The hard truth behind Biden’s cyber warnings – POLITICO

admin on March 27, 2022 Leave a Comment

Security experts have expressed the most worry about hacks on the energy and finance industries. However, each of the nations crucial sectors is at risk in some way.

We should consider every sector vulnerable, said Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, during a three-hour call this week with around 13,000 participants from multiple industries on the Russian hacking threat. In some ways, we should assume that disruptive cyber activity will occur.

Inevitably, some attack will break through if an adversary like Russia puts enough resources behind it.

If a nation state brings its A-Team, the ability to be 100 percent effective on defense is not always there, said Senate Intelligence Chair Mark Warner (D-Va.), pointing to concerns around the energy and financial sectors. So how do we stay resilient, even if the bad guys get in?

President Joe Biden warned this week that Russian cyberattacks on American companies were coming, citing evolving intelligence that Vladimir Putin was considering using his nations cyber abilities against targets in the United States.

Those warnings came amid a scramble by CISA and other agencies to urge businesses and other potential targets to harden their defenses, along with continued calls from Congress for tougher deterrence against Russian hacking. Attempting to fill that gap, Biden warned Putin during a summit meeting last summer that we will respond if Moscow attacks the United States critical infrastructure.

But critical covers a ton of territory: The Department of Homeland Security has applied that term to 16 sectors of the economy, including dams, transportation, water plants, health care, energy, the financial industry and government. Both criminal and Kremlin-backed Russian hackers have gone after targets in those fields for more than a decade.

The U.S. hammered that message Thursday, when the Justice Department unsealed indictments against three Russian spies it accused of seeking to breach more than 500 energy-related entities, including the U.S. Nuclear Regulatory Commission and a nuclear power plant in Kansas.

The Biden administrations public alarms about the threats cite the risk of retaliation from a desperate Putin, as victory eludes his forces in Ukraine and Western sanctions devastate Russias economy. But the alerts have focused more on some industries than others.

Were really focusing right now on what we call the lifeline sectors, specifically the communications sector, the transportation sector, the energy sector, the water sector, and then of course the financial services sector, Easterly said during the call this week.

These are some of the areas where the United States is vulnerable:

The U.S. has thousands of power plants, hundreds of thousands of miles of electrical transmission lines and millions of miles of pipelines carrying natural gas, oil or fuels like gasoline. Russia has taken notice, said the FBI, which cautioned in a recent alert to industry partners that hackers there had scanned the computer networks of at least five U.S. energy groups.

Russia has shown its ability to turn out the lights in Ukraine, where cyberattacks in 2015 and 2016 temporarily cut off power in parts of the country. A Russian-based criminal hacking group created similar mischief in the U.S. last spring, when a ransomware attack on Colonial Pipeline cut off gasoline deliveries for much of the U.S. East Coast.

Russia has the ability to execute cyber attacks in the United States that generate localized, temporary disruptive effects on critical infrastructure such as disrupting an electrical distribution network for at least a few hours.

U.S. intelligence communitys Worldwide Threat Assessment, 2019

In 2019, the U.S. intelligence community said in an unclassified assessment that Russia has the capability to disrupt electrical distribution centers in the United States for at least a few hours. One of the DOJ indictments unsealed Thursday detailed an unsuccessful effort by Russian hackers to attack a U.S. energy company with a type of malware that would have given them access to certain control systems.

The one to me at the top of the list is energy, said Jim Richberg, a former U.S. national intelligence manager for cyber and current public cybersecurity executive at Fortinet. The reality is if you take away power, none of the other 15 officially designated critical infrastructure are going to work.

Not all parts of the U.S. energy supply face equal oversight of their cybersecurity practices: The electricity sector has long faced mandatory cyber standards, for example, while the oil and gas pipeline industry is sparring with federal regulators over the governments first-ever attempt to impose similar requirements for those companies.

Cybersecurity experts generally consider financial institutions to be ahead of other industries in their defenses against hacking, in part because they are highly regulated. Cyberattacks that significantly harm banks or other financial companies including insurers, stock or commodity exchanges, payments systems or financial market utilities are relatively rare, according to the Financial Services Information Sharing and Analysis Center, a global cyber information clearinghouse for the industry.

But as financial services increasingly shift online, those risks have accelerated. FS-ISAC raised its threat level from guarded to elevated three times in 2021, up from the once-a-year that was typical in the previous five years.

That threat level is once again elevated, but not yet considered high or severe, FS-ISAC chief executive Steven Silberstein said in a statement Thursday.

This means that the financial sector is in a state of heightened cybersecurity awareness and is taking extra steps to strengthen cyber defenses, he said. At this time, the sector is not seeing any significant increase of attack activity directly attributable to any origin.

The Covid-19 pandemic helped shine a light on vulnerabilities in hospitals and other health-care companies.

The sector is an attractive target for hackers given its trove of valuable information, and because the need to remain operating means that hospitals facing a ransomware attack feel the pressure to pay.

Our organizations are continuously being probed and scanned from Russia, China, Iran and North Korea thousands of times a day, literally, whether its a small critical access hospital or the largest systems.

John Riggi, the national adviser for cybersecurity and risk at the American Hospital Association.

Amid a hacking surge, nearly 50 million people in the U.S. saw their sensitive health data breached in 2021, more than triple 2018s total, according to a POLITICO analysis of data from the Department of Health and Human Services. In addition to being overwhelmed with patients during the pandemic, health care organizations often have meager cybersecurity budgets, according to the most recent Healthcare Information and Management Systems Society cybersecurity survey.

Our organizations are continuously being probed and scanned from Russia, China, Iran and North Korea thousands of times a day, literally, whether its a small critical access hospital or the largest systems, John Riggi, the national adviser for cybersecurity and risk at the American Hospital Association, said last month.

A direct attack on U.S. health care organizations which could threaten patients lives would be more likely if more countries get involved in the war in Ukraine, or if sanctions cripple Russia, experts say.

If NATO gets involved, or if somehow the U.S. gets involved, thats going to change the whole dynamic, said Mac McMillan, CEO of the cybersecurity firm CynergisTek. Russia is being careful not to do anything overtly to the United States at the moment.

These essentials are also vulnerable, as shown in an unsuccessful cyberattack last year on a Florida water treatment plant, in which unidentified hackers tried to inject poisonous levels of lye into a citys water supply. Months later came a ransomware attack on JBS Foods, the worlds largest meat processing company, which contributed to a spike in U.S. consumer prices for pork and other meats. The company eventually agreed to pay $11 million to the hackers, whom authorities identified as a Russian criminal hacker gang.

The JBS attack came after years of warnings that food and agriculture companies werent keeping up with proper cybersecurity protocols, even as the industrys day-to-day operations increasingly relied on the internet and automation. Cybersecurity measures have been mostly voluntary across the massive sector, with virtually no federal rules in place. And while other industries that have formed information-sharing collectives to coordinate their responses to potential cyber threats, the food industry disbanded its group in 2008.

Russias ongoing invasion of Ukraine is a stark reminder that we must protect our ag producers from outside threats that could interrupt the United States food security and critical supply chains, said Sen. Steve Daines (R-Mont.). We need to be doing everything we can to proactively support and defend Americas producers which in turn strengthens our national security.

Air, transit, train, ship and even car travel have also shown themselves vulnerable to various forms of hacking, some more plausible than others.

For aviation, the possible targets include airports flight information display boards, vendor payment systems, parking meters or any technology that can connect to public Wi-Fi, according to a recent report from the Institute for Critical Infrastructure Technology. Airlines booking systems or flight manifests are particularly vulnerable, as shown by repeated computer failures that lead to mass flight cancellations, while hackers have also stolen personal passenger data.

As technology makes planes more interconnected, the Government Accountability Office warned in a 2020 report that critical data used by cockpit systems could be altered, and that malevolent hackers could seek to disrupt flight operations with various types of attacks on navigational data.

In 2017, the giant Danish shipping company Maersk was one of many businesses around the globe crippled by a massive cyberattack later blamed on Russia. And as car manufacturers look toward a future of self-driving cars, the lack of federal regulations around the security of autonomous vehicles could become a security hazard.

The most at-risk targets include small businesses and local governments, which often have little funding for cyber defenses and lack the expertise to counter large hacking outfits. A spree of ransomware attacks in 2019 mired the governments of almost two dozen small towns in Texas, while a Small Business Administration survey found that 88 percent of companies believed they were vulnerable to a cyberattack.

We have a major challenge ahead, and that is to help businesses, particularly small businesses, local governments that are small get prepared for this, Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee, said Wednesday.

But a determined adversary can penetrate even large companies and federal agencies. That became apparent after the discovery in late 2020 of a sophisticated cyber-espionage campaign blamed on Russian foreign intelligence, which compromised at least 12 federal agencies and 100 private companies.

If you have 3,000 servers if youre a large organization, its easy to gain access to a low-value server or something thats unpatched, said Jonathan Reiber, a top Pentagon cyber official during the Obama administration and current senior director for cybersecurity strategy and policy at AttackIQ. You cant patch every vulnerability right now, today, its not possible.

You have to assume the adversary is going to break past the perimeterso the first step is to assume breach and plan for known threats, Reiber said.

Kate Davidson, Ben Leonard, Meredith Lee, Tanya Snyder, Oriana Pawlyk and Alex Daugherty contributed to this report.

Continue reading here:
The hard truth behind Biden's cyber warnings - POLITICO

Related Posts
Posted in Internet Security

Comments are closed.