A Warning to Critical Infrastructure: Russia May Launch a Cyberattack Against U.S. Companies
On Monday, March 21, 2022, the White House issued a statement warning of "evolving intelligence" that the Russian government may launch cyberattacks aimed at the United States in response to sanctions arising from Russia's invasion of Ukraine. The statement highlights the specific risks to critical infrastructure sectors and is accompanied by a Fact Sheet with recommendations for hardening companies' cyber defenses.
Most of the recommendations in the Fact Sheet are similar to those included in the White House's June 2, 2021, letter to U.S. corporate executives and business leaders, which DWT covered in a prior blog post.
Key recommendations from the Fact Sheet include:
- Using multifactor authentication;
- Deploying modern security detection tools such as endpoint detection and response (EDR);
- Ensuring systems are patched and protected against known vulnerabilities;
- Backing up data, including with offline backup solutions;
- Running incident response exercises;
- Encrypting data;
- Educating employees to identify common cyberthreats and report potential signs of compromise; and
- Engaging proactively with the local FBI field office or Cybersecurity and Infrastructure Security Agency (CISA) Regional Office to establish relationships in advance of any cyber incidents.
The Fact Sheet also has several recommendations specific to technology and software companies. The Biden Administration has been especially focused on addressing threats to the software supply chain, including in the May 12, 2021, Executive Order on Improving the Nation's Cybersecurity (we discussed this Executive Order in a prior blog post) and through guidance developed by the National Institute of Standards and Technology (NIST).
The Fact Sheet's recommendations for technology and software companies include:
- Building security into products "from the ground up";
- Developing software only on secure, access-controlled systems;
- Using automated code-scanning tools to identify vulnerabilities in software code; and
- Maintaining a "software bill of materials" (SBOM) to help track where open-source code was used to develop the software—if a vulnerability is reported in an open-source library, an SBOM can make it easier for developers to identify and remediate the affected code.
Management of threats to the software supply chain posed by open-source code has been a recurring theme from the Biden Administration. These threats, and the use of an SBOM to help address them, are discussed in the May 12, 2021, Executive Order and NIST's Secure Software Development Framework. The Federal Trade Commission also focused on these threats when it published a blog post warning companies to remediate the Log4j vulnerability within their systems.
In addition to the White House guidance, companies are encouraged to review the materials and recommendations published by CISA as part of its "Shields Up" campaign. CISA's Shields Up website contains technical and organizational recommendations related to state-sponsored attacks from Russia, ransomware, and other cyberthreats.
Next Steps
After reviewing the White House and CISA guidance, clients are advised to:
- Work with your IT and security personnel to determine the extent to which you are already implementing the measures recommended in the guidance. In the event of a cyberattack, expect law enforcement and regulators, at a minimum, to ask whether these measures were adopted or considered;
- Review and refresh your incident response plans;
- Hold tabletop exercises, including those focused on state-sponsored threats to critical systems and operations; and
- Reach out to your FBI field office, CISA regional office, or other government contacts to establish relationships now. Record your government contacts in your incident response plans so that you can quickly engage with law enforcement in the event of a cyberattack.