The White House on Monday urged American companies to bolster their cybersecurity defenses in the wake of intelligence reports citing possible plans by the Russian government to target critical U.S. infrastructure.
Government officials later clarified that there is no evidence of any imminent attacks.
President Biden warned the private sector that the Russian government is exploring options for potential cyberattacks in a statement released Monday afternoon.
The White House released a fact sheet outlining steps for companies to improve their own cybersecurity ahead of any cyber threat.
Ironically, IT security firm NeoSystems on March 15 announced it would host a panel of experts from the private and public sectors March 22 centered around the cybersecurity implications of the ongoing conflict in Ukraine. It planned discussions on supply chain and critical infrastructure concerns and how to proactively protect against attacks.
“We are doing this at a fairly extraordinary time with the Russia-Ukraine conflict in full swing and the announcements from the White House last night,” said moderator Bryan Ware in introducing the panel of experts.
Ware is CEO and founder of business intelligence and strategic advisory firm Next5 and former director of cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA).
CISA leads the national effort to understand, manage, and reduce risk to U.S. cyber and physical infrastructure.
TechNewsWorld sat in on the Zoom-delivered panel discussion. Here is a summary of the major viewpoints shared by the four panelists.
About White House Warnings
After weeks if not months of general statements, something extraordinary happened last night with President Biden’s cybersecurity statement, offered Glenn S. Gerstell, senior advisor, International Security Program, Center for Strategic and International Studies. He is also a former National Security Agency (NSA) general counsel.
“Credible evidence suggests Russia is preparing to launch a cyberattack against the U.S. This is an extraordinary warning,” he said. “Russia is a sophisticated cyberthreat. We know what they are capable of doing.”
So far in the U.S. we have not seen what we feared — a significantly physically destructive cyberattack. Three reasons account for that, he offered.
The main reason is that it takes time and effort to engage in this type of attack. Add to that the difficulty in seeing a long-term benefit for Russia.
“It would have local devastation but would not have a strategic benefit to Putin and would entail unknown serious responses,” explained Gerstell.
The third reason for Russia not yet conducting a cyberattack against the U.S. is based on rational decision-making. Once the full weight of the unprecedented, extraordinary sanctions kicks in over the next few weeks, he expects to see Russia fall back to the old Soviet Union aggression under the style of leadership used by Nikita Khrushchev, former Premier of the Soviet Union.
Gerstell said his main concern is that Russian President Vladimir Putin will feel he has no choice left but to strike back against what the Russian people feel are unfair sanctions against them.
Modified Cyber Tactics So Far
The type of cyber tactics Russia is using so far in its invasion of Ukraine is a bit surprising to Frank Cilluffo, a commissioner on the Cyberspace Solarium Commission and director of Auburn University’s McCrary Institute. Russia previously used much more severe cyberwarfare tactics than it has in its current run-up to armed conflict.
“Cyber is going to be a predominant element in warfare going forward in all confrontations between nations,” Cilluffo warned. “Whoever is able to integrate cyberwarfare will hold the upper hand.”
Nation leaders need to be prepared for cyber assaults. But they need to think about this issue a little more broadly.
“We need to expand our thinking,” he added.
Perception management and misinformation are the main goals of non-destructive cyberattacks. Ukraine has been phenomenal in fighting against that attack strategy.
“They are winning in that regard. A lot of that is the result of U.S. companies’ contributions,” observed Cilluffo.
We are still in the early phases of cyberwarfare. The initiative still rests with the cyberattackers, he said.
US Cyber Readiness
In the wake of what has happened, the U.S. is looking at bolstering cyber defenses and recovery of data and systems processes, according to Kiersten E. Todt, chief of staff at CISA. That is a work in progress spurred on by the White House call to action.
“We are looking at resilience and strengthening ourselves. There are so many pieces involved that we have to pay attention to. We are working with the private sector and with local and state governments about shoring up defenses. Now we are reiterating the call for critical infrastructure to adopt a heightened security posture,” she said in response to a question about the status of the nation’s cyber readiness.
The plan is to be able to prevent what we can and be prepared for recovery. That does not require a lot of sophistication, she added.
“We have to raise the baseline. That is why [we have] the call to action for the basics — patching, encryption, and multi-factor identification. These are still the basics that need to be instituted across the board,” said Todt.
The action plan is for full shields up, she noted, in reference to CISA’s endorsement of an ongoing program dubbed Shields Up. Businesses and agencies can check the CISA website for complete access to cyber advisories and assistance.
“These strategies are all the things industries need to be doing regardless of the Russia war activities. We must raise the bar across the board in peacetime as well,” she urged.
Todt reiterated a point made by other presenters on the panel. Much of the preparation and cyber defenses must be handled by the private and public sectors. Federal authorities can make recommendations and issue guidelines. But individual organizations and businesses must ensure that their IT services put those plans into play.
“The current threat environment really requires all of us to be laser-focused on resilience in doing all that we can to prevent an attack and also ensuring that if one does occur that we are prepared and are minimizing the disruption. This is where the supply chain conversation is so critical,” said Todt.
“We have to focus on minimizing damage and a rapid and coordinated response to mitigate the disruptions of our critical infrastructure.”
How To Manage Supply Chain Cyber Risks
Managing these risks is difficult even for organizations that have the resources. Many of them do not, and the supply chain is made up of many small and medium-sized companies, according to Ed Bassett, CISO at NeoSystems.
“Adversaries have figured out that a successful attack can open up access to a wide range of targets. They also have figured out that further down the supply chain are easier targets than the ones sitting at the top. Most likely the attacks will come to the middle or lower end of the supply chain,” he said.
Companies today are not thinking about their IT operations, he added. There are numerous examples of breaches due to misconfigured apparatus. The fault often lies with the operations services teams and not the cloud provider, Bassett observed.