The late-day warning on Monday from President Biden and White House national security officials that the Russian government is exploring options for potential cyberattacks against U.S. critical infrastructure targets appeared to turn many heads in the Federal cybersecurity community, which is by now long used to receiving and generating cybersecurity advisories.
The news of the day was captured in a nutshell with President Biden’s renewal of warnings to critical infrastructure sectors “based on evolving intelligence that the Russian government is exploring options for potential cyberattacks.”
President Biden amplified that statement while addressing corporate CEOs on Monday evening, saying that “one of the tools” that Russian President Vladimir Putin is “likely to use … in our view is cyberattacks.”
“The point is that he has a capability; he hasn’t used it yet,” President Biden said. “But it’s part of his playbook.” He continued, “Today my administration has issued renewed warnings that, based on evolving intelligence, Russia may be planning a cyberattack against us. And as I’ve said, the magnitude of Russia’s cyber capacity is fairly consequential, and it’s coming.”
At the same time, Anne Neuberger, the White House’s deputy national security advisor for cybersecurity and emerging technology, said the government has seen “some preparatory activity” for attacks, but still no “evidence of any specific cyberattack that we’re anticipating for.”
The unclassified release of that intelligence came after Federal agencies last week convened more than 100 companies to share both classified and unclassified cyber threat data. Neuberger said Monday’s statements aimed to raise broader awareness of the possible threats from Russia, and the need for all companies to shore up their defenses.
The substance of the latest warning to critical infrastructure sectors matches up with the Cybersecurity and Infrastructure Security Agency’s (CISA) “shields up” advisory to those sectors on Feb. 18 in the run-up to Russia’s invasion of Ukraine. CISA Director Jen Easterly said at the time there were no specific credible threats to the U.S. homeland but reiterated advice to the sectors for defending against possible Russian cyber threats.
Easterly said Monday that President Biden’s new statement “reinforces the urgent need for all organizations, large and small, to act now to protect themselves against malicious cyber activity.”
“As the nation’s cyber defense agency, CISA has been actively working with critical infrastructure entities to rapidly share information and mitigation guidance that will help them protect their systems,” she said. “We will continue working closely with our federal and industry partners to monitor the threat environment 24/7 and we stand ready to help organizations respond to and recover from cyberattacks.”
So what made Monday’s announcement different from the previous warnings? Both the hints of fresh intelligence and the urgency of the statements from the cybersecurity policy community.
On the intelligence front, Bill Rucker, president of cybersecurity services firm Trustwave Government Solutions, told MeriTalk today that the stronger attack alert from the White House matches up with activity that Trustwave tracks as part of its services lineup.
“From the heightened alert perspective, I’m not surprised by it,” Rucker said. “The data [from the White House] wasn’t very detailed, but obviously there’s a credible threat about preparatory activity that they’ve seen.”
“We monitor stuff all the time, and you can notice when scanning upticks, or when people are doing additional searches, or moving around,” he said.
“We monitor that globally, and we do a lot of dark web searching ourselves,” he continued. “While we haven’t seen particular attack-based things, we’ve seen an uptick in activity.”
Rucker also referenced “technical difficulties” that Russia is experiencing due to global sanctions placed on the country, and offered, “when you see those folks not able to move as quickly, or buy, or move money as quickly as they used to, you certainly know that that activity is leading to something.”
“I think the fact that there’s an uptick in scanning and hunting for vulnerabilities, it certainly points to the fact that there’s, without a doubt, a credible threat taking place,” he said.
“And given the actions that we’ve seen going back to pre-invasion, there were cyberattacks that were theoretically used from one adversary to another in advance of an actual military strike, where malware was found on systems,” he said. “So it’s not a high coincidence that those systems were meant to confuse and disable things that would have helped them in the early stages of that invasion.”
Rucker also talked about the value to an attacker of tactics such as the distributed denial of service (DDoS) attacks observed on some Ukrainian government websites in the run-up to the invasion, and whether they may be intended more to create attack “noise” than to ultimately bring down systems.
“That’s one of the things that we’ve seen in cyber for a very long time,” he said. “When you think about a DDoS attack or when they flood systems, it’s typically not the DDoS attack that the adversary really wants to do. Bringing down your systems could be their goal, but typically, it’s to create so much noise, so if every car alarm in the parking lot is going off, you may not see the one in the back that’s stolen, because just that level of noise creates a lot of disruption.”
“There are tools and technology and partnerships out there to really take the noise of DDoS and put it aside, so you can look at what’s actually happening. Those things are actually really important right now,” he said.
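Rucker’s “car alarm” point can be made concrete. The following is an added example, not code from the article or from Trustwave: a small Python triage that sets aside the high-volume flood sources in a web access log and surfaces the low-volume events they could be masking. The log format, the sample lines (using documentation address ranges) and the thresholds are all constructed assumptions.

```python
"""Separate DDoS 'noise' from the quieter events it may be covering.

Added example, not part of the original article. The log format, the sample
lines and the thresholds below are constructed for illustration.
"""
from collections import Counter
from typing import NamedTuple


class Event(NamedTuple):
    ts: str
    src: str
    method: str
    path: str
    status: int


def parse_line(line: str) -> Event:
    """Constructed format: '<timestamp> <src-ip> <method> <path> <status>'."""
    ts, src, method, path, status = line.split()
    return Event(ts, src, method, path, int(status))


def build_sample_log() -> list[str]:
    """Constructed sample: three flooding sources plus three quiet requests."""
    lines = []
    for i in range(300):
        src = f"203.0.113.{10 + i % 3}"  # TEST-NET-3 addresses, 100 hits each
        lines.append(f"2022-03-21T18:00:{i % 60:02d}Z {src} GET /index.html 200")
    # Low-volume events buried in the burst: one benign health check and two
    # admin-path requests from a single source that is not part of the flood.
    lines.insert(40, "2022-03-21T18:00:08Z 192.0.2.44 GET /status 200")
    lines.insert(150, "2022-03-21T18:00:30Z 198.51.100.7 POST /admin/login 200")
    lines.insert(151, "2022-03-21T18:00:31Z 198.51.100.7 GET /admin/export?all=1 200")
    return lines


def triage(lines, flood_threshold=50, watch_prefixes=("/admin",)):
    """Return (flood_sources, residual_events, flagged_events).

    flood_sources: sources at or above the per-source request threshold; these
        go to the DDoS mitigation side of the house, not to the analyst queue.
    residual_events: everything that is left once flood traffic is set aside.
    flagged_events: residual events touching sensitive paths, for review first.
    """
    events = [parse_line(line) for line in lines]
    per_source = Counter(e.src for e in events)
    flood_sources = {s for s, n in per_source.items() if n >= flood_threshold}
    residual = [e for e in events if e.src not in flood_sources]
    flagged = [e for e in residual if e.path.startswith(watch_prefixes)]
    return flood_sources, residual, flagged


if __name__ == "__main__":
    floods, residual, flagged = triage(build_sample_log())
    print(f"flood sources set aside: {sorted(floods)}")
    print(f"{len(residual)} residual events, {len(flagged)} touching watched paths:")
    for e in flagged:
        print(f"  {e.ts} {e.src} {e.method} {e.path} {e.status}")
```

On the constructed log, the three flood sources are removed from the analyst’s view and the two admin-path requests from the single quiet source stand out. In practice the threshold would be rate-based over a sliding window rather than a flat count, and the watched paths would come from the organization’s own sensitive endpoints.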
For critical infrastructure sectors that may be targeted by Russian or other attacks, Rucker referenced CISA’s directive, saying, “it’s shields up, they have to be prepared.”
“They’ve got to look in all of their closets and drawers and doors beforehand,” he advised. “They’ve got to scan, they’ve got to test, they’ve got to be ready for what could take place because people still don’t do the ABCs real well in cyber. If you look at all the breaches and all the major kinds of incidents over the last month, six months, two years, it’s typically a known vulnerability, and that tells us something, right?
“I think a lot of that comes back to just making sure that we’re doing the basic cyber hygiene,” he said.
Providers of IT and cybersecurity services to the Federal government were quick to weigh in.
“The Biden-Harris Administration has repeatedly said that due to this recent conflict, an increase in potential malicious cyber activity is likely. It’s a reminder that the cyber threat never stops and it’s important to be ever vigilant in strengthening cybersecurity defenses, especially during these worldwide conflicts,” said Matt McFadden, VP of cyber at General Dynamics Information Technology.
“The more we can share and collaborate to elevate our cyber posture, the more it will prevent organizations and entities from becoming victims of these cyber-attacks,” he said. “The White House recommendations show that the private sector has an important role in protecting critical infrastructure and should focus on key steps to mitigate potential threats.
In short, it’s good advice and reiterates what they have been saying all along.”
Jason Oxman, president at the Information Technology Industry Council, said the “warning by the Biden Administration underscores the very real nature of the evolving cyber threats facing all businesses and individuals, but especially U.S. critical infrastructure owners and operators. In an intensifying geopolitical environment, businesses cannot risk being caught off-guard or underprepared.”
“Cybersecurity continues to be a top priority for the tech industry, and we take this notice seriously,” he said. “We will continue to work with the administration, state and local governments, and partners in the business community to help stay ahead of this rapidly changing cyber situation.”
Ellen Sundra, Chief Customer Officer at Forescout Technologies, called the White House comments “a call to action for organizations who have not yet been able to embrace important cyber protections needed to ensure a well-functioning and secure society.” She recommended that public sector organizations double down on reinforcing critical systems and taking basic cyber hygiene steps including knowing the environment, taking inventory of existing security processes, and finding non-compliant devices and quarantining them.
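The hygiene steps listed above (know the environment, check the inventory, find non-compliant devices, quarantine them) are the kind of thing that can be driven from an asset inventory. As an added example that is not from the article or from Forescout, the Python below evaluates constructed inventory records against a constructed baseline policy and splits the failures into devices that can be quarantined automatically and devices (here, an OT segment) that need a human decision first. The device records, policy values, segment names and field meanings are all assumptions.

```python
"""Inventory-driven hygiene check: who fails the baseline, and what to do about it.

Added example, not from the original article or from any vendor. Device
records, policy values and segment names are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Device:
    hostname: str
    segment: str       # constructed: "corp", "dmz", "ot"
    edr_agent: bool    # endpoint agent reporting in
    patch_level: int   # constructed monotonically increasing baseline number
    last_seen: date    # last time the inventory source observed the device


@dataclass
class Policy:
    min_patch_level: int
    max_days_unseen: int
    require_edr: bool = True


def compliance_findings(dev: Device, policy: Policy, today: date) -> list[str]:
    """Return the list of baseline checks the device fails (empty if compliant)."""
    reasons = []
    if policy.require_edr and not dev.edr_agent:
        reasons.append("no EDR agent")
    if dev.patch_level < policy.min_patch_level:
        reasons.append(f"patch level {dev.patch_level} < {policy.min_patch_level}")
    if (today - dev.last_seen).days > policy.max_days_unseen:
        # A device nobody has seen for a long time is an unknown, not a known-good.
        reasons.append("stale inventory record")
    return reasons


def plan_actions(inventory, policy, today, no_auto_quarantine=("ot",)):
    """Bucket non-compliant devices into auto-quarantine vs. manual review.

    Segments listed in no_auto_quarantine (assumed here to be operational
    technology) are never isolated automatically: cutting a controller off the
    network can have safety consequences that a compliance script cannot judge.
    """
    actions = {"quarantine": {}, "manual_review": {}}
    for dev in inventory:
        reasons = compliance_findings(dev, policy, today)
        if not reasons:
            continue
        bucket = "manual_review" if dev.segment in no_auto_quarantine else "quarantine"
        actions[bucket][dev.hostname] = reasons
    return actions


# Constructed sample inventory and policy.
TODAY = date(2022, 3, 21)
POLICY = Policy(min_patch_level=40, max_days_unseen=30)
INVENTORY = [
    Device("ws-fin-01", "corp", True, 42, date(2022, 3, 20)),   # compliant
    Device("ws-fin-02", "corp", False, 42, date(2022, 3, 21)),  # agent missing
    Device("srv-web-03", "dmz", True, 37, date(2022, 3, 19)),   # behind on patches
    Device("plc-gw-01", "ot", False, 30, date(2022, 3, 21)),    # OT: review, don't isolate
    Device("lab-old-09", "corp", True, 42, date(2022, 1, 5)),   # not seen in 75 days
]

if __name__ == "__main__":
    for bucket, devices in plan_actions(INVENTORY, POLICY, TODAY).items():
        print(f"{bucket}:")
        for host, reasons in devices.items():
            print(f"  {host}: {', '.join(reasons)}")
```

Running it on the constructed inventory quarantines the workstation without an agent, the under-patched web server and the device with a stale record, and routes the OT gateway to manual review with both of its findings attached.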