The Biden-Harris administration has repeatedly warned of the potential for Russia to engage in malicious cyber activity against the United States in response to the unprecedented economic sanctions we have imposed. There is now new evidence that Russia may be exploring options for potential cyberattacks.
From day one, the government has prioritized strengthening cybersecurity defenses to prepare our nation for threats. President Biden’s executive order modernizes the federal government’s defenses and improves the security of widely used technology. The President has launched public-private action plans to strengthen cybersecurity in the power, pipeline and water sectors, and has directed departments and agencies to use all existing government authorities to mandate new cybersecurity and network defense measures. Internationally, the government has brought together more than 30 allies and partners to work together to identify and stop ransomware threats, called on the G7 to hold nations harboring ransomware criminals to account, and taken steps with partners and allies to publicly attribute malicious activity.
We accelerated our work last November when Russian President Vladimir Putin escalated his aggression ahead of his further incursion into Ukraine, with comprehensive briefings and advice to US companies on potential threats and cybersecurity precautions. The US government will continue our efforts to provide resources and tools to the private sector, including via CISA’s Shields Up campaign, and we will do everything in our power to defend the nation and respond to cyber attacks. But the reality is that much of the nation’s critical infrastructure is owned and operated by the private sector, and the private sector must act to protect the critical services that all Americans rely on.
We urge companies to take the following steps as a matter of urgency:
- Enforce the use of multi-factor authentication on your systems to make it difficult for attackers to access your systems.
- Deploy modern security tools on your computers and devices to continuously scan for and mitigate threats.
- Contact your cybersecurity experts to ensure your systems are patched and protected against all known vulnerabilities, and change passwords on your networks so previously stolen credentials are useless to malicious actors.
- Secure your data and ensure you have offline backups that malicious actors cannot reach.
- Conduct drills and exercise your contingency plans so you’re ready to respond quickly and minimize the impact of an attack.
- Encrypt your data so it cannot be used if stolen.
- Educate your employees about common tactics attackers use via email or websites, and encourage them to report if their computers or phones have exhibited unusual behavior, such as unusual crashes or very slow operation.
- Work proactively with your local FBI field office or CISA regional office to build relationships in advance of cyber incidents. Please encourage your IT and security leadership to visit the websites of CISA and the FBI, where they can find technical information and other useful resources.
We also need to focus on strengthening America’s cybersecurity over the long term. We encourage technology and software companies to:
- Build security into your products from the ground up (“bake it in, don’t bolt it on”) to protect both your intellectual property and your customers’ privacy.
- Only develop software on a system that is highly secure and accessible only to those actually working on a specific project. This makes it much harder for an intruder to jump from system to system and compromise a product or steal your intellectual property.
- Use modern tools to scan for known and potential vulnerabilities. Developers can fix most software vulnerabilities – if they know about them. There are automated tools that can inspect code and find most programming errors before the software ships and before a malicious actor exploits it.
- Software developers are responsible for all code used in their products, including open source code. Most software is built using many different components and libraries, many of which are open source. Make sure developers know the provenance (i.e., origin) of the components they are using and have a “software bill of materials” in case one of those components later turns out to have a vulnerability, so you can fix it quickly.
- Implement the security practices mandated by the President’s Executive Order, “Improving our Nation’s Cybersecurity.” According to this EO, any software that the US government buys must now meet security standards in its creation and deployment. We encourage you to follow these practices more fully.