On March 21, 2022, President Biden warned U.S. companies, particularly those operating in critical infrastructure sectors, that “[b]ased upon evolving intelligence, Russia may be planning a cyberattack against us.” The evolving intelligence appears to be based upon, among other things, a March 18th advisory from the FBI to U.S. businesses that threat actors associated with Russian internet addresses have been scanning the networks of five U.S. energy companies and at least eighteen U.S. companies in other sectors, such as defense and financial services.
The FBI identified 140 overlapping IP addresses linked to “abnormal scanning” activities. Vulnerability scanning is the process of identifying security weaknesses and flaws in systems and in the software running on them. Threat actors often dedicate time to observing and probing target computer networks to find weaknesses in their defenses, and then use those findings to assess and develop a strategy for exploitation. Accordingly, the FBI warns, Russia is exploring its options for potential cyberattacks on U.S. companies in critical infrastructure sectors.
Russia has already used Ukraine as a testing ground for powerful cyber weapons. According to the Ukrainian government, since February 15th it has suffered approximately 3,000 distributed denial of service attacks on government websites, rendering them unusable. As the conflict in Ukraine escalates, President Biden therefore warns that “[t]he magnitude of Russia’s cyber capacity is fairly consequential and it’s coming.” As such, U.S. intelligence is proactively sharing this information to encourage the private sector to shore up its defenses. To assist, the White House released a fact sheet detailing ways that U.S. companies can defend themselves against cyberattacks.
While every company’s cybersecurity needs are different, organizations should ensure that they have implemented at least the following as part of a comprehensive approach to mitigating the risk of a cybersecurity attack.
- Conduct a Cybersecurity Risk Assessment (“Assessment”). In general, the purpose of an Assessment is to identify cybersecurity vulnerabilities in an organization’s policies, procedures, and IT environment and to provide remediation strategies as appropriate. An Assessment may identify vulnerabilities, exploit attempts, and secondary attacker actions. As a best practice, Assessments should be conducted by an independent IT security firm, at the direction of counsel, to protect the Assessment’s findings under privilege.
- Prepare a Written Cybersecurity Policy. A written cybersecurity policy sets forth an organization’s policies and procedures for the protection of its information systems, particularly its sensitive business information. The cybersecurity policy should address key areas of concern, to the extent applicable, such as data governance and classification, customer data privacy, and vendor and third-party service provider management. To instill a “tone from the top” culture, the cybersecurity policy should be approved by a senior officer or the organization’s board of directors.
- Develop or update your Incident Response Plan (IRP). Many industries and jurisdictions require organizations to have a policy addressing how the company will effectively respond to a cybersecurity incident, such as a ransomware attack. An IRP sets forth the key steps that an organization must take immediately during a cyber incident. For example, an IRP will set forth reporting and escalation procedures and alternative communication plans, and will designate a response team of stakeholders and outside experts to assist with the response.
- Ensure your personnel are adequately trained. Organizations should provide regular training for all personnel based upon the risks identified in the Assessment. Given that a common method of attack is email phishing or downloads from malicious websites, an effective defense mechanism is to train your personnel on the basics of cyber hygiene. Likewise, your response team should conduct at least yearly tabletop exercises to practice its response in accordance with the IRP. Having a well-trained incident response team in place prior to an attack positions an organization to act efficiently in a measured, calm, and unified manner.