Welcome to The Cybersecurity 202! D.C. is waking up to rain today. Hope you stay dry.
The message was this: Don’t relax just yet. Far worse could be yet to come if Russian President Vladimir Putin switches tactics or decides to retaliate against the West.
“Cyber is a capability that Russian security forces have used in the past and as the decision calculus changes, that may change what’s in play,” former Cybersecurity and Infrastructure Security Agency director Chris Krebs told me.
Concerns right now about damaging Russian hacks hitting the United States are about as high as they’ve ever been — even though they’ve ebbed somewhat since hacking did not play a major role in the first days of the Ukraine invasion.
Krebs led the briefing, which was closed to the press, with former Facebook chief security officer Alex Stamos. I spoke with Krebs after the briefing and with Rep. Eric Swalwell (D-Calif.) who organized it. Swalwell planned the briefing for Democratic lawmakers and staffers, but one Republican member asked to join, he told me.
Krebs described the Russian cyberthreat as especially elevated now because Putin has already demonstrated he’s willing to cross Western red lines by invading Ukraine.
Putin could launch destructive hacks at critical infrastructure or unleash Russia-based cybercriminals to conduct ransomware attacks on U.S. targets, he warned.
“This is a much different game, a much different situation than we were in even two years ago talking about the 2020 election,” Krebs said. “The stakes are different. The consequences are different. And the outcomes are probably not great for anybody.”
Swalwell said he’s especially concerned that Putin might retaliate against Western sanctions by interfering in the midterm elections.
“We know they have the [cyber] capability and have demonstrated it in the past,” he said. “What we have not seen is Putin as the wounded bear, and that’s the real concern for the upcoming midterm elections. This may motivate him to act out in destructive ways against election infrastructure. That’s a big concern for me.”
U.S. intelligence agencies determined that Putin directed an interference operation in 2016 that included compromising voter rolls in at least two states, but there’s no evidence those efforts changed any votes.
Another big concern for Krebs: Potential hacking victims might lower their guards because major Russian hacks haven’t materialized yet.
“We have been talking with some alarm for weeks, if not months, about the potential Russian threat and fatigue is real and the desensitization to ongoing activities that are happening elsewhere is real,” he said. Krebs said he pressed lawmakers to urge their constituents to make all the advance preparations they can for attacks, including consulting checklists and resources offered by CISA.
Something lawmakers can do now: He also pressed for the House to pass a bill mandating that critical infrastructure firms alert CISA when they’re hacked. The bill, which has already passed the Senate, would make it far easier for CISA to track Russian hacking activity and share real-time information with potential victims about how to protect themselves, he said.
Versions of that measure are included in mammoth government funding bills released this morning, making its passage highly likely.
Warning from top officials: The briefing came the same day that top government intelligence officials hammered on Russian cyberthreats during a hearing before the House Intelligence Committee.
One big concern: National Security Agency Director Gen. Paul Nakasone and FBI Director Chris Wray both warned about the danger of Russia unleashing malicious software in Ukraine that leaks out and causes damage elsewhere. This is effectively what happened with the 2017 NotPetya malware, which caused extensive damage in numerous nations.
“The reality is they’ve shown a history of not being able to kind of manage the effects of [malicious software] as well as they intend, even if you give them the benefit of the doubt, which I tend not to,” Wray said of Kremlin hackers.
The United States has paid close attention to “three or four” Russian cyberattacks in Ukraine during the invasion so far, Nakasone said.
Here’s more from the Record’s Martin Matishak.
China is still the top U.S. cyberthreat, DNI’s Haines says
China poses the “broadest, most active, and persistent cyberespionage threat” to U.S. networks, Director of National Intelligence Avril Haines’s office said in its annual threat assessment. The country is “almost certainly” able to launch cyberattacks that would hit critical infrastructure networks, the report said.
The report also included a harrowing assessment of Russian cyberthreats. Haines discussed the threats with other top intelligence officials during a House Intelligence Committee hearing.
Also, according to the report:
- North Korea “probably possesses the expertise” to cause “temporary, limited” disruptions to U.S. critical infrastructure networks.
- Iran is “more willing than before to target countries with stronger capabilities” in cyberspace.
More from the hearing:
- Spyware questions: Lawmakers in both parties pressed Wray on the FBI’s purchase of NSO Group spyware that could target U.S. phone numbers. The FBI has acknowledged testing the controversial spyware but never used it in investigations, officials have previously said. Wray described the purchase as the FBI doing due diligence, saying the bureau routinely tests technology “that, if in the wrong hands, can be used against our agents.” He added that “from a counterintelligence security perspective, we need to know what tools are out there that the bad guys can use against our people.”
- Dual hat: The U.S. government continues to “operate toward” splitting the leadership of the NSA and U.S. Cyber Command, Nakasone said. He currently leads both organizations and defended his management, arguing that he has been able to effectively respond to recent threats like election interference, ransomware and Russia’s invasion of Ukraine partly because of the dual hat arrangement.
- Inconsistent messaging on incident reporting bills: Wray continued to push for changes to the cyber incident reporting bill that would loop the FBI in on reports. Haines appeared more supportive of the bill as it stands, though she noted that “there is additional reporting that might be done more generally.”
A second major U.S. Internet carrier pulled out of Russia
Lumen’s departure from the country comes days after a similar announcement by Cogent Communications, Craig Timberg, Ellen Nakashima and Joseph Menn report. It will likely increase Russia’s digital isolation and make it harder for Russians to access international websites and services.
- “We decided to disconnect the network due to increased security risk inside Russia,” Lumen said. “We have not yet experienced network disruptions, but given the increasingly uncertain environment and the heightened risk of state action, we took this move to ensure the security of our and our customers’ networks, as well as the ongoing integrity of the global Internet.”
Lumen played down its footprint in Russia, saying that the services it provides are “extremely small and very limited.” But analysts said it’s one of Russia’s top sources of international data, with Lumen clients including state-owned telecom companies Rostelecom and TransTelekom.
Amazon, the world’s largest cloud-computing business, also moved to limit its cloud services in Russia. The company will “stop accepting new Amazon Web Services customers in Russia and Belarus, which has provided Russian military forces staging areas for attacking Ukraine,” Craig, Ellen and Joseph write. The company said it doesn’t work for the Russian government and doesn’t have any data centers in the country. (Amazon founder Jeff Bezos owns The Washington Post.)
The price tag for protecting election machines from insider threats: more than $300 million
The estimate comes from a report by New York University's Brennan Center for Justice. The actual cost of the security upgrades to protect against insiders could be much higher once the costs for larger jurisdictions are accounted for, the center said.
The risk of sabotage by election officials has become a clear and present election threat recently. Most prominently, Mesa County Clerk Tina Peters allegedly sneaked in an outsider who leaked election machine data online and to conspiracy theory groups.
The Brennan Center’s analysis detailed four major security moves jurisdictions should make:
- $197 million to track key equipment and materials
- $75 million for systems to limit access to sensitive equipment
- $27 million for surveillance systems with multiple cameras
- $17 million to add secure accounts to access election systems and other security features
Such funding could be hard to come by. Election administrators have long asked for more money, to no avail. And as election administration becomes increasingly partisan, it could be even more difficult to convince some lawmakers that the funding is necessary.
Mandiant employees reacted online to Google’s $5.4 billion acquisition of the cybersecurity giant. Among the reactions:
- “hard to buy when you also have to pay rent” (Gabby Roncone, @gabby_roncone, March 8, 2022)
- “Goondiant” (Christie níDonnell, @CompleatProduct, March 8, 2022)
Securing the ballot
- The German Marshall Fund of the United States hosts an event on disinformation in the wake of Russia’s war in Ukraine today at 10 a.m.
- The Center for Strategic and International Studies hosts an event on the cybersecurity implications of data localization requirements today at 10 a.m.
- The Senate Intelligence Committee holds its worldwide threats hearing on Thursday at 10 a.m.
- U.S. Cyber Command holds its annual legal conference on Thursday at 10 a.m.
- CISA Executive Assistant Director Eric Goldstein speaks at a Billington Cybersecurity event on Thursday at noon.
Secure log off
Thanks for reading. See you tomorrow.