The Biden administration is going full “shields up” to protect key parts of U.S. critical infrastructure – such as pipelines, banks, commercial aviation and hospitals – from a potential Russian cyberattack, top U.S. security officials said Friday.
Anne Neuberger, the deputy national security advisor for cyber and emerging technology, said at a White House briefing that Russia was behind this week’s widespread cyberattacks on Ukrainian banks and military websites, suggesting that it was part of a broader cyber offensive that could be a prelude to a full-scale military invasion.
Neuberger and Jen Easterly, the top Department of Homeland Security cyber official, both warned that while Russia is focusing intensively on Ukraine right now, it has a long track record of launching cyber operations that extend far beyond its borders, at times even when it is focusing most of its energy on another target.

“While there are currently no specific or credible cyber threats to the homeland, the U.S. government has been preparing for potential geopolitical contingencies since before Thanksgiving,” Neuberger said.
Easterly, the director of DHS’s Cybersecurity and Infrastructure Security Agency, described similar U.S. efforts to sound the alarm and batten down the nation’s cyber hatches.
Speaking at an Aspen Institute Cyber Threats forum, Easterly said the White House has spent the past several months coordinating an extensive outreach effort with local, state and federal agencies and the private sector to secure their cybernetworks in case of attack.
“We all recognize that threats to our digital infrastructure are, of course, not bound by national borders,” Easterly said, citing a 2017 Russian cyberattack on Ukraine that ended up going viral and causing billions of dollars in damage to private companies around the world.
“Our critical infrastructure is integrated into a larger global cyber ecosystem, which means that we all need to be ready, or as I like to say, shields up,” Easterly said. “So given the rising tensions and the potential invasion of Ukraine by Russia, we’ve actually been leaning forward to inform our industry partners of potential threats.”
Easterly said CISA has been leading a national campaign starting in late 2021 to ensure that senior leaders and network defenders were prepared to manage such a threat. That has included outreach, technical assistance and classified and unclassified briefings to the private sector and state and local officials.
On Friday evening, CISA circulated a new document among infrastructure owners and operators with guidance on how to identify and mitigate the risks of possible Russian cyberattacks and related influence operations.
“Recently observed foreign influence operations abroad demonstrate that foreign governments and actors can quickly employ sophisticated influence techniques to target American audiences with the goal of disrupting U.S. critical infrastructure and undermining U.S. interests,” the CISA document said.
Preparing for, mitigating foreign targeting of critical infrastructure
The problem with the current outreach effort is that U.S. cybersecurity officials essentially have their hands tied when it comes to forcing key sectors of critical infrastructure to take steps to protect their computer networks, experts say.
“As many of you know, the government doesn’t own or operate critical infrastructure that provides critical services to our citizens. For example, our water and power systems,” Neuberger conceded.

Thanks to lobbying and regulation-averse lawmakers in Congress, many of these critical infrastructure sectors can ignore – and have ignored – repeated U.S. government requests to upgrade their security systems, said Michael Hamilton, founder of the Critical Insight security firm and former chief information security officer for the city of Seattle.
As a result, many of them lag far behind where they need to be when it comes to protecting their services and the Americans who use them from criminal hackers and state-sponsored adversaries like Russia and China, Hamilton said.
Neuberger acknowledged that shortcoming during the White House briefing Friday, but said the Biden administration has taken urgent steps over the past year to build a cyber safety network – especially for power, telecommunications and water companies because they so directly affect people’s lives.
In all, there are 16 officially designated sectors of U.S. critical infrastructure, whose assets, systems, and networks – both physical and virtual – are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on U.S. national security, economic security or public health and safety.
That includes chemical manufacturers, water and sewer systems, communications companies, dams and nuclear plants, defense contractors, banks, energy firms and food and agricultural industries.
Most of these sectors have “digitized quickly, and we need to catch up” in making them less vulnerable to a cyberattack, Neuberger said.
‘We need to be resilient’
As the threat of a Russian invasion loomed, U.S. officials at the Department of Energy recently were directed to share with power companies all of the technical nuts and bolts of what kinds of cyber intrusions Russia might launch, she said, based on prior attacks against Ukrainian power grids.
At least twice since 2015, Russian military hackers have knocked out power and electricity to wide swaths of Ukraine, leaving potentially half a million people to freeze in the dead of winter.
The Transportation Security Administration has begun requiring companies overseeing gas and oil pipelines to put in place necessary cyber defenses, Neuberger said.
Russia-based hackers with potential ties to the government are widely believed to have been behind last year’s ransomware attack against the Colonial Pipeline, which caused a gas panic and huge lines at the pump for days.

TSA has issued directives that require oil and gas pipelines to report any and all cyber incidents, to conduct vulnerability assessments and to update their incident response plans. “TSA is now working to expand that to both the aviation and railroad sectors,” Neuberger said.
And in recent days, the Department of Homeland Security and FBI have issued numerous warnings to other key U.S. sectors that could be targeted, including financial institutions and defense contractors. Another warning was sent to utility companies and nuclear plants, she said.
Sandra Joyce, head of Global Intelligence for Mandiant, praised U.S. officials for reaching out to critical infrastructure, and said her cybersecurity firm has also been warning its many corporate customers in the U.S. and abroad.

“If there has been anything good that’s come from years of Russian cyber activity aimed at the United States, it’s that we’ve enumerated a good portion of the Russian cyber capability,” Joyce said at the Aspen event. “We have a lot of information about their threat actors, and businesses and cyber defenders know what they need to do in order to defend themselves.”
“And if not,” Joyce said, “they can look at what Director Easterly has put out. … We need to be resilient and push forward and not panic, but certainly be prepared.”