White House Warns Businesses to Harden Defenses Against Cyber Attack

“My Administration will continue to use every tool to deter, disrupt, and if necessary, respond to cyberattacks against critical infrastructure. But the Federal Government can’t defend against this threat alone. Most of America’s critical infrastructure is owned and operated by the private sector and critical infrastructure owners and operators must accelerate efforts to lock their digital doors,” President Biden stated. © Karen Rubin/news-photos-features.com via msnbc.

The Biden Administration, from its first days, has been warning – and acting – on cybersecurity, when previous administrations just sat back as ransomware and cyberattacks became epidemic and more lethal – threatