The United States "desperately needs to revamp the playbook it uses for critical infrastructure cybersecurity," said Rep. Yvette Clark, D-N.Y., chairwoman of the House Homeland Security committee's Cybersecurity, Infrastructure Protection and Security Technologies subcommittee. Photo courtesy of the clerk of the U.S. House of Representatives
WASHINGTON, April 6 (UPI) -- Top federal cybersecurity officials and members of Congress said this week that the invasion of Ukraine increases the risk of Russian hackers targeting critical infrastructure, and they urged more coordination between the government and private companies to combat the threat.
The United States "desperately needs to revamp the playbook it uses for critical infrastructure cybersecurity," Rep. Yvette Clark, D-N.Y., chairwoman of the House Homeland Security committee's Cybersecurity, Infrastructure Protection and Security Technologies subcommittee, said Wednesday.
"Our nation's critical infrastructure is vulnerable to cyberattacks, and the federal government has resources it can bring to bear in closing security gaps, but we've been reluctant to make the private sector come to the table," she said.
Subcommittee members on Wednesday heard from experts who outlined how the United States could work to strengthen public-private partnerships in the cybersecurity sector.
On Tuesday, the full House Homeland Security Committee discussed securing critical infrastructure against Russian cyber threats.
That committee's vice chair, Ritchie Torres, D-N.Y., said that as the United States continues to impose sanctions on Russia and its leaders over its invasion of Ukraine, "we must consider the potential risk to the homeland."
"Over the past decade, Russia has demonstrated its ability and willingness to use cyber tools to advance its global agenda. It has used its neighbors in Eastern Europe as testbeds for deploying its cyber capabilities to interfere with elections, spread disinformation, and disrupt critical infrastructure," Torres said.
He cited Russia's attacks on Ukraine's power grid in 2015 and 2016 and the NotPetya attack in 2017, which wiped computer data from Ukrainian banks, energy firms, government officials and an airport.
For several lawmakers, the question is not whether Russia will orchestrate a cyberattack, but what it will target and when.
"I am very worried. I think it's more likely than not that Russia will start using cyber attacks against the West," Rep. Bill Foster, D-Ill., said in a March interview. "And when that happens, we have to understand how we're going to avoid a retaliatory spiral."
A Russian cyberattack most likely would come in the form of ransomware, as SWIFT sanctions have encouraged a reliance on cryptocurrency to access foreign capital, according to Adam Levin, former director of the New Jersey Division of Consumer Affairs and host of the "What the Hack with Adam Levin" podcast.
SWIFT is is a Belgian cooperative society that provide services related to the execution of financial transactions and payments between banks worldwide.
"Because of all of the sanctions, ransomware becomes a very big deal for [Russia], because it can actually help them by way of cryptocurrency make up some of what they're losing by all the sanctions," Levin said in an interview.
The top Republican on the subcommittee, Rep. Andrew Garbarino of New York, said that "cyberthreats posed by foreign adversaries are only becoming more potent."
"Potential for malicious Russian cyber activity, as well attacks by other adversarial nations like China, Iran and North Korea, is only increasing," he said, calling on Congress to continue facilitating public-private partnerships to curb threats.
Specifically, concerns about water infrastructure being targeted have grown since the cyber attack on a treatment facility in Oldsmar, Fla., last February, Levin said.
According to investigators, the hacker used remote access software to raise the levels of sodium hydroxide -- a chemical compound used in small amounts to remove metals from water -- from about 100 parts per million to more than 11,000 ppm. An employee noticed something was wrong before anyone was hurt.
The Oldsmar hack was mentioned in both hearings, but Rep. Jeff Van Drew, R-N.J., brought up a separate instance of water infrastructure being targeted through a ransomware attack in Atlantic County, N.J. (A similar attack also occurred in Jersey City.)
"Services like utility authorities are vital to day-to-day life, and it is imperative that Congress and the administration continue to invest in protecting critical infrastructure everywhere small or large in every way," Van Drew said. "It affects every aspect of our life."
While water facilities remain a top potential target, communication infrastructure and financial infrastructure also could be hit, Levin said.
"What if they attacked the ability of financial institutions to provide cash through ATM machines?" he said. "Or what if they were to do something that would disrupt the free flow of credit card transactions?"
The Cybersecurity and Infrastructure Security Agency was repeatedly mentioned in both hearings as a conduit for combating cyber threats across sectors by increasing information sharing and coordination across private industry and the federal government.
"I can't say enough how encouraging it is to see that CISA is developing those really trusted and treasured partnerships in the private sector," said New York Rep. John Katko, the top Republican on the full committee.
"It's so critical to their mission and the more we develop that trust and the trusted exchange of information, by far we are going to make the whole cyber landscape safer."
Crowdstrike's senior vice president for intelligence credited CISA's Joint Cyber Defense Collaborative for "disrupt[ing] Russian infrastructure preparing for cyber operations."
Based in Austin, Texas, Crowdstrike provides cloud workload and endpoint security, threat intelligence and cyberattack response services.
"We actively participate in public-private partnerships such as CISA's JCDC, through which we have worked with select industry partners to disrupt Russian infrastructure preparing for cyber operations," Adam Meyers said Tuesday.
The White House's acting principal deputy national cyber director, Robert Knake, said the biggest asset the federal government can provide to private sector companies to curb cyber threats is increased intelligence.
"We've heard from every private sector company we've talked to is to make sure we provide the one thing private companies can't do on their own, which is intelligence," he said. "Only the U.S. government can collect intelligence and only the U.S. government can provide it back."
Lawmakers from both parties appeared motivated to strengthen infrastructure security by improving coordination between the government and private sector to reduce cyber threats, in part evidenced by the passage of the Fiscal Year 2022 Omnibus, which included the Cyber Incident Reporting for Critical Infrastructure Act.
The legislation, deemed a "game-changer" in a statement by CISA, set two new reporting obligations and timeframes for critical infrastructure operators. The agency expressed gratitude for receiving an "unprecedented level of funding."