Russia’s invasion of Ukraine and the response by the United States and other Western allies have prompted fears of a massive cyberwar with American businesses as potential targets.
“The Russian-Ukraine conflict could trigger a massive cyberwar, "New Scientist" surmised. An unprecedented cyberwar is likely, Senator Marco Rubio warned,” wrote The Atlantic in February. “Cyberwar sounds bad – and it is.”
The U.S. Cybersecurity & Infrastructure Security Agency says that “every organization – small and large – must be prepared to respond to disruptive cyber incidents.”
Russia Cyber Units: Increased Capabilities
Russia has at least three military units within the GRU, Russia’s military intelligence agency, that are capable of launching cyberattacks, according to research produced for members of the U.S. Congress.
The Congressional Research Service Report said, “Over the past 20 years, Russia has increased its personnel, capabilities, and capacity to undertake a wide range of cyber operations.”
The Biden Administration is concerned that U.S. economic sanctions against Russia over its invasion of Ukraine will trigger cyberattacks against American targets.
“This is a critical moment to accelerate our work to improve domestic cybersecurity and bolster our national resilience. I have previously warned about the potential that Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners. It’s part of Russia’s playbook,” President Joe Biden said in a statement March 21, 2022.
U.S. Government Tells Businesses to Act Now
Small businesses are not exempt from cyberattacks, and the U.S. government is urging businesses of all sizes to act now to prepare for potential Russian cyberattacks.
“If you have not already done so, I urge our private sector partners to harden your cyber defenses immediately by implementing the best practices we have developed together over the last year,” read Biden’s statement. “You have the power, the capacity, and the responsibility to strengthen the cybersecurity and resilience of the critical services and technologies on which Americans rely.”
The federal government has launched public-private action plans to beef up cybersecurity of key infrastructure such as electricity, pipelines, and water services.
On the private front, the Biden Administration says that companies can take the following 8 steps with urgency to protect themselves from potential cyberattacks:
- Mandate the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system.
- Deploy modern security tools on your computers and devices to continuously look for and mitigate threats.
- Check with your cybersecurity professionals to make sure that your systems are patched and protected against all known vulnerabilities and change passwords across your networks so that previously stolen credentials are useless to malicious actors.
- Back up your data and ensure you have offline backups beyond the reach of malicious actors.
- Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack.
- Encrypt your data so it cannot be used if it is stolen.
- Educate your employees to common tactics that attackers will use over email or through websites and encourage them to report if their computers or phones have shown unusual behavior, such as unusual crashes or operating very slowly.
- Engage proactively with your local FBI field office or CISA Regional Office to establish relationships in advance of any cyber incidents. Please encourage your IT and Security leadership to visit the websites of CISA and the FBI where they will find technical information and other useful resources.
Bolstering America’s Cybersecurity Defenses Long-Term
The Biden Administration is also asking technology and software companies to help bolster America’s cybersecurity defenses in the long run by doing the following:
- Build security into your products from the ground up — “bake it in, don’t bolt it on” — to protect both your intellectual property and your customers’ privacy.
- Develop software on a system that is highly secure and accessible only to those working on a particular project. This will make it much harder for an intruder to jump from system to system and compromise a product or steal your intellectual property.
- Use modern tools to check for known and potential vulnerabilities. Developers can fix most software vulnerabilities — if they know about them. There are automated tools that can review code and find most coding errors before software ships, and before a malicious actor takes advantage of them.
- Software developers are responsible for all code used in their products, including open-source code. Most software is built using many different components and libraries, much of which is open source. Make sure developers know the provenance (i.e., origin) of components they are using and have a “software bill of materials” in case one of those components is later found to have a vulnerability so you can rapidly correct it.
- Implement the security practices mandated in the President’s Executive Order, Improving our Nation’s Cybersecurity. Pursuant to that EO, all software the U.S. government purchases is now required to meet security standards in how it is built and deployed. We encourage you to follow those practices more broadly.
Businesses should consider ongoing cybersecurity training for employees as well as onboarding steps that include training for new team members. Let us know how we can help you.