The US Watches Warily for Russia-Ukraine Tensions to Spill Over

Conversations with more than a dozen senior cybersecurity leaders in both the public and private sector outline the major areas of risk.
Cybersecurity officials like Anne Neuberger have worked directly with Ukraine to reinforce its defenses. Photograph: SAUL LOEB/Getty Images

As Russian troops remain amassed on Ukraine’s border, the possibility looms that tensions may spill over to a cyberattack with international consequences. If so, the first sign to the US government will likely come in a Slack message read at Eric Goldstein’s desk in a generic office building in Ballston, Virginia.

Goldstein oversees the Joint Cyber Defense Collaborative, launched last year to provide what the agency calls “visibility at scale” over US networks and private sector critical infrastructure. That means CISA may be on the front lines of any escalation by Russia that ripples all the way to the US homeland. Officials and private sector leaders are hurriedly patching, preparing, and war-gaming in case Russia decides to launch direct attacks against US infrastructure, unleash a flood of disruptive ransomware, or aim a tailored cyberattack against Ukraine that spills over into US networks.

The JCDC is so new that it still only exists virtually and hasn’t yet moved into its physical space in CISA’s offices in northern Virginia. It’s meant to serve as something like a unified command center for US internet infrastructure, bringing together nearly two dozen private sector security and network firms; today, its Slack channel includes companies like Cloudflare, CrowdStrike, Mandiant, Microsoft, Verizon, Google Cloud, and Amazon Web Services. In addition to CISA, the NSA, the FBI, and US Cyber Command representatives are participating on the government side.

The collaboration center gives network monitors a place and community to quickly identify and share odd happenings, potential breaches, and suspicious activity. It confronted its first crisis in early December, with news of vulnerabilities in the widely used logging library Log4j. At the time, CISA director Jen Easterly called the vulnerability the “most serious” she’d seen in her entire career, and the group moved quickly to confront it—convening on a Saturday to discuss the initial dangers and by Monday launching a comprehensive GitHub page to coordinate mitigation efforts.

Now, just weeks later, the US government and the Biden administration’s cyber team face another serious risk as the White House warns of a possible Russian invasion of Ukraine—an event that many in private industry and Western governments worry could spill over, purposely or accidentally, to computer networks far from any Eastern European battlefield. “We hope to leverage the muscle memory that we've created through Log4j to apply to potential activity coming out of the Russia-Ukraine crisis,” says Easterly, who spoke with WIRED late last week in her first extended public comments on the looming war.

Shields Up

Even as they’ve warned of an increasing chance of war, officials in the US and UK have been careful to state that they don’t see specific threats. They’re instead expressing a generalized unease at Russia’s geopolitical recklessness and its history of nefarious cyber activity, as well as the sheer complexity and connectedness of digital ecosystems.

“There are currently no specific credible threats to the US homeland coming out of this particular Russia-Ukraine crisis, but we are very mindful of the potential for Russia to consider escalating in destabilizing ways that may impact others outside of Ukraine,” Easterly says. “Given how the US and our partners may react to an invasion, we’re also very mindful of the connectivity of infrastructure around the world and that you might have cascading impacts that may be either intended or unintended.”

Friday night, hours after White House national security advisor Jake Sullivan warned that the US believes a Russian invasion may be imminent and after the State Department urged all US citizens to evacuate Ukraine, CISA launched a new website, called Shields Up, that warns about the rising threat of Russian hostilities affecting the online ecosystem. This follows similar efforts by the UK government and other European nations to prepare for the effects a Russian war may bring to countries beyond Ukraine’s borders.

The Shields Up moniker builds on a unique and colorful online superhero persona Easterly has created since she was confirmed by the US Senate last summer as CISA’s second-ever director. Her Twitter profile picture is a comic book-style drawing of her dressed as a superhero in a cape and bodysuit emblazoned with CISA’s logo. In what was surely a first for a senior US government official, Easterly appeared at a Black Hat keynote last summer wearing dragon pants and a “free Britney” T-shirt and solved a Rubik’s Cube behind her back while she spoke. In announcing the new website, Easterly tweeted, “ALL organizations must adopt a heightened posture of vigilance. The time to act is NOW. We’re urging all orgs to put #ShieldsUp.”

