Washington steels for Russian cyberattacks
The Biden administration and Congress are steeling for cyberwarfare from Russia following its invasion of Ukraine and warning businesses to prepare for potential attacks.
Why it matters: Russia's invasion was coupled with cyberattacks on Ukraine. American officials fear cyber-conflict could escalate if Russian President Vladimir Putin believes the U.S. is responsible for retaliation.
- Wednesday, Sen. Mark Warner (D-Va.) told Axios he's worried that Russian cyber-assaults on Ukraine could spill over to neighboring NATO allies.
The big picture: The U.S. created the Cybersecurity and Infrastructure Security Agency (CISA) in 2018 to protect critical infrastructure from cyber-threats.
- It will play a key role in this crisis, along with other arms of the Department of Homeland Security.
What they're saying: "If Russia pursues cyberattacks against our companies, our critical infrastructure, we are prepared to respond," President Biden said Thursday.
- "For months, we've been working closely with the private sector to harden our cyber-defenses, sharpen our ability to respond to Russian cyberattacks as well."
- "This is a time for Americans to be vigilant, particularly in the cyber domain," Rep. Bennie Thompson (D-Miss.), chair of the Homeland Security Committee, said in a joint statement with Rep. Ritchie Torres (D-N.Y.), and Rep. Yvette Clarke (D-N.Y.).
The intrigue: CISA has been warning the private sector for weeks about potential cyberattacks and has participated in interagency exercises with other parts of the administration to prepare for various scenarios.
- Possible targets of Russian cyberattacks include grids, pipelines and critical infrastructure that "would not necessarily endanger lives, but cause enough inconvenience to sway public opinion" against U.S. efforts against Russia, Katerina Sedova, research fellow at Georgetown's Center for Security and Emerging Technology, told Axios.
- "If Russia actually did this, it would be a massive escalation that would very likely result in a U.S. response in kind," Sedova said. "And Russia has a lot to lose right now from our cyber response."
Companies are at various stages of readiness for crisis and damage control, Danielle Jablanksi, OT Cybersecurity Strategist at Nozomi Networks, told Axios.
- "Some are in a fortress where their shield is ready to go and others are kind of in crisis mode, not knowing what their shield looks like and what it can actually defend against," Jablanski said.
What's happening: CISA director Jen Easterly tweeted Thursday morning that there are "no specific threats to the U.S. at this time," but that all organizations must be prepared for cyberattacks, whether they are directly targeted or not.
Easterly pointed to CISA's "Shields Up" campaign, which urges companies of all sizes to take specific actions to prepare for cyberattacks, including:
- Reducing the likelihood of a cyber-intrusion by requiring multi-factor authentication, ensuring software is up-to-date and using CISA's free services.
- Taking steps to detect an intrusion, including focusing on quickly assessing unusual or unexpected network behavior, and taking special care to monitor traffic when working with Ukrainian organizations.
- Designating a crisis response team in case of attack.
Yes, but: Gerard Stegmaier, a partner in Reed Smith’s privacy and data security practice, told Axios: “It’s too early to tell whether, when and how this program [Shields Up] functions well, and whether it materially contributes to an improved security posture of the company or organization.”
Meanwhile, lawmakers want to fast-track bipartisan bills that would help with cyber-defense, especially in light of Russia's attack on Ukraine.
- Sen. Gary Peters (D-Mich.) and Sen. Rob Portman (R-Ohio) recently introduced legislation requiring all critical infrastructure owners and operators to notify CISA of ransomware payments within 24 hours and of substantial cyberattacks within 72 hours.
- The goal is to include that package in the upcoming omnibus spending bill. The next deadline for government funding is March 11.
- A Peters aide told Axios the senator is looking for "any pathway forward to get this important and much needed legislation over the finish line."
Also, the bipartisan infrastructure bill passed last year included $100 million over five years toward a Cyber Response and Recovery Fund to be managed by CISA.
The bottom line: "We now have a stronger defense" than in the past if the U.S. is attacked, and CISA appears to be well-prepared, Karen Kornbluh, director of the Digital Innovation and Democracy Initiative at the German Marshall Fund, told Axios. But hyper-vigilance is needed.
- "You can never be cyber-secure, it's always evolving and attackers always have the edge," she said. "The question is, as we get tested more and more, are we continuing to evolve?"