While the White House provided few details about the nature of the threat, the president’s message underscored the continuing threat in cyberspace for U.S. businesses and organizations. Cyberattacks have played a smaller role in Russia’s invasion of Ukraine than many experts predicted, supplanted by a grinding and bloody ground campaign. Anticipated retaliatory attacks against U.S. businesses and organizations apparently haven’t occurred in the wake of strict sanctions, at least not on a major scale.
Anne Neuberger, the deputy national security adviser for cyber and emerging technology, said in a briefing that “there is no certainty” of an attack on the U.S. but that Biden’s statement was a “call to action.”
“There are cyberattacks that occur every day,” she said, adding that Biden’s warning was intended to focus attention on “critical infrastructure.” She declined to specify which industries might be threatened.
Biden, in his statement, said “Critical infrastructure owners and operators must accelerate efforts to lock their digital doors.”
The president later stressed the danger to chief executives at a meeting of the Business Roundtable on Monday evening. “One of the tools he’s most likely to use, in my view and our view, is cyber, cyberattacks,” he said. “He has the capability. He hasn’t used it yet but it’s part of his playbook.”
And the National Security Agency, through a spokesperson, said that improving defenses against cyber threats now was crucial, and that the organization had publicly conveyed information about possible harmful operations with links to Russia.
The White House is limited in just how far it can protect critical infrastructure, which includes everything from dams and electric grids to water systems and food production. Much of it is operated by the private sector, regulatory oversight is patchy, and the level of cybersecurity preparedness varies greatly by industry and by company. Since a string of high-profile assaults last year — including a ransomware attack on Colonial Pipeline Co. that snarled fuel supplies along the East Coast in May — the Biden administration has pleaded with operators to bolster cyber defenses.
James Lewis, director of the strategic technologies program at the Center for Strategic and International Studies, said Russia was unlikely to “do something big” in order to avoid U.S. retaliation, but that frustration over its slow military progress against Kyiv might prompt the Kremlin to turn to a smaller cyberattack or ransomware attack.
“This is a wake-up call to people,” he said. “The Russians have explored U.S. critical infrastructure before in very extensive ways.”
Lewis added that private sector cyber defenses are better off than they were two years ago, but there’s plenty left to do.
“The number of companies that have not done the best practice is surprising and is much larger than you would have thought,” he said. “If you’re the Russians and you’re looking for one target to make a point, you’ve still got a lot to pick from.”
Federal agencies briefed more than 100 companies on the elevated threat of cyberattacks last week, Neuberger said. That included information about “preparatory activity,” including such things as scanning websites and hunting for vulnerabilities in systems.
Many of the steps the private sector can take are relatively simple, such as requiring two-factor authorization to access systems and patching their software, she said.
“We continue to see adversaries compromising systems that use known vulnerabilities for which there are patches. This is deeply troubling,” she said. “So we’re urging today companies to take the steps within your control — to act immediately to protect the services millions of Americans rely on.”
Federal officials didn’t outline specific new targets, imminent threats or defense strategies when briefing energy companies and other industry stakeholders during at least two sessions last week, according to a participant who asked not to be named because of the sensitivity of the private meetings. Instead, officials underscored the ongoing need for vigilance amid heightened concern that Russia could launch cyberattacks on critical infrastructure if it felt cornered.
Federal officials had already stepped up communication with critical infrastructure operators since Russian armed forces amassed on the borders of Ukraine. The Electricity Subsector Coordinating Council, which represents all segments of the electric power industry, pointed out ongoing information sharing and collaboration with the federal government to ensure “a vigilant and secure posture.”
The oil and gas industry also has been in regular contact with federal officials, said Suzanne Lemieux, director of operations security and emergency response at the American Petroleum Institute. “Companies are also utilizing their own networks, resources and partnerships to posture themselves to best defend against any cyber threats,” she said in an emailed statement.
Steven Silberstein, chief executive officer of the Financial Services Information Sharing and Analysis Center, known as FS-ISAC, which shares cyber intelligence among financial institutions around the world, called the cybersecurity measures outlined by the White House on Monday “critical baseline practices” that should be implemented at all times. FS-ISAC and the financial services industry “remain vigilant to all cyber threats and anomalous activity.”
“The sector continues to share cyber threat intelligence as well as cyber resilience best practices,” he said in a statement.
Russian hacking presents a two-pronged problem for the U.S. and its allies. Hackers working for Russian intelligence are considered among the world’s most sophisticated, and cybersecurity experts have long warned about their potential for disruptive attacks on critical industries.
In its annual report of threats to U.S. national security, released earlier this month, the Office of the Director of National Intelligence wrote, “Russia is particularly focused on improving its ability to target critical infrastructure, including underwater cables and industrial control systems, in the United States as well as in allied and partner countries, because compromising such infrastructure improves and demonstrates its ability to damage infrastructure during a crisis.”
In addition, Russia has been accused of harboring criminal gangs that have in recent years unleashed ransomware attacks on businesses, schools, hospitals and other organizations. Researchers at the cryptocurrency-tracking firm Chainalysis found that three quarters of global ransomware revenue went to Russia-linked hackers, earning them $400 million in cryptocurrency from those attacks in 2021 alone.
The Swedish cyber firm Truesec Group recently warned that the Kremlin, as it becomes increasingly isolated from the rest of the world, could call on its criminal hackers to use their skills on behalf of the state.
Russia’s ground war against Ukraine hasn’t gone as the Kremlin expected, with Ukrainian forces mounting a stout defense and retaining control of key cities after three weeks of fighting, including the capital, Kyiv. The Kremlin’s cyberattacks have similarly struggled to successfully target Ukrainian infrastructure since the outset of the war, according to government officials.
“We’re not surprised to learn Russia is exploring cyberattacks against the U.S. in light of the serious pressure the county is now facing,” said John Hultquist, vice president of intelligence analysis at the cybersecurity firm Mandiant Inc., in a statement. “Russia is probably looking to aggressively respond in a manner that won’t lead to a war with the U.S., and cyberattacks are a means for them to exact costs without crossing a major red line.”
Robert Lee, the chief executive officer of Dragos Inc., an industrial control cybersecurity firm, said the warning by the White House didn’t have much actionable information for cybersecurity professionals, but that the announcement itself was significant.
“Cybersecurity personnel are not necessarily the core audience,” Lee said on Twitter. “I’m not sure they had many better options than to publish what they did. “
“This isn’t a time for you to shrug and use the lack of details from the government as a reason to not have a plan.”