Biden’s Russia cyber warning befuddles ill-prepared businesses
Bloomberg March 24, 2022
A day after U.S. President Joe Biden issued a stark warning that a Russian cyberattack “is coming,” members of his administration hosted a three-hour call with about 13,000 people representing businesses, public agencies and other organizations to discuss the potential threat.
The conversation highlighted the struggle the Biden administration faces in safeguarding the country against a possible wave of state-sponsored hacking. U.S. officials appealed for callers to lower the bar for reporting cyber threats, even down to anomalous phishing attempts. But many businesses betrayed confusion about basic cybersecurity tools and incident reporting procedures, a recording of the call shows. Other representatives said they wanted the administration to share more information.
Most U.S. critical infrastructure -- such things as telecommunications, energy and food production -- is in private hands, and operating companies aren’t yet compelled to share such information with the government; cybersecurity regulations tend to be patchy or nonexistent.
Participants on the call included representatives from big firms such as Barclays and Yahoo, as well as smaller and mid-sized entities such as the Missoula Rural Fire District and UMass Memorial Health. Several of the smaller participants indicated they only had limited finances and personnel to manage their own cybersecurity.
Joe Ford, IT manager at the Missoula Rural Fire District, said the call was hastily arranged by the Cybersecurity and Infrastructure Security Agency, known as CISA, the night before. He said he joined the call because he was worried Russian hacking activity could potentially target the communication networks of emergency services in his district. “We get phishing attacks all the time,” he said.
Another attendee, who asked to remain anonymous, said the government’s gesture was well intentioned but the information exchange was worryingly basic. One business official for a major financial services firm, who also requested anonymity, said he was frustrated at the lack of “actionable” information shared in public briefings earlier this week on the nature of the new threats.
“We are hunting ghosts, which means we are on high alert but not really seeing anything,” the official told Bloomberg.
Two people who attended cybersecurity briefings devoted to the energy sector last week, held at government offices including the FBI’s, said no new targets were identified and very little actionable intelligence was offered. But both attendees praised the outreach and said weeks of back-and-forth has been helpful.
Saloni Sharma, a spokesperson at the National Security Council, said the administration “has engaged in unprecedented outreach to the private sector - both privately and publicly with specific classified information and the measures they can take now to shore up defenses.”
Federal agencies convened more than 200 companies in classified settings last week to share new cybersecurity threat information, she added. She said they weren’t in a position to speak to the specifics of that intelligence, partly because they didn’t want “to put a target on any specific sector’s back” as well as for other unspecified national security reasons.
Biden on Monday warned about new indications of possible Russian cyberattacks in retaliation for bruising sanctions imposed by the U.S. over the invasion of Ukraine. The president cited “evolving intelligence that the Russian government is exploring options for potential cyberattacks.”
In terms of what prompted the warning, Biden hinted at one potential reason, that cyberattacks may become a more attractive option if Russia’s attack on Ukraine continues to stumble and as severe sanctions bite. “The more Putin’s back is against the wall, the greater the severity of the tactics he may employ.”
“One of the tools he’s most likely to use in my view, in our view, is cyberattacks,” Biden told a business roundtable on Monday. Biden said it was the private sector’s “patriotic obligation” to build up cyber defenses.
In addition, the FBI sent a bulletin on March 18 to the U.S. energy sector revealing “network scanning activity” stemming from multiple Russia-based IP addresses, CBS News reported. The activity is believed to be associated with hackers “who have previously conducted destructive cyber activity against foreign critical infrastructure,” according to the report.
On the same day of the advisory, 11 Republican senators, along with two Democratic senators, sent a letter to Secretary of Defense Lloyd Austin and Secretary of Homeland Security Alejandro Mayorkas citing concerns that Russia would lash out and describing U.S. cyber defenses as “wanting.” The senators asked for a list of recent significant malicious cyber activities conducted by Russia or suspected proxies. They have yet to receive a response, according to an aide to Sen. John Kennedy, Republican from Louisiana, who led the letter.
On the call Tuesday evening, Jen Easterly, CISA’s director, said, “We think this preparatory activity is not about espionage. It’s probably very likely about disruptive or destructive activity, so we are very concerned to make sure we can get ahead of the threat environment.” CISA said in a news release that the call built on a series of briefings the agency had been convening since late 2021 with U.S. government and private-sector organizations.
Easterly told the attendees that they represented “lifeline sectors” for the U.S. economy, specifying communications, transportation, energy, water and financial services sectors. She urged companies to update their cyber defenses and, for cash-strapped entities, to take advantage of CISA’s free services and tools.
Mark Montgomery, formerly executive director of the Cyber Solarium Commission, a congressionally mandated body that recommended the U.S. beef up cyber defenses, told Bloomberg that there had been improvements in U.S. cyber defense in recent months, a view shared by some other cybersecurity experts.
But he said the government needs to vastly improve the way it shares warnings with the private sector.
“You can’t just buy cyber resilience in two or three or four weeks because you hear the Russians might target our critical infrastructure,” he said. U.S. businesses “need to move at the speed of data and not at the speed of press conferences and presidential memos,” he said.
Critical services in the U.S. are particularly vulnerable to attack because much of its firmware -- the code embedded in a device’s hardware -- lags eight to 10 years behind most general-purpose computer networks, according to Ang Cui, chief executive officer at Red Balloon Security.
Oren Falkowitz, a former NSA analyst who has also worked at U.S. Cyber Command, said the types of cyberattacks that people most worry about, such as taking down the electric grid, interfering with elections or disrupting the financial sector, don’t happen overnight.
“They take years of planning and preparation. They’re either already underway - in which case the warning is a little too late - or they likely won’t have the impact they want,” he said.
Bloomberg’s Jennifer A. Dlouhy and Jordan Robertson contributed to this report.