Senior Vice President for Cyber, Space, and National Security Policy, U.S. Chamber of Commerce
March 23, 2022
Earlier this week, President Biden issued a statement on our nation’s cybersecurity, which was followed by remarks with Deputy National Security Advisor (NSA) for Cyber and Emerging Technologies Anne Neuberger on the evolving intelligence that the Russian Government is exploring options for potential cyberattacks. The White House also released a detailed Fact Sheet on measures organizations can implement now to protect against potential cyberattacks.
The U.S. Chamber has closely followed the rapidly changing cyber threat environment for several months. We have hosted several member briefings with cyber and national security experts. We've posted articles on What Business Need to Know about Ukrainian Cyberattacks and 10 Important Ransomware Questions for Businesses.
Over the last several weeks, entities in Eastern Europe (including Ukraine, Belarus, and Russia) have experienced several destructive and disruptive cyberattacks, which, while limited in scope, temporarily impacted public and private entities. It is important to remember that the vast majority of cyberattacks aren't intended to cause physical harm; instead, many are either financial or espionage in nature, and especially concerning Russian threat actors, they are designed to create fear, sow division, and undermine the public confidence in systems of government.
In this conversation with the Chamber's Chris Roberti, senior vice president for cyber, intelligence, and supply chain security policy, we provide important information for the business community.
1. What should organizations know today about the current threat landscape?
As the President and Deputy NSA Neuberger said yesterday, the U.S. government is concerned with evolving intelligence that the Russian Government is planning for cyberattacks on U.S. entities. The White House statement and fact sheet were not released in response to a specific new intrusion, a specific actor, or an action against an entity or sector. The U.S. government is trying to stay ahead of a sophisticated, persistent, and capable adversary planning for potential action against entities in the energy, finance, transportation, or water sectors. However, no sector or business is immune, and every organization needs to take action to protect its networks.
2. What sort of activity do you see on Ukrainian networks, and how is that informing the planning and resilience enhancing measures here in the U.S.?
Since the beginning of this conflict, predating the invasion of Ukraine by the Government of Russia, the U.S. government and leading cybersecurity companies have observed a steady stream of malicious cyber activity. At the same time, we haven't seen widespread destructive or disruptive cyberattacks against Ukrainian entities. From historical activity, we know that malicious Russian cyber actors have targeted critical infrastructure, as was the case with NotPetya in 2015, with significant disruptive and destructive campaigns.
The U.S. government is working with private-sector cybersecurity companies and our international partners to derive intelligence on the relatively low-level malicious cyber activity emanating outside of the U.S. and rapidly turn that into mitigations and products. These insights are creating an early warning capability that can help enhance the resilience of U.S. networks to intrusion attempts by malicious Russian actors.
3. Where should organizations go for the latest cyber threat information, guidance, and mitigation from the government, industry, and international partners?
The authoritative source of information for businesses is the Cybersecurity and Infrastructure Security Agency (CISA)’s Shields Up website. It is a one-stop shop for cross-sector stakeholders. CISA will continuously publish the latest information on risk mitigation guidance from CISA, its interagency partners like the FBI and NSA, and our international allies.
Examples of information available on the Shields Up website include:
- A product on managing risks to satellite communications (SATCOM) for SATCOM providers and end-user customers.
- A product on Russian actors’ attempts to circumvent the default setting for multifactor authentication.
- A list of vulnerabilities that have been historically used by Russian cyber actors on organizations in the U.S. and elsewhere.
- The January 11 joint CISA, FBI, and NSA cyber advisory on Russian Cyber Activity generally.
- Risk mitigation measures for information security professionals, corporate leadership, and individuals.
4. How and when should my organization report information?
Congress recently passed, and the President signed into law, a first-in-the-nation national standard for covered critical infrastructure to report substantial cyber incidents to CISA. Until the final rule is written, but especially during the current period of heightened cyber threats, the Chamber has been encouraging members to lower thresholds to report incidents or anomalous activity.
Our members, especially those with robust cybersecurity maturity, cybersecurity incident response firms or threat intelligence providers, large information technology companies, or managed service providers, will likely see some of the first indications of a leading edge of a malicious Russian cyber intrusion campaign against U.S. entities. The good news is that many of these entities are members of the Joint Cyber Defense Collaborative (JCDC) at CISA, and are sharing, fusing, and analyzing this information in real-time. CISA encourages businesses to lower their cyber reporting thresholds and submit an incident or anomalous activity to Report@cisa.gov.
5. How are Chamber members operationalizing their collaboration with CISA via the JCDC, and what does that mean for public-private partnerships over the long term?
For years, the cybersecurity community has discussed the importance of the public-private partnership model, operational collaboration, and information sharing. You see all of that play out in real-time in the current context. There's no single government entity and private security cybersecurity company that can single-handedly protect U.S. critical infrastructure on its own. In this environment, it takes the full authority, capability, and capacity of a host of domestic and allied government partnerships, cybersecurity companies, and critical infrastructure to meet the threat.
While our partners at CISA and members of the JCDC are today focused on delivering reliable, technical, and actionable information to share with businesses at scale, that's one piece of the puzzle. Future iterations of their work will include developing granular analysis of assets where concentrated systemic risk resides, a drive to maximize the protection of those assets, and the development and exercising of scenarios for cyberattacks on those assets.
We have a long way to go, but the public-private partnership model is the cornerstone upon which the Nation’s cybersecurity and resilience will be built for future generations.