Senior Biden administration officials last Friday warned critical infrastructure entities in the U.S. to up their cybersecurity game as Russian military activity along Ukraine’s borders further heated up, although these officials cautioned that there is no evidence that Russia is targeting the U.S. for cyber-attacks.
Efforts to bolster homeland cyber defenses began before last Thanksgiving and have focused on government outreach to owners and operators of critical infrastructure, including “unprecedented and extraordinary lengths to share sensitive information, and most importantly, to outline specific steps companies can take to make their systems more secure,” Anne Neuberger, deputy national security advisor for cyber and emerging technologies at the White House, said at a press conference.
Neuberger highlighted power, communications and water as key sectors that need to be watchful.
Prior to Neuberger’s comments, Jen Easterly, the director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said at a virtual Aspen Institute event that her agency has been bringing government agencies together to provide information to critical infrastructure entities so they are prepared for “any escalation that might pose a potential threat to the homeland.”
The information about the “evolving cybersecurity risk” has been shared through classified and unclassified briefings, not only with industry but also with state and local partners, Easterly said. CISA and its partners have also been sharing cybersecurity products that include tactics, techniques and procedures that are used by Russian actors, she said.
Amid the heightened military tensions in Eastern Europe, Easterly said that private sector entities need to share potential cyber threat information even before they have a good read on it because it could serve as an early warning of a cyber-attack. These “early warnings” are most likely going to come from a company first, she said.
“I would say of the guidance that we have been providing, perhaps the most critical is that organizations need to lower their thresholds for escalating anomalous activity and sharing that information with the government,” no matter if it’s CISA or the FBI, Easterly said, adding that both agencies “are tightly connected.”
Neuberger also said the administration is blaming Russia for a number of recent cyber-attacks and compromises of Ukrainian military and critical infrastructure networks for intelligence collection and to position itself for disruptive activities. These include distributed denial of service (DDoS) attacks early last week against the Ukrainian Ministry of Defense and the country’s state-owned banks.
Attribution of cyber-attacks typically takes months at a minimum and usually longer, which Neuberger said Russia “counts on” to aid its operations in the “shadows” for sustained bad behavior in cyberspace as part of potential pre-invasion actions in Ukraine.
“In light of that, we’re moving quickly to attribute the DDoS attacks,” she said. “We believe that the Russian government is responsible for wide-scale cyber-attacks on Ukrainian banks this week. We have technical information that links the Russian Main Intelligence Directorate, or GRU, as known GRU infrastructure was seen transmitting high volumes of communication to Ukraine-based IP (internet protocol) addresses and domains.”
The U.S. has shared this information with Ukraine and its partners in Europe, Neuberger said. These cyber activities could just be a taste of what’s to come if Russia conducts more disruptive operations as part of a potential military invasion of Ukrainian territory, she said.
Some significant steps to bolster cyber defenses of U.S. critical infrastructure began late last spring, well before Russia began its military buildup around Ukraine. Following a successful ransomware attack against U.S. petroleum pipeline operator Colonial Pipeline, the Transportation Security Administration began exercising existing authorities to regulate cybersecurity incident reporting and best practices, starting with the pipeline sector and then expanding to the aviation and railroad sectors.
“I cannot stress this enough,” Neuberger said. “We urge our private sector partners to exercise incident response plans and put in place the cybersecurity defenses like encryption and multifactor authentication that make cyber-attacks harder for even sophisticated cyber actors.”
Over the past few months, the U.S. has increased its cyber support to Ukrainian network defenders to build their cyber resilience, she said, and is also sharing intelligence about cyber threat techniques with its allies and partners.
While there is no credible evidence of cyber threats to the U.S. currently, Neuberger said there is a concern that “as a society, we don’t have a level of cyber resilience that we wish to.”