Federal hearing highlights Russian cyberthreat, vulnerabilities to U.S. critical infrastructure
Even before Russia’s unprovoked invasion of neighboring Ukraine, addressing an emerging cyberthreat and bolstering the digital defenses of America’s critical infrastructure was a top priority, brought into the national spotlight in recent years following notable incidents like the Colonial Pipeline ransomware attack.
With all that’s taken place internationally over the last month or so, that focus has heightened.
“Over the past decade, Russia has demonstrated its capability and willingness to deploy cyber (attacks),” said Rep. Ritchie Torres (NY-15), chair of the House Committee on Homeland Security, at a hearing Tuesday with private industry cybersecurity experts titled “Mobilizing our cyber defenses: Securing critical infrastructure against Russian cyber threats.”
Throughout the hearing, lawmakers questioned experts about the vulnerabilities of critical infrastructure and the cyberthreat posed by Russia given the international situation.
To meet the globalized digital threat faced by administrators overseeing critical infrastructure—whether publicly owned, privately operated or investor managed—the Biden Administration, according to Torres, has engaged in “unprecedented intelligence sharing,” alerting agencies to threats as they arise. This endeavor has been led by the Cybersecurity and Infrastructure Security Agency and its Shields Up initiative, which was launched ahead of Russia’s invasion.
Steve Silberstein, CEO of the Financial Services Information Sharing and Analysis Center, applauded the measure as effective, calling it a “paradigm shift from reactive to proactive sharing.”
To that end, the federal agency regularly posts cybersecurity threat assessments through its known exploited vulnerability catalog, along with information to help IT professionals better secure their servers.
“There has never been a more important (time) for our businesses, our state and local governments … to be prepared,” said Rep. John Katko (NY-24), ranking member on the House Committee on Homeland Security. Quoting a previous address from President Joe Biden, he added: “There is, ‘evolving intelligence that the Russian government is exploring options of cyberattacks.’”
To this point, with the rise of cybercriminals-for-hire and ransomware attacks, “The motives have either been financial gain or intelligence gathering—not pure destruction. But what if the goal was pure destruction?” he asked, citing a cyberattack last year on a water treatment plant in Oldsmar, Fla. An unknown hacking group was able to gain access to the plant’s system and poison the water supply by raising the sodium hydroxide levels—known as lye—tenfold.
An operator noticed the rising chemical levels and quickly reversed the action.
“Across the country, cybersecurity professionals are on a high alert, monitoring—preparing for attacks against critical U.S. infrastructure,” said Adam Meyers, senior vice president for intelligence at Crowdstrike. “As Russia began to amass forces on the Ukrainian border, cyberattacks increased in turn,” he continued, noting defacements of Ukrainian websites and wiper attacks. Internationally, the war has perhaps “reshaped the technological landscape.”
Across critical infrastructure sectors, some areas are better prepared for the global cyberthreat than others. The financial sector, for example, is well equipped, given its interface with private organizations. Industrial sectors, on the other hand, “are much more deliberate; their infrastructure moves much more slowly,” said Amit Yoran, CEO of Tenable Inc., a Maryland-based cybersecurity company. And while the sector as a whole has been moving toward digital security recently, “The pace of risk these sectors are facing has really increased in recent years, so I think” they are at huge risk.
He noted this deliberate pacing is intentional “to prevent large outages. … It’s important, when we talk about these efforts, to remember there are such distinct differences between critical infrastructure,” and different approaches make sense for different sectors.
But cybersecurity measures can only be effectively implemented in response to a cyberthreat by someone who understands it in a technical sense. And in this lies the problem, said Yoran. U.S. critical infrastructure is operated through a patchwork of systems, highly connected, “with each operating with various degrees of cybersecurity,” he noted.
Until the Biden Administration’s executive order last year, setting down standardized cybersecurity guidelines and best practices, there was not a collective set of rules that could be rallied around. Instead, organizations implemented different measures as they understood them.
Thus, those organizations that have invested in digital defenses over the past decade are prepared to meet the threat. But for those operating with sometimes two-decade-old technology and, in some cases, without a cybersecurity manager, the intelligence-focused approach that’s been taken as a response to the Russian invasion isn’t as helpful.
“Advisories and alerts are highly technical and may be hard to implement by facilities that don’t have a dedicated cybersecurity (division),” said Kevin M. Morley, Ph.D., manager of federal relations for the American Water Works Association. Because of that, Morley told Homeland Security Committee members it would be best to simplify notifications.
“Most organizations just want two things: What is the vulnerability? What do they have to do to (remedy) it?” he said.