US president Joe Biden warned on Monday about new indications of possible Russian cyberattacks, pumping up the volume on weeks of growing concern about a possible Kremlin-ordered response to crushing sanctions over the invasion of Ukraine.
On Monday, Mr Biden reiterated those warnings, prompted by what he called “evolving intelligence that the Russian government is exploring options for potential cyberattacks.” He urged the US private sector: “Harden your cyber defence immediately.”
While the White House provided few details about the nature of the threat, the president’s message underscored the continuing threat in cyberspace for US businesses and organisations. Cyberattacks have played a smaller role in Russia’s invasion of Ukraine than many experts predicted, supplanted by a grinding and bloody ground campaign. Anticipated retaliatory attacks against US businesses and organisations apparently haven’t occurred in the wake of strict sanctions, at least not on a major scale.
Anne Neuberger, the deputy national security adviser for cyber and emerging technology, said in a briefing that “there is no certainty” of an attack on the US but that Mr Biden’s statement was a “call to action”.
“There are cyberattacks that occur every day,” she said, adding that Mr Biden’s warning was intended to focus attention on “critical infrastructure.” She declined to specify which industries might be threatened.
Mr Biden, in his statement, said, “Critical infrastructure owners and operators must accelerate efforts to lock their digital doors.”
The president later stressed the danger to chief executives at a meeting of the Business Roundtable on Monday evening. “One of the tools he’s most likely to use, in my view and our view, is cyber, cyberattacks,” he said. “He has the capability. He hasn’t used it yet but it’s part of his playbook.”
The White House is limited in just how far it can protect critical infrastructure, which includes everything from dams and electric grids to water systems and food production. Much of it is operated by the private sector, regulatory oversight is patchy, and the level of cybersecurity preparedness varies greatly by industry and by company. Since a string of high-profile assaults last year – including a ransomware attack on Colonial Pipeline Co that snarled fuel supplies along the East Coast in May – the Biden administration has pleaded with operators to bolster cyber defences.
James Lewis, director of the strategic technologies programme at the Center for Strategic and International Studies, said Russia was unlikely to “do something big” in order to avoid US retaliation, but that frustration over its slow military progress against Kyiv might prompt the Kremlin to turn to a smaller cyberattack or ransomware attack.
“This is a wake-up call to people,” he said. “The Russians have explored US critical infrastructure before in very extensive ways.”
Mr Lewis added that private sector cyber defences are better off than they were two years ago, but there’s plenty left to do.
“The number of companies that have not done the best practice is surprising and is much larger than you would have thought,” he said. “If you’re the Russians and you’re looking for one target to make a point, you’ve still got a lot to pick from.”
Federal agencies briefed more than 100 companies on the elevated threat of cyberattacks last week, Ms Neuberger said. That included information about “preparatory activity,” such as scanning websites and hunting for vulnerabilities in systems.
Many of the steps the private sector can take are relatively simple, such as requiring two-factor authorisation to access systems and patching their software, she said.
“We continue to see adversaries compromising systems that use known vulnerabilities for which there are patches. This is deeply troubling,” she said. “So we’re urging today companies to take the steps within your control – to act immediately to protect the services millions of Americans rely on.”
Federal officials didn’t outline specific new targets, imminent threats or defence strategies when briefing energy companies and other industry stakeholders during at least two sessions last week, according to a participant who asked not to be named because of the sensitivity of the private meetings. Instead, officials underscored the ongoing need for vigilance amid heightened concern that Russia could launch cyberattacks on critical infrastructure if it felt cornered.
Federal officials had already stepped up communication with critical infrastructure operators since Russian armed forces massed on the borders of Ukraine. The Electricity Subsector Coordinating Council, which represents all segments of the electric power industry, pointed to ongoing information sharing and collaboration with the federal government to ensure “a vigilant and secure posture.”
The oil and gas industry also has been in regular contact with federal officials, said Suzanne Lemieux, director of operations security and emergency response at the American Petroleum Institute.
Steven Silberstein, chief executive officer of the Financial Services Information Sharing and Analysis Center, known as FS-ISAC, which shares cyber intelligence among financial institutions around the world, called the cybersecurity measures outlined by the White House on Monday “critical baseline practices” that should be implemented at all times. FS-ISAC and the financial services industry “remain vigilant to all cyber threats and anomalous activity”. – Bloomberg