Urgent calls from the Biden administration to strengthen cyber defenses amid the Ukraine crisis and overall heightened threat environment underscore the growing concern over the impact a cyber incident would have on U.S. networks and critical infrastructure.
This year’s $1.5 trillion omnibus spending package includes an unprecedented budget increase for the Cybersecurity and Infrastructure Security Agency, as well as tightened cyber incident reporting requirements for sectors like transportation and energy.
To build cyber resilience in this heightened threat environment, agencies must work closely with both international counterparts and industry to align on a proactive, global approach to all cyber threats –– not just state-sponsored attacks. That means understanding the threat landscape, shoring up critical infrastructure and developing a plan to coordinate well before attacks happen.
Understanding an increasingly turbulent cyber threat landscape
In general, the massive state-sponsored cyberattacks many analysts expected on critical infrastructure in Ukraine and elsewhere have yet to materialize. Still, the conflict has given rise to a complex and shadowy landscape of citizen cyber hacktivists, vigilantes and criminal groups taking advantage of the crisis to steal money and working as potential proxies for state actors.
Chatter within ransomware groups indicates some threat actors are siding with Russia, some with the West and some are simply using the theater of war as a smokescreen to facilitate cybercrime. FortiGuard Labs researchers also identified email phishing scams perpetrated by opportunistic criminals posing as trusted organizations like the United Nations to fraudulently solicit donations and potentially infect devices.
History shows the potential for outsized impact when the tools of cyber conflict inevitably proliferate. In 2017, for example, the NotPetya malware was seeded through the software-update mechanism of an accounting package used in Ukraine, but quickly and predictably spread worldwide, affecting even large and well-prepared firms and causing an estimated $10 billion in damage.
Many analysts believe that despite having some of the surface characteristics of ransomware, NotPetya was intended from the outset to be destructive rather than a tool for criminal profit. And as the conflict in Ukraine continues, threat researchers are encountering increasing amounts of “wiperware”––malicious software designed to disrupt operations or destroy data rather than hold it for ransom.
Shoring up critical infrastructure
Within the United States, new investments in cybersecurity from both the omnibus bill and the Infrastructure Investment and Jobs Act offer a unique opportunity to help mitigate the risk of both state-sponsored and criminal cyberattacks on critical infrastructure.
Recent CISA guidance emphasizes the vital importance of including cybersecurity in the design of new infrastructure projects, regardless of the sector or the size of the organization. This is where national cybersecurity becomes a state and local issue as well. This summer, CISA is expected to issue guidelines to help mayors and governors use the law’s $1 billion cyber grant program dedicated to building cyber maturity at the state and local level. However, if we spent only $1 billion on cybersecurity out of a $1.2 trillion total, we would be woefully underinvesting in cybersecurity and resilience.
For those state and local governments, it is far better to build cyber requirements into the infrastructure upgrades now, as they are being planned and implemented, than to chase down vulnerabilities after they are already being exploited.
Coordinating across borders and sectors
In addition to fortifying our defenses domestically, slowing the success of malicious cyber actors will require robust cooperation beyond our borders, as well as collaboration with the private sector.
That means more information sharing before, during and after attacks. President Biden’s 2021 cyber executive order went so far as to direct that federal contracts be revised to remove barriers preventing IT service providers from sharing threat information with the government, and to require those providers to report certain cyber incidents. And the recently enacted Cyber Incident Reporting for Critical Infrastructure Act requires covered critical infrastructure entities to report significant cyber incidents to CISA within 72 hours and ransomware payments within 24 hours, once CISA’s implementing regulations take effect.
Internationally, governments and the private sector should be aligning cyber defense and mitigation playbooks among NATO allies—a critical first step to mitigate the risk of burgeoning threats. Beyond that, multilateral organizations such as the World Economic Forum Centre for Cybersecurity could convene global public-private partnerships to encourage information-sharing and the development of cyber norms.
This is just a taste of what we’ll need to do in the coming months and years, but it’s a good start.
Delivering more effective cybersecurity to protect our nation’s networks is a complex challenge, one that governments and industry will have to confront by working together effectively. Progress is necessary, and it will take a concerted effort among allies. No single government, organization or cybersecurity vendor can take this on alone.
Jim Richberg is public sector field CISO at Fortinet. He formerly served as the national intelligence manager for cyber in the Office of the Director of National Intelligence, where he set national cyber intelligence priorities.