President Joe Biden on Monday urged US companies to make sure their digital doors are locked tight because of “evolving intelligence” that Russia is considering launching cyberattacks against critical infrastructure targets as the war in Ukraine continues.
Addressing corporate CEOs at their quarterly meeting, Biden told the business leaders they have a “patriotic obligation” to harden their systems against such attacks. He said federal assistance is available, should they want it, but that the decision is theirs alone.
Biden said the administration has issued “new warnings that, based on evolving intelligence, Russia may be planning a cyberattack against us. … The magnitude of Russia’s cyber capacity is fairly consequential, and it’s coming.”
The president said the federal government is “doing its part” to prepare for an attack and warned the private-sector CEOs that it also is in the national interest that they do the same.
“I would respectfully suggest it’s a patriotic obligation for you to invest as much as you can” in technology to counter cyberattacks, Biden told members of the Business Roundtable. “We’re prepared to help you, as I said, with any tools and expertise we possess, if you’re ready to do that. But it’s your decision as to the steps you’ll take and your responsibility to take them, not ours.”
Biden’s top cybersecurity aide, Anne Neuberger, expressed frustration at a White House press briefing earlier Monday that some critical infrastructure entities have ignored alerts from federal agencies to fix known problems in software that could be exploited by Russian hackers.
“Notwithstanding these repeated warnings, we continue to see adversaries compromising systems that use known vulnerabilities for which there are patches,” said Neuberger, who is the president’s deputy national security adviser for cyber and emerging technologies. “That makes it far easier for attackers than it needs to be.”
The federal government has been providing warnings to US companies of the threats posed by Russian state hackers since long before the country invaded Ukraine last month. The Cybersecurity and Infrastructure Security Agency has launched a “Shields Up” campaign aimed at helping companies strengthen their defenses and has urged companies to back up their data, turn on multifactor authentication and take other steps to improve cyber hygiene.
Neuberger said there’s no intelligence suggesting a specific Russian cyberattack against US targets, but she did add that there has been increase in “preparatory activity,” like scanning websites and hunting for vulnerabilities, that is common among nation-state hackers.
In an written statement earlier Monday, Biden said Russia could launch a cyberattack against US targets as retaliation for “the unprecedented economic costs we’ve imposed” on Russia through sanctions.
“It’s part of Russia’s playbook,” Biden said.
The United States and its allies have put a slew of sanctions in place aimed at crippling the Russian economy, and Biden recently announced the US is sending more anti-aircraft, anti-armor weapons and drones to help Ukraine.
John Hultquist, a vice president of intelligence analysis at the cybersecurity firm Mandiant, said cyberattacks gives Russia the ability to punch back.
“Cyberattacks are a means for them to exact costs without crossing a major red line,” he said.
Russia is considered a hacking powerhouse but its offensive cyberattacks since it invaded Ukraine have been muted compared to what some feared. Russia has carried out significant cyberattacks against Ukraine in years past, including the devastating NotPetya attack in 2017 that spread far and wide and caused more than $10 billion in damage globally.
Neuberger said Russia cyberattacks against Ukraine are ongoing, though she did not provide specifics. She said the Biden administration has made clear there will be consequences if Russia engages with the US in cyberspace.
“We’re not looking for a conflict with Russia. If Russia initiates a cyberattack against the United States, we will respond,” she said.
The Russian Embassy did not immediately respond to a request for comment.