President Biden has reiterated his administration’s call for private companies to stay wary of cyberattacks from Russia following US support for Ukraine. These attacks, which according to him are “part of Russia’s playbook,” can come as retaliation for the crippling economic sanctions the United States and its allies have brought upon the Kremlin as it continues its invasion of Ukraine.
“Today, my Administration is reiterating those warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks,” said Biden through a White House press release dated March 21.
“This is a critical moment to accelerate our work to improve domestic cybersecurity and bolster our national resilience,” he said. In urging the private sector to bolster its cybersecurity, he said companies should do so by “implementing the best practices we have developed together over the last year.”
“You have the power, the capacity, and the responsibility to strengthen the cybersecurity and resilience of the critical services and technologies on which Americans rely. We need everyone to do their part to meet one of the defining threats of our time — your vigilance and urgency today can prevent or mitigate attacks tomorrow,” the statement read.
The concern comes after reports of Moscow launching a series of cyberattacks on the Ukrainian government and its key industries. Currently, there has been no confirmation of any attack on the United States.
“To be clear, there is no certainty there will be a cyber incident on critical infrastructure. So why am I here? Because this is a call to action and a call to responsibility for all of us,” said Deputy National Security Advisor Anne Neuberger in a briefing shortly after Biden’s announcement.
According to the advisor, the administration convened over 100 American companies and encouraged them to share updated information on cybersecurity threats.
“During those meetings, we shared resources and tools to help companies harden their security, like advisories sourced from sensitive threat intelligence and hands-on support from local FBI field offices and sister regional offices, including their Shields Up program,” Neuberger said.
Neuberger opted not to disclose specific industries under threat but said they belong to the country’s critical infrastructure, a state designation that covers industries vital to the national economy and defense. These include the finance, energy, pipeline, and transportation sectors.
The warning may signal a deep concern regarding the preparedness of the American private sector to defend against a Russian digital attack. It may also reflect the struggle to maintain these high alert levels as the war in Ukraine drags on.
“The White House is running out of ways to keep the alert levels up for cyber incident responders,” said former Cybersecurity and Infrastructure Security Agency official Tatyana Bolton. “It’s very difficult to stay on a high level of alert for a long amount of time because we’re humans and alert levels go down as time passes.”
Another US government official described “fatigue” within the cyber defense industry, whose workers have been clocking long hours over the past weeks under the Cybersecurity & Infrastructure Security Agency’s (CISA) “Shields Up” initiative.
“Since this heightened threat environment started, it’s been like ‘Shields Up.’ So people ask, ‘When do we put shields down?’” the unnamed official said to The Washington Post.
What can the US government do to improve cybersecurity?
US officials have been going all out to disseminate information on cybersecurity threats and share best practices, but implementation remains in the hands of companies, which decide whether or not to adopt these guidelines.
One possible way to combat this is to expand the government’s reach over the cybersecurity affairs of private enterprises. Congress recently passed a bill that requires firms categorized as critical infrastructure to alert CISA within three days of being hacked. However, the implementation of such a system could take over a year.
In the select industries where the government was able to establish a broader range of cyber authority, which include pipelines, the guidelines have been met with a mixed response from the top firms.
One prospect raised by cybersecurity analysts is that these concerns will usher in a new wave of investment and development in cybersecurity that will outlive the ongoing crisis.
“My hope is that the Russia crisis will spur long-term investments in cybersecurity and critical infrastructure resilience,” said Executive Director of the Cyberspace Solarium Commission Mark Montgomery. “My fear is it will be treated as it has been [after cyber crises] in the past and forgotten soon thereafter.”
On March 22, Moscow rejected the accusations from the US that it intends to conduct digital attacks as an answer to sanctions from the West.
“The Russian Federation, unlike many Western countries, including the United States, does not engage in state-level banditry,” said Russian Spokesperson Dmitry Peskov.
The Russian Federation also denies similar allegations that it was responsible for hacking Ukrainian financial and government websites.