ll be offering blog posts written by our faculty and students related to keeping your personal information safe online, as well as insights into global cybersecurity issues.

Wait, Why Does This Matter To Me?

Today we are connected to our smartphones or a computer wherever we go. Because of that, our world is becoming increasingly dependent on cybersecurity. Cyber attacks are frighteningly versatile, challenging to identify, and painfully difficult – sometimes close to impossible – to remove.

Always try to keep track of where your storage devices have been, and do not plug “lost-and-found” USB drives into your computer. Keep your personal and workplace data storage and other devices separate to avoid transferring malware from one system to another, just like washing your hands to prevent the flu from spreading!

You can greatly increase your cybersecurity online, at work and at home by taking a few simple steps: Enable Multi-Factor Authentication, Use a Trusted Password Manager and Strong Passwords, Recognize and Report Phishing, and Update Your Software.

More To Come

Stay tuned for more posts and insights from our team. For more resources, classes, and even live events this month, go to CISA’s Cybersecurity Awareness Month website www.cisa.gov/cybersecurity-awareness-month. And if you’re interested in being part of one of the most exciting fields of study, get in touch with us at https://www.messiah.edu/undergraduate/cybersecurity-major.

#seeyourselfincyber #messiahcyber

Photo Credit: Adi Goldstein