President Joe Biden said that the U.S. is prepared to “respond” if Russia reacts to economic sanctions by launching cyberattacks against their private industry and infrastructure.
In a speech Thursday announcing a new round of financial sanctions on the Russian government and economy, Biden expressed confidence that increased coordination between U.S. agencies, the private sector and critical infrastructure entities over the past year will leave the country well positioned to absorb those blows.
“If Russia pursues cyberattacks against our companies or critical infrastructure, we are prepared to respond,” Biden said. “For months we’ve been working closely with the private sector to harden our cyber defenses, and sharpen our ability to respond to Russian cyberattacks, as well.”
Biden’s full comments appear to reference the defensive resilience of the U.S., but they also came less than an hour after the White House publicly pushed back on an NBC News report claiming that Biden had been “presented” with a menu of options to conduct cyberattacks to disrupt Russian military operations in Ukraine.
The NBC News report, which cites four anonymous U.S. and Western officials, claims such operations would be undertaken irrespective of whether Russia itself decides to launch cyberattacks on U.S. infrastructure. The options range from “disrupting internet connectivity across Russia, shutting off electric power, and tampering with railroad switches to hamper Russia’s ability to re-supply its forces.” The story characterizes these options as being “presented” to Biden, but does not describe how seriously the White House may be considering them and noted that no decisions have been made.
Cybersecurity experts have long warned that the U.S., with its open society, open internet and reliance on mostly privately owned critical infrastructure, would stand to lose the most in an open cyber war with countries like Russia or China. National Security Council spokesperson Emily Horne quickly disputed the accuracy of the story in unequivocal terms.
“This report is wildly off base and does not reflect what is actually being discussed in any shape or form," Horne said in a statement released to the media.
While analysts and observers have for months laid out a logical chain of steps that start with a Russian invasion of Ukraine followed by U.S. sanctions and then cyber war between the two superpowers, the actual on-the-ground evidence of impending cyber war between the U.S. and Russia has thus far been muted.
Samples of a malicious wiper malware attack primarily targeting Ukrainian organizations — the second of its kind in the past month — was also found on computers in Latvia and Lithuania, prompting fears from experts who have long warned of potential spillover from the conflict in the cyber domain. The attacks thus far have not been formally attributed and it’s not clear whether the machines outside of Ukraine were intentionally targeted, unintended collateral damage or part of a Ukrainian organization’s larger IT footprint.
US organizations respond to Ukrainian invasion
Federal agencies like the Cybersecurity and Infrastructure Security Agency have warned the public to be on guard for the possibility of Russian-directed cyberattacks, but have consistently prefaced those warnings with an acknowledgement that these threats are, for now, hypothetical and not based on new intelligence of impending attacks.
Private threat intelligence organizations have also pledged to provide cybersecurity services — often free of charge — to Ukrainian and Western organizations if such attacks do occur.
Christopher Ahlberg, CEO of Recorded Future, sent a statement saying that his company is “not neutral” and will be deploying resources to help Ukrainians in the wake of the invasion.
“Our response to Russia’s invasion of Ukraine over the past 24 hours is that we stand with Ukraine…and will apply our full resources, capabilities, and intelligence to support them in their fight against Russia,” Ahlberg said.
Robert M. Lee, CEO of industrial control system cybersecurity firm Dragos, said he was willing to offer smaller critical infrastructure entities in the U.S., U.K. and Australia free incident response and managed services, as well as access to Dragos threat intelligence platform, to help bolster their defenses.
“This is due to the ongoing tension and concerns in Ukraine. We will do what we can and help as many as we can and take folks on a first come first serve basis. Right now we can immediately onboard 20-30,” said Lee, clarifying that he was offering it to these countries “because that’s where we’re able to immediately impact based on our resources/teams and where folks are located.”
Krebs Stamos Group, a cybersecurity consulting firm started by former CISA Director Chris Krebs and former Facebook and Yahoo CISO Alex Stamos, opened up some its client advisories to the broader public, offering security advice in response to the situation in the short term (like implementing “crash” deployment of multifactor authentication and reviewing network and DNS logs for outbound connections) and long-term (loosening budget and authority constraints for CISOs, scrutinizing vendor ties and relationships).
GreyNoise CEO Andrew Morris said his company was automatically upgrading Ukrainian accounts to VIP status and releasing a “free, public, unauthenticated, self-updating feed of all IPs that are exclusively targeting devices geographically located in Ukraine's IP space with scans, exploits” and other potentially malicious activities.
“I understand that cyber products are the last thing on Ukrainian's minds at the moment. This is simply what we have to offer, Morris said.