Biden’s Russia Cyber Warning Confuses Ill-Prepared Businesses

A day after US President Joe Biden issued a stark warning that a Russian cyberattack "is coming," members of his administration convened a three-hour conference call with approximately 13,000 people representing businesses, government agencies, and other organizations to discuss the potential threat.

Source: Bloomberg | Published on March 24, 2022

The discussion highlighted the difficulties the Biden administration faces in protecting the country from a potential wave of state-sponsored hacking.

Officials in the United States urged callers to lower the bar for reporting cyber threats, even if it meant reporting unusual phishing attempts. However, a recording of the call shows that many businesses were confused about basic cybersecurity tools and incident reporting procedures. Other lawmakers expressed a desire for the administration to share more information.

The majority of critical infrastructure in the United States is in private hands, including telecommunications, energy, and food production, and operating companies aren't yet required to share such information with the government; cybersecurity regulations are patchy or nonexistent.

Representatives from large corporations such as Barclays Plc and Yahoo, as well as smaller and mid-sized organizations such as the Missoula Rural Fire District and UMass Memorial Health, took part in the call. Several of the smaller participants stated that they lacked the necessary funds and personnel to manage their own cybersecurity.

The call, according to Joe Ford, IT manager at the Missoula Rural Fire District, was hastily arranged the night before by the Cybersecurity and Infrastructure Security Agency, or CISA. He stated that he joined the call because he was concerned that Russian hacking activity might target the communication networks of emergency services in his district. "We are constantly subjected to phishing attacks," he explained.

Another attendee, who requested anonymity, stated that while the government's gesture was well-intended, the information exchange was woefully basic. One business official for a major financial services firm, who also requested anonymity, expressed dissatisfaction with the lack of "actionable" information shared in public briefings earlier this week about the nature of the new threats.

"We're looking for ghosts, which means we're on high alert but not seeing much," the official told Bloomberg.

Two people who attended cybersecurity briefings on the energy sector held at government offices including the FBI last week said no new targets were identified and very little actionable intelligence was provided. However, both attendees praised the outreach and stated that the weeks of back-and-forth had been beneficial.

Saloni Sharma, a National Security Council spokesperson, stated that the administration "has engaged in unprecedented outreach to the private sector – both privately and publicly – with specific classified information and the measures they can take now to shore up defenses."

She added that last week, federal agencies convened more than 200 companies in classified settings to share new cybersecurity threat information. She said they couldn't discuss the specifics of the intelligence because they didn't want to "put a target on any specific sector's back," among other unspecified national security reasons.

Biden warned on Monday of new signs of possible Russian cyberattacks in retaliation for harsh sanctions imposed by the US over the invasion of Ukraine. According to the president, "evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks."

In terms of what prompted the warning, Biden hinted at one possible reason, namely that if Russia's attack on Ukraine continues to falter and severe sanctions bite, cyberattacks may become a more appealing option. "The more Putin's back is to the wall, the more severe the tactics he may employ."

"In my opinion, and in our opinion, one of the tools he's most likely to use is cyberattacks," Biden said at a business roundtable on Monday. Biden stated that it is the private sector's "patriotic obligation" to strengthen cyber defenses.

Furthermore, the FBI sent a bulletin to the US energy sector on March 18 revealing "network scanning activity" stemming from multiple Russia-based IP addresses, according to CBS News. According to the report, the activity is linked to hackers "who have previously conducted destructive cyber activity against foreign critical infrastructure."

On the same day as the advisory, 11 Republican senators and two Democratic senators wrote to Secretary of Defense Lloyd Austin and Secretary of Homeland Security Alejandro Mayorkas, expressing concern that Russia would retaliate and describing US cyber defenses as "wanting." Senators requested a list of recent significant malicious cyber activities carried out by Russia or suspected proxies. According to an aide to Senator John Kennedy, Republican of Louisiana, who led the letter, they have yet to receive a response.

Jen Easterly, CISA's director, stated on the call Tuesday evening, "We believe this preparatory activity is not about espionage. It's very likely to be about disruptive or destructive activity, so we're very concerned about staying ahead of the threat environment." CISA stated in a news release that the call was based on a series of briefings held by the agency with US government and private-sector organizations since late 2021.

Easterly told the attendees that they represented the "lifeline sectors" of the American economy, naming communications, transportation, energy, water, and financial services. She urged businesses to update their cyber defenses and, for those who are short on cash, to take advantage of CISA's free services and tools.

Mark Montgomery, the former executive director of the Cyber Solarium Commission, a congressionally mandated body that recommended the United States beef up its cyber defenses, told Bloomberg that there had been improvements in U.S. cyber defense in recent months, a view shared by some other cybersecurity experts.

He did, however, say that the government needs to vastly improve how it shares warnings with the private sector.

“You can’t just buy cyber resilience in two or three or four weeks because you hear the Russians might target our critical infrastructure,” he said. U.S. businesses “need to move at the speed of data and not at the speed of press conferences and presidential memos,” he said.

According to Ang Cui, chief executive officer at Red Balloon Security, critical services in the United States are particularly vulnerable to attack because much of their firmware — the code embedded in a device's hardware — is eight to ten years behind most general-purpose computer networks.

According to Oren Falkowitz, a former NSA analyst who has also worked at US Cyber Command, the types of cyberattacks that people are most concerned about, such as shutting down the electric grid, interfering with elections, or disrupting the financial sector, do not occur overnight.

"They take years of planning and preparation. They're either already underway – in which case the warning is a little too late – or they likely won't have the impact they want," he said.