You know those emails from IT about the cybersecurity training you still haven’t completed? It might be time you started taking those more seriously.
President Joe Biden issued a warning to the American private sector on Monday: Get your digital defenses in order because a Russian cyberattack may be coming. The White House said it has “evolving intelligence” of a cyber reprisal to Western sanctions. It briefed more than 100 companies critical to national infrastructure on the threat last week.
Remember how experts warned us for decades that the U.S. was not prepared for a pandemic? Then COVID-19 hit and … it turned out we were not prepared for a pandemic.
“Same is true for cyber,” said Tatyana Bolton, who researches cybersecurity at the R Street Institute. “Experts have been saying this for years and we’ve got good ideas out there. We just haven’t been able to implement them.”
While big energy and financial firms are better defended than they used to be, Bolton said other critical industries are still vulnerable: “Dams, critical manufacturing, the communications sector, emergency services.”
She said that Russia could take revenge on specific Western companies like Elon Musk’s SpaceX, which is providing satellite-based internet to Ukraine. Although if Putin’s playbook is any indication, the target may be less targeted.
“You could also imagine a strategy that’s: ‘Let’s just take out all these computers running Microsoft Windows,’” said Josephine Wolff, who teaches cybersecurity at Tufts University.
We saw something sort of like that in 2017 when Russia — or, at least, very likely Russia — launched an attack through a widely used Ukrainian accounting program. Malware rippled across global industries, from the drug firm Merck to the law firm DLA Piper.
Russian cyberattacks will likely be geared toward destroying company data, but sanctions may make hacking for income more attractive, Wolff said. “If there was actually serious financial strain on the Russian government, you could imagine something that did hew to the traditional ransomware model where you’re demanding money.”
It all sounds pretty scary. But Bruce Schneier at the Harvard Kennedy School said he’s not any more terrified than he usually is.
Colonial Pipeline, the Sony hack, SolarWinds — cyber warfare is already here. And unless the U.S. steps up its cyber regulation, it’s a lopsided war for the private sector.
“The government of Russia against pretty much any company in the U.S., it’s not a fair fight,” Schneier said.
Oh, and one last thing to worry you: That SolarWinds hack from 2020, which had ties to Russia? It’s possible many companies are still hacked … they just don’t know it yet.