The Biden administration on Monday issued another warning that Russia’s government “is exploring options for potential cyberattacks” against the U.S. and called on critical infrastructure operators to “harden your cyber defenses immediately.”
In a statement, the White House cited “evolving intelligence” that links the growing cyber risk to the “unprecedented economic costs we’ve imposed on Russia” through sanctions launched since the country began its invasion of Ukraine in February. The administration did not specify what kind of intelligence officials have observed or what sectors may be most at risk, but it noted that cyberattacks against infrastructure are “part of Russia’s playbook,” referring to attacks against Ukraine, France, Georgia, South Korea and others that U.S. officials have blamed on Russian military intelligence. (See Six Russians Charged for Ukraine Cyberattacks.)
During a media briefing on Monday, Anne Neuberger, deputy national security adviser for cyber and emerging technology, declined to say whether intelligence agencies believe Russia has already attempted a cyber operation against the U.S., instead referring to “preparatory activity” that could include “scanning websites [or] hunting for vulnerabilities.”
However, Neuberger also reminded the audience that cyberattacks have been part of Russia’s ongoing operations against Ukraine, echoing warnings from the Cybersecurity and Infrastructure Security Agency (CISA) and other U.S. agencies early in the conflict about an outbreak of “destructive malware” affecting multiple countries the region.
These attacks have fallen short of the major cyberoffensive that many observers expected would accompany Russian military action against Ukraine, but experts have warned that President Vladimir Putin may be holding his strongest cyber capabilities in reserve as a hedge against a worsening military situation. (See Experts Warn Cyberwar Still Possible.)
Neuberger avoided saying which U.S. critical infrastructure sectors are most at risk, saying that the “steps that are needed … need to be done across every sector. … Even those sectors that we do not see any specific threat intelligence for, we truly want [them] to double down and do the work that’s needed.” But she did confirm that “key entities who need to know have been provided classified briefings” in the last several weeks.
While Neuberger provided few specifics, she did say that many entities still have not performed simple steps that would help mitigate against much of the risk.
“We continue to see known vulnerabilities, for which we have patches available, used by sophisticated cyber actors to compromise American companies [and] companies around the world … and that makes it far easier for attackers than it needs to be,” Neuberger said.
A fact sheet accompanying the White House’s statement listed a number of preparatory steps for private sector organizations to complete “with urgency.” Included in its recommendations are:
- mandate the use of multifactor authentication and deploy “modern security tools” on computers and devices;
- have cybersecurity professionals ensure that systems are patched against known vulnerabilities;
- change passwords across networks and encrypt data so they cannot be used if stolen;
- back up data to secure locations;
- keep up-to-date emergency plans and run regular drills so employees can respond to attacks quickly;
- train employees to avoid common hacking tactics; and
- encourage employees to report unusual behavior from their computers or devices.
“What we’re asking for is: Lock your digital doors. Make it harder for attackers; make them do more work; [and that] will make it significantly harder, even for a sophisticated actor, to compromise a network,” Neuberger said.