Cybersecurity leaders urge digital defense awareness, preparation in light of Russia invasion
For the first time since World War II, war has erupted on the European continent. Russia’s unprovoked invasion of Ukraine early Thursday morning has sent geopolitical shockwaves rippling around the world, and American cybersecurity leaders are pivoting to address digital defense concerns close to home.
“We need to be prepared for the potential of foreign influence operations to negatively impact various aspects of our critical infrastructure with the ongoing Russia-Ukraine geopolitical tensions,” said Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), in a statement about the release of new guidance. “We encourage leaders at every organization to take proactive steps to assess their risks from information manipulation and mitigate the impact of potential foreign influence operations.”
The cybersecurity guidance came ahead of Russia’s invasion. It’s intended to raise awareness among critical infrastructure owners and operators of the risks of concentrated digital operations. The document outlines steps organizations can take to mitigate the effects of cyberattacks, such as ensuring swift coordination in information sharing and communicating accurate and trusted information to increase resilience. Critical infrastructure includes bridges and tunnels, energy and drinking water plants and disaster response.
In a separate, joint advisory, CISA, the FBI and the National Security Agency (NSA) outlined activities and tactics used by Russian state-sponsored cyber actors. Those include brute force techniques; spearphishing emails with malicious links; using harvested credentials to gain access; and maintaining persistent access, “in multiple instances for at least six months, which is likely because the threat actors relied on possession of legitimate credentials enabling them to pivot to other accounts.”
Over the last several years, “Russian state-sponsored cyber actors have been persistent in targeting U.S. cleared defense contractors to get at sensitive information. Armed with insights like these, we can better detect and defend important assets together,” said Rob Joyce, director of NSA Cybersecurity. The advisory urges all government organizations to investigate suspicious activity and, with or without evidence of a compromise, to apply mitigations including enforcing multifactor authentication, requiring unique passwords and implementing endpoint detection and response tools, among other steps.
Speaking to press about sweeping sanctions imposed by the United States on Russia in response to the war, Pres. Joe Biden said “It’s going to be a cold day for Russia. You don’t see a lot of people coming to his defense.”
In concert with European and Asian allies, the sanctions represent an unprecedented global move to isolate Russia and inflict financial pain. They cut off Russia’s biggest state-owned banks, target other companies across all economic areas and cut off Russia from accessing technological components crucial to advancement.
Biden recognized the sanctions will impact Americans, who may feel “pain” through increases such as higher gas prices. While the Pentagon ordered an additional 7,000 service members to Europe, Biden said America will not physically engage in the war. Rather, the troops are being deployed to NATO nations.
Given the advancements in cyberattacks over the last decade, Josh Brodbent, RVP of BeyondTrust’s public sector solutions engineering, said it’s important for organizations to be agile.
“The basic tenets of cyberwar have changed,” Brodbent said. “The transition from traditional security models to a modern zero trust cybersecurity model is more important than ever to ensure that we are ready and prepared to handle threats as they arrive.”
To that end, CISA’s guidance highlights that critical infrastructure operators and managers should identify vulnerabilities, educate staff on proper cyber hygiene and, ahead of a cyberattack, implement an incident response plan. That plan should include the following steps:
- Designate an individual to oversee the incident response process and associated crisis communications.
- Establish roles and responsibilities for the response, including responding to media inquiries, issuing public statements, communicating with staff and engaging the stakeholder network.
- Ensure communication systems are set up to handle incoming questions. Phones, social media accounts and centralized inboxes should be monitored by multiple people on a rotating schedule to avoid burnout.
- Identify and train staff on reporting procedures to social media companies, government and/or law enforcement.
- Consider internal coordination channels and processes for identifying incidents, delineating information sharing and response. Foreign actors can combine influence operations with cyber activities, requiring additional coordination to facilitate a whole-of-organization response.