It’s an unnerving question that has information security and third-party risk management (TPRM) professionals knocking on wood. There are several viable answers to the question, the most important of which may be that there are better, more practical questions risk teams should be asking right now. These include: What guidance on war-related cybersecurity risks and actions are oversight groups issuing? And how are rules-makers responding to these risks?
Before addressing these types of questions, risk practitioners should recognize that Russia’s unprovoked invasion of Ukraine has intensified cybersecurity risks.
“Whether it’s to disrupt a company or industry to make a political point or to attack a company expecting a payday, all organizations – regardless of size — need to man their cyber battle stations,” asserts Shared Assessments Vice President Tom Garrubba. “It’s a sure bet that threat actors – whether for, against or neutral on the Russian invasion – see this as an opportunity to capitalize on the chaos and will seek out targets to attack.”
Shared Assessments Senior Advisor Nasser Fattah agrees, noting that organizations “should be on high alert on cyberattacks that are designed to be disruptive, if not destructive…and this includes U.S. critical infrastructure organizations and their dependencies on suppliers.”
Fattah’s point explains why the Cybersecurity & Infrastructure Security Agency (CISA) closely monitors evolving war-related cybersecurity risks. CISA launched a new site devoted to detailing malicious cyber activity affecting Ukraine while continuing to update its Shields Up site, which features guidance for organizational leaders and risk professionals. As Shared Assessments’ Charlie Miller has discussed, CISA also issued a warning in mid-February on foreign influence operations that leverage misinformation, disinformation, and malinformation (MDM).
More recently, CISA and the FBI issued a joint advisory on WhisperGate, HermeticWiper, and other malware targeting organizations in Ukraine. The advisory featured a set of immediate actions risk teams should consider taking to fortify cybersecurity, including:
Federal legislators are also responding. The $1.5 trillion spending package that President Biden signed March 15 contains cybersecurity legislation that will soon require critical infrastructure organizations to quickly report data breaches.
The new law mandates that companies report cyberattacks to the U.S. Department of Homeland Security within 72 hours of detecting the incident – and within 24 hours if they make a ransomware payment related to the attack. CISA Director Jen Easterly called the new legislation a “game-changer,” and she told Bloomberg that the new requirements will equip CISA with “the data and visibility we need to help better protect critical infrastructure and businesses across the country from the devastating effects of cyberattacks.”
The rules of the game have yet to be finalized, however: soon-to-follow regulations will lay out which critical infrastructure companies must comply.
Bloomberg also notes that the new legislation was signed as “U.S. companies, particularly in the financial sector, are bracing for potential blowback in cyberspace stemming from Russia’s invasion of Ukraine, and the sanctions levied on Moscow as punishment.” While risk teams may continue to knock wood on that count, they and their organizations are better served by taking more practical steps, including monitoring new cybersecurity laws and advisories while recognizing that war-related cyberattacks are likely a long-term risk.
“Although we currently have not seen as many major cyberattacks between Russia and Ukraine,” Fattah adds, “we need to remain on high alert because cyberattacks are an expected arsenal capability.”