The Shields Up push is the latest in a flurry of US government activity since the new year warning private industry to prepare for spillover effects if the situation in Ukraine continues to deteriorate. Behind the scenes, the FBI has increased its reporting tempo on suspicious cyber events and urged US industry to share more information about attacks, probes, and phishing campaigns spotted on individual networks. The White House’s National Security Council, under the auspices of deputy national security advisor for cyber and emerging technologies Anne Neuberger, convened a closed-door meeting on January 31 with industry partners to warn of possible Russian escalation.

The efforts are part of a governmentwide push that started almost as soon as US intelligence began warning of increased Russian buildups along the Ukrainian border in December. “We started leaning really far forward on this around late 2021,” Easterly says. “We began a pretty deliberate outreach campaign, providing classified TS-level [top-secret] information down to the unclassified level to ensure that all of our industry partners were aware of potential risk, and then talking through key mitigations and steps that they should take.”

Neuberger says the administration is keenly focused on three specific interrelated efforts: Working with Ukraine to shore up its own cyber defenses, working with European allies and partners—like NATO—to shore up Western defenses and coordinate any potential response to further Russian aggression, as well as shoring up cybersecurity defenses domestically. “The White House has been coordinating the interagency to ensure that we are postured to react quickly to any eventuality, both within the government and with our private sector partners,” Neuberger says, referring to the formal National Security Council process that brings together different arms of the government.

Neuberger herself traveled to Europe early this month to meet with cyber-focused counterparts in Brussels and at NATO, then journeyed to Warsaw to meet with Polish and Baltic cybersecurity officials; she also met with representatives from what are known as “B9” nations, the NATO nations that make up the security alliance’s Eastern flank, closest to Russia. In each meeting, the theme was the same: How can Western nations be better prepared for a coordinated response to cyber aggression from Russia?

“The Russians have used cyber as a key component of their force projection over the last decade, including previously in Ukraine,” Neuberger says. “The Russians understand that disabling or destroying critical infrastructure—including power and communications—can augment pressure on a country’s government, military, and population and accelerate their acceding to Russian objectives.”

In recent weeks, nearly every corner of the US government has been brought to bear on that same question: The Transportation Security Administration, which oversees pipeline security, in addition to its better-known role of passenger screening at airports, has issued directives to pipeline companies; the Environmental Protection Agency has recently hosted two webinars for more than 400 water utilities about necessary security steps; and the Department of Energy held comparable, CEO-level briefings for energy companies.

More public-facing government efforts have come in the form of a mid-January advisory from CISA, the NSA, and the FBI outlining common tactics and techniques for Russian cyber operations, ranging from preferred Cisco routers to Microsoft Exchange vulnerabilities. Last week, those agencies issued another joint advisory, along with international counterparts from Australia and the UK, highlighting the proliferation of ransomware attacks against critical infrastructure in 2021. While the advisory never specifically mentions Russia, many of the worst attacks of 2021 stemmed from Russia-based groups like REvil.

Russia has long treated its neighbor Ukraine as a real-world sandbox in which to test cyberattacks. In 2015, Russia brought down the country’s power grid. In 2017, it set loose the NotPetya ransomware, which corrupted Ukrainian tax software and went on to cause as much as $10 billion in damage to international companies that did business in the country. The shipping company Maersk saw some 80,000 computers destroyed; FedEx suffered nearly half a billion dollars in damage; and drug company Merck saw upwards of $800 million in losses.

A more recent attack came in mid-January, as dozens of Ukraine government websites were knocked offline and defaced, replacing the sites with text that warned, “Be afraid and expect the worst.” While that attack may have originated from Russian ally Belarus, subsequent destructive malware hit Ukrainian systems, posing as ransomware but deleting data. US officials have also warned of “specific, credible” threats against Ukraine’s critical infrastructure. On Tuesday, an apparent DDoS attack hit the websites of Ukraine's Ministry of Defense, Armed Forces, and two major banks, although it's unclear who's responsible.

The US government has long been intimately involved in helping understand and mitigate Ukraine’s cyber risk, collaboration that it hopes will also help it understand and mitigate threats to the homeland. US Cyber Command has conducted what it calls “hunt-forward” missions in Ukraine, deploying teams to the country to search for malware as part of a strategy known as “persistent engagement,” developed by its commander, general Paul Nakasone, in an effort to keep the US in constant contact with its primary adversaries in the most active arenas in cyberspace.

On the civilian side, CISA works closely with Ukrainian cybersecurity agencies, and the US Agency for International Development has for years run large-scale, multimillion-dollar programs to help Ukraine protect its own critical infrastructure against cyberattacks. “We've also more recently, as you can imagine, been communicating with CERT-Ukraine to provide reports of possible activity targeting Ukrainian organizations, including Ukrainian government agencies,” Easterly says, referring to the country’s computer emergency response team. “We are standing in to be able to be helpful for them.”

Red Lines

Conversations in recent weeks with more than a dozen senior cybersecurity leaders across the US government, tech companies, and the private sector—many of whom asked to speak anonymously in order to candidly discuss a dynamic threat environment—outlined major areas of risk they’re collectively watching, as Russia has already demonstrated a sometimes brutal effectiveness online.

While many expect Russia to deploy information operations regionally, including disinformation and perhaps even hack-and-leak operations similar to those it used to target the 2016 US presidential elections, the two leading threats are a scourge of ransomware and so-called collateral damage. “Looking back at NotPetya, that’s a huge cautionary tale,” Easterly says, pointing to the many US companies or Western subsidiaries that do business in Ukraine and thus have interlocked digital systems.

Few officials believe Russia would purposefully target US networks, at least at the start of any campaign against Ukraine, and think Russia would only do so if the US or NATO dramatically escalated a Ukraine conflict. They note that Russian state actors, unlike those in North Korea or Iran, have never deliberately carried out destructive cyberattacks on US infrastructure or companies.

“We believe the threshold [for direct action] is very high,” one senior US government official says, echoing a DHS advisory from mid-January.

Even if Russia chooses to act against the US directly, Michael Daniel, the one-time White House cyber coordinator for President Obama and now head of the industry group Cyber Threat Alliance, says his member companies anticipate that any such attacks against US networks would be “painful but reversible.” That means targeting noncritical networks like billing systems or supply chains, rather than central infrastructure. Such attacks can still lead to dangerous and disruptive unintended consequences; last year's ransomware attack on Colonial Pipeline led the company to voluntarily shut off its major East Coast gas pipeline as it dealt with the impact on noncore systems.

“Russia always surprises me with its willingness to cross red lines,” says John Hultquist, vice president of intelligence analysis at the security firm Mandiant.

Perhaps most likely is a scenario that officials described variously as “ransomware with extreme prejudice” or “unleashing the beast of their criminal actors.” In that instance, the notoriously permissive Russian government would free or encourage the criminal groups within its borders to unleash epidemics of ransomware on Western networks in an attempt to discourage or distract the US or NATO from intervening to aid Ukraine.

Officials are forthright, though, that the greatest challenge in preparing for a digital spillover from Ukrainian battlefields is hardly novel for cybersecurity: There are so many targets—and not much time. Whether in Ukraine, Europe, or the United States, officials are confronting a patchwork of privately and publicly owned infrastructure, much of it outdated and long underfunded when it comes to security. “Significant improvements in resilience don’t happen in weeks,” one official noted, and officials have long struggled to cajole private-sector companies to embrace stronger security measures.

“In the physical world, we have security baselines—seatbelts and airbags in our cars, speed limits on our roads, alarm systems and locks in our homes and offices. In the digital world, we don’t have this built-in security, but we are focused on building it urgently,” Neuberger says. “Requiring and building in these cybersecurity foundations for all of our critical infrastructure is the most important line of effort we can take as a nation to strengthen our resilience against cyberattacks.”

Whatever may unfold in the next few weeks—US officials have said they believe Putin may launch a full-scale Ukraine invasion as early as Wednesday, though there have been signs that Russia may ultimately scale back—the JCDC’s ability to respond will be a key test of Easterly’s vision to turn CISA into the “front door for government,” the first place where private sector companies turn for cybersecurity information and collaboration.

“What I get paid to do is to ensure that we are reducing risk to our digital and physical infrastructure,” she says. “Given the fact that the government doesn’t own the vast majority of that infrastructure, it’s ensuring that our partners have the information and the actionable guidance they need to keep their businesses up and running.”

For now, CISA and the rest of the US government will wait to see what this week brings.
