The potential for malicious cyber activity has been a concern for the Biden administration throughout the evolving crisis in Ukraine (including the imposition of sanctions against Russia). In response to the concern, the Biden administration, which is now facing “evolving intelligence that Russia may be exploring options for potential cyberattacks,” has released recommendations for companies to protect against cyberattacks.
The administration urges companies to do the following with urgency:
- Mandate the use of multi-factor authentication on all systems;
- Deploy modern security tools on all computers and devices to continuously look for and mitigate threats;
- Check with cybersecurity professionals to make sure that all systems are patched and protected against all known vulnerabilities, and change passwords across all networks so that previously stolen credentials are useless to malicious actors;
- Back up data and ensure that offline backups are beyond the reach of malicious actors;
- Run exercises and drill any emergency plans so that you are prepared to respond quickly to minimize the impact of any attack;
- Encrypt data so it cannot be used if it is stolen;
- Educate employees on common tactics that attackers will use over email or through websites, and encourage them to report if their computers or phones have shown unusual behavior, such as unusual crashes or operating very slowly; and
- Engage proactively with your local FBI field office or CISA Regional Office to establish relationships in advance of any cyber incidents.
The fact sheet released by the administration further encourages U.S. companies to think long-term about cybersecurity. The administration encourages technology and software companies to do the following:
- Build security into products from the ground up to protect both your intellectual property and your customers’ privacy.
- Develop software only on a system that is highly secure and accessible only to those working on a particular project.
- Use modern tools to check for known and potential vulnerabilities (both patch and configuration).
- Software developers are responsible for all code used in their products, including open-source code. Most software is built using many different components and libraries, much of which is open source. Make sure developers know the provenance (i.e., origin) of components they are using and have a “software bill of materials” in case one of those components is later found to have a vulnerability so you can rapidly correct it.
- Implement the security practices mandated in the President’s Executive Order, Improving our Nation’s Cybersecurity, more broadly even if not expressly required. Pursuant to that EO, all software the U.S. government purchases is now required to meet security standards in how it is built and deployed.
Companies are encouraged to ask IT and Security leadership to visit the CISA and FBI websites for additional technical information and resources, including CISA’s Shields Up campaign. In addition, agencies and regulators continue to release sector-specific guidance for protecting against cyberattacks, including the growing threat of ransomware attacks against companies critical to U.S. infrastructure. We will continue to watch these issues as the ongoing crisis in Ukraine unfolds.