The White House has issued its strongest warning yet about a potential cyber attack from Russia against targets in the United States, advising private businesses to harden cyber defenses in response to intelligence indicating “preparatory activity.”
White House deputy national security adviser for cyber and emerging technology Anne Neuberger stressed to reporters that there was no evidence of a specific cyber attack plan at this point, but that companies and sectors expected to be targeted received a classified briefing last week.
Cyber attack from Russia anticipated by White House
Neuberger said that there is “no certainty” that there will be a cyber attack from Russia, but that the country is exploring options to target US critical infrastructure. When pressed on what “preparatory activity” constitutes, Neuberger refrained from going into details but indicated that it involved scanning websites and probing cyber defenses for vulnerabilities. The FBI has since added that five energy companies were probed by cyber actors with Russian IP addresses.
The White House framed the announcement as a general call to action and “responsibility” in the face of a potential threat from Russia that it believes is increasing in likelihood, even if it cannot point to intelligence about specific actions. The warning was paired with a fact sheet giving general advice about bolstering cyber defenses: implementing multi-factor authentication, ensuring security patching is up to date, running emergency drills to familiarize staff with cyber attack response plans, getting a set of security tools in place to keep up with threats, and backing up and encrypting key data regularly.
Though the US has had little direct involvement in the Ukraine war aside from providing some material aid, the Biden administration indicated it believed Russian cyber attacks were a possibility in response to the strong sanctions it has levied since the invasion began. This has included the removal of its largest banks from the SWIFT international banking system and restrictions on imports from a broad variety of industries.
With most of the US critical infrastructure managed by private companies, it is vital that these organizations be on top of their own cyber defenses. The Biden administration has been in the process of bolstering requirements for critical infrastructure companies, but this project is still far from complete. Cyber incident reporting was just recently revised for the industry, but that measure focuses on ransomware attacks. Some companies are facing tighter reporting windows for all types of cyber attacks, however, and will receive more support from federal agencies.
Mike Hamilton, former Vice-Chair for the DHS Coordinating Council and CISO of Critical Insight, provided some thoughts on the language the White House has chosen to use and what Russia’s current motivations might be: “The language in the announcement by the White House is beginning to edge up on ‘specific and credible’ threats, although it involves “evolving intelligence”. Notably, prior to the issues in Ukraine the Administration was prepared to call China our number one cyber threat. While true that China attacks the US using cyber methods more than every other country combined, espionage is not war … Part of this may be driven by the pretext that has been provided by an army of volunteers. After Anonymous has gone after pipelines, the Russian space agency, electric vehicle charging stations, broadcast television, and unsecured printers it is credible to claim that this is an aggressive action by the United States and retaliation may be under consideration.”
Cyber defenses go to wartime footing
Some cyber attacks have been executed in Ukraine that have been linked to Russia, but cyber has not been as central a factor as some might have expected in the war. Russia has also thus far seemed to largely refrain from aggressive actions against countries that have sanctioned it, but the White House is encouraging the raising of cyber defenses to a high level as this could quickly become a reality.
However and whenever the Ukraine situation is resolved, 2021 demonstrated that critical infrastructure will still face attacks from criminal operators and that there is no better time to consider long-term cyber defenses. To that end, the White House has also issued some advice for companies that extends beyond the near term: building security into products from the ground up, doing development work only on systems that are highly secure, using automated tools to review code, and implementing a “software bill of materials” approach for open source software components.
Jason Rebholz, CISO at Corvus Insurance, points out that this advice is not anything new, but the current situation has stepped up the sense of urgency considerably: “The White House’s best practices echo security fundamentals – something every organization should strive for. For many organizations, the time to implement was several years ago, as the frequency and severity of attacks began to escalate. Like planting a tree, the best time to secure your organization was ten years ago. The next best time is today. This includes implementing some basic fundamentals like mandating multi-factor authentication, investing in resilient backup systems and closing any gaps in IT system defenses. Organizations that have not addressed the key items and hardened their cyber defenses are at a significantly greater risk of compromise.”
There are a number of reasons why Russia might be keeping cyber attacks on the back burner in the current war, including a desire to not accidentally escalate with countries outside of Ukraine or perhaps a feeling that it is not needed based on the progress of the conventional war. Some speculate that Russia’s government-backed cyber war capability might actually be something of a paper tiger, reliant on basic distributed denial of service (DDoS attacks) and scenarios in which the country already has privileged information (such as shared information on the Ukraine power grid that dates back to the Soviet Union).
For NATO’s part, the organization issued a statement in 2021 indicating that the possibility of a cyber attack triggering the collective defense clause (Article 5) would be considered on a “case by case basis.” Cyber attacks are notoriously difficult to attribute with complete confidence, however. Russia (and other nations) regularly hide behind at least some sort of layer of plausible deniability in this arena.
As to what a Russian cyber attack on the US mainland might look like, the incidents with critical infrastructure in 2021 provided a small preview. Russia appears to have bigger designs, however, actively probing the nation’s power grid (and its cyber defenses) likely for over a decade now.
Rajiv Pimplaskar, CEO, Dispersive Holdings, warns that they should never be underestimated: “Nation state toolkits are especially dangerous as they are highly effective against Industry standard IPsec VPN as well as TLS encryption. Russia and other Nation state actors have a vast amount of compute resources as well as well coordinated teams to play a long game against targeted Western governments, enterprises and MNCs. Also, that motivation in such situations is not just economical but also strategic means sensitive data that is detected can be used to reverse engineer source and destination relationships as well as identify flows of interest. Furthermore, Nation state toolkits can use public cloud as a gateway to get underneath the encryption layer and capture the data flow itself for future analysis … Traditional zero trust approaches stop at the network and are largely ineffective against Nation state actors. Critical infrastructure companies should bolster their cyber defense posture with advanced communications security that can obfuscate resources, as well as leverage data multipathing to present a harder target for such threat actors.”
Bill Rucker, President of Trustwave Government Solutions, provided this advice to organizations that expect to be impacted: “The Biden administration has been taking a proactive approach to engage both the public and private sectors on cybersecurity to keep critical data and infrastructure safe from rising foreign and domestic threats. The recommendations from the Biden administration echo what all organizations need to keep in mind during this time – the cyber fundamentals are absolutely paramount. Organizations need to take ownership of their cyber posture outside of regulations and mandates by actively assessing their security gaps and seeking experts who can help them mitigate cyber risk and increase their cyber defense capabilities. Organizations must do the cyber basics well and do them consistently while taking a proactive approach to threat hunting and data protection. One area that we frequently see organizations deficient in is database security. Databases that are not properly secured with risk mitigation and compensation controls are particularly susceptible to attack or infiltration. The longer that organizations continue to treat databases like a traditional workstation or server, the more susceptible they are to compromise or ransom.”
