Biden's Russia cyber warning befuddles ill-prepared businesses

United States officials appealed for callers to lower the bar for reporting cyber threats. PHOTO: AFP

NEW YORK (BLOOMBERG) - A day after US President Joe Biden issued a stark warning that a Russian cyberattack "is coming", members of his administration hosted a three-hour call with about 13,000 people representing businesses, public agencies and other organisations to discuss the potential threat.

The conversation highlighted the struggle the Biden administration faces in safeguarding the country against a possible wave of state-sponsored hacking.

United States officials appealed for callers to lower the bar for reporting cyber threats, even down to anomalous phishing attempts.

But many businesses betrayed confusion about basic cybersecurity tools and incident reporting procedures, a recording of the call shows.

Other representatives said they wanted the administration to share more information.

Most US critical infrastructure - such things as telecommunications, energy and food production - is in private hands, and operating companies aren't yet compelled to share such information with the government; cybersecurity regulations tend to be patchy or nonexistent.

Participants on the call included representatives from big firms such as Barclays Plc and Yahoo, as well as smaller and mid-sized entities such as the Missoula Rural Fire District and UMass Memorial Health.

Several of the smaller participants indicated they only had limited finances and personnel to manage their own cybersecurity.

Joe Ford, IT manager at the Missoula Rural Fire District, said the call was hastily arranged by the Cybersecurity and Infrastructure Security Agency, known as CISA, the night before.

He said he joined the call because he was worried Russian hacking activity could potentially target the communication networks of emergency services in his district.

"We get phishing attacks all the time," he said.

Another attendee, who asked to remain anonymous, said the government's gesture was well intentioned but the information exchange was worryingly basic.

One business official for a major financial services firm, who also requested anonymity, said he was frustrated at the lack of "actionable" information shared in public briefings earlier this week on the nature of the new threats.

"We are hunting ghosts, which means we are on high alert but not really seeing anything," the official told Bloomberg.

Two people who attended cybersecurity briefings devoted to the energy sector last week, held at government offices including the FBI's, said no new targets were identified and very little actionable intelligence was offered.

But both attendees praised the outreach and said weeks of back-and-forth has been helpful.

Saloni Sharma, a spokesperson at the National Security Council, said the administration "has engaged in unprecedented outreach to the private sector - both privately and publicly with specific classified information and the measures they can take now to shore up defences."

Federal agencies convened more than 200 companies in classified settings last week to share new cybersecurity threat information, she added.

She said they weren't in a position to speak to the specifics of that intelligence, partly because they didn't want "to put a target on any specific sector's back" as well as for other unspecified national security reasons.

Biden on Monday (March 21) warned about new indications of possible Russian cyberattacks in retaliation for bruising sanctions imposed by the US over the invasion of Ukraine.

The president cited "evolving intelligence that the Russian government is exploring options for potential cyberattacks."

In terms of what prompted the warning, Biden hinted at one potential reason, that cyberattacks may become a more attractive option if Russia's attack on Ukraine continues to stumble and as severe sanctions bite.

"The more Putin's back is against the wall, the greater the severity of the tactics he may employ."

"One of the tools he's most likely to use in my view, in our view, is cyberattacks," Biden told a business roundtable on Monday.

Hacker activity

Biden said it was the private sector's "patriotic obligation" to build up cyber defenses.

In addition, the FBI sent a bulletin on March 18 to the US energy sector revealing "network scanning activity" stemming from multiple Russia-based IP addressed, CBS News reported.

The activity is believed to be associated with hackers "who have previously conducted destructive cyber activity against foreign critical infrastructure," according to the report.

On the same day of the advisory, 11 Republican senators, along with two Democratic senators, sent a letter to Secretary of Defence Lloyd Austin and Secretary of Homeland Security Alejandro Mayorkas citing concerns that Russia would lash out and describing US cyber defences as "wanting."

The senators asked for a list of recent significant malicious cyber activities conducted by Russia or suspected proxies.

They have yet to receive a response, according to an aide to Senator John Kennedy, Republican from Louisiana, who led the letter.

On the call Tuesday evening, Jen Easterly, CISA's director, said, "We think this preparatory activity is not about espionage. It's probably very likely about disruptive or destructive activity, so we are very concerned to make sure we can get ahead of the threat environment."

CISA said in a news release that the call built on a series of briefing the agency had been convening since late 2021 with US government and private-sector organisations.

Easterly told the attendees that they represented "lifeline sectors" for the US economy, specifying communications, transportation, energy, water and financial services sectors.

She urged companies to update their cyber defences and, for cash-strapped entities, to take advantage of CISA's free services and tools.

Mark Montgomery, formerly executive director of the Cyber Solarium Commission, a congressionally mandated body that recommended the US beef up cyber defences, told Bloomberg that there had been improvements in US cyber defence in recent months, a view shared by some other cybersecurity experts.

But he said the government needs to vastly improve the way it shared warnings with the private sector.

"You can't just buy cyber resilience in two or three or four weeks because you hear the Russians might target our critical infrastructure," he said.

US businesses "need to move at the speed of data and not at the speed of press conferences and presidential memos," he said.

Join ST's Telegram channel and get the latest breaking news delivered to you.