Washington Companies Prepare as Threat of Russian Cyberattacks Increases


As major American businesses prepare for possible Russian-led cyberattacks, some Northwest information security experts are raising an alarm while others argue many companies are already prepared.

Barbara Endicott-Popovsky, director of the University of Washington's Center for Information Assurance and Cybersecurity, expects most Americans can't imagine the cost of cyberwarfare, and warns that America's water systems, electric grid and utility systems are at high risk. BECU credit union said Thursday it "increased our actions" to protect information through system scanning, monitoring, alerting and threat management.

But Rob Lee, chief curriculum director and faculty lead at the information security cooperative SANS Institute, said most companies are prepared and now need to "batten down the hatches," while WaFd Bank said it is confident in its "standard strategy" and doesn't expect most Washington residents would feel direct effects of a digital attack.

"There are certain macroeconomic factors that will impact their day to day life — we'll see surges in gas prices and the increased strain on the supply chain because of what's going on," said David Wolf, the chief information security officer at Washington Federal. "But when it comes to the personal identity or the sensitive data of Washington citizens, I wouldn't recommend that they be any more worried today than they were a couple of years ago."

Following a Russian invasion of Ukraine and a pledge to enact "consequences" for any country that got involved, companies were on high alert for cyber threats in retaliation to sanctions imposed by the United States and other countries Thursday.

Federal officials have not detected any credible threats to critical infrastructure, and President Joe Biden said the U.S. is "prepared to respond," but the Department of Homeland Security is warning most organizations are at risk.

The Cybersecurity and Infrastructure Security Agency, part of DHS, has advised "all organizations — regardless of size — adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets."

That could include designating a crisis response team, testing backup procedures and lowering the threshold for reporting and responding to potential cyber incidents. Companies that work with Ukrainian organizations should take extra care, the agency recommended.

Disabling or destroying critical infrastructure, like power or communications systems, can put pressure on a country's government, military and residents, the agency explained.

"The internet is an unregulated war zone, and it has been that way for years," said Endicott-Popovsky from UW.

That's not a new tactic for Russia. It has been using Ukraine as a "cyberattack playground" for several years, said Wolf from WaFd. Hackers from Russia are linked to the Colonial Pipeline hack in May that temporarily cut off most of the East Coast from fuel.

Globally, ransomware volume increased 232% in the last two years, according to an annual report from internet security company SonicWall. It reported there were more than 623 million ransomware attacks in 2021. New types of malware detected also increased 65% year over year, SonicWall found.

Cyber events tend to track closely with geopolitical events, said Lee, from the SANS Institute. That means if Russia reacts to the new sanctions with some stern statements, something could "flare up."

"You can tell where things are heading based on the back and forth," Lee said. "There'll be warning."

Small- and medium-sized businesses aren't likely to be the first targets, Lee said, but they are also the most likely to be strapped for resources to respond.

The cyberattacks would most likely target three industries where a stop to service would have immediate impacts, Lee said: health care, finance and energy.

Major U.S. banks, for instance, fear aggressive cyberattacks if Washington imposes deeper sanctions on Russia. Electric utilities are "closely monitoring the situation and are coordinating across the industry and with our government partners," said Scott Aaronson, a security executive at the Edison Electric Institute, a trade group.

Seattle City Light said it has been "aware of the heightened cyber risk related to Russia/Ukraine tensions since mid-January," and is "paying close attention to the guidance from federal partners and have been following their recommendations," a spokesperson said. BECU said it is "committed to keeping ourselves informed as conditions unfold." It reminded members to "stay safe digitally."

At WaFd, the bank is sticking with its "standard strategy," Wolf said, and doesn't have any plans to add new defenses or processes to protect against a cyberattack.

"Threats are always changing but the controls you use to protect yourself against those threats are pretty static," he said. Those controls include examining where a company stores data, how it processes the information and the risks associated with the data, as well as making sure it discovers and addresses any software vulnerabilities.

The bank has seen a small increase in threats against its external-facing infrastructure, but it is difficult to attribute that uptick to what is happening in Russia and Ukraine specifically, Wolf said.

And WaFd's defense systems are proving to work the way they are supposed to.

Wolf said the bank has seen an increase in what it calls "credential stuffing," a tactic where bad actors use a database of usernames and passwords exposed in data breaches to attempt to hack an account, banking on the fact that individuals likely reuse the same set of login credentials.

WaFd uses two-factor authentication, where an individual verifies their identity through something like a text message or email, to prevent credential stuffing — and it's been holding up, Wolf said.

"Our strategy is sound and continues to be," he said. "Everyone is watching and looking to see how things may change, but right now there's no expectation that they really would at this point."

Lee, from the SANS Institute, says that, for now, it's a reassuring sign the power is still on in Ukraine. "If they did try an infrastructure attack," he said, "it didn't work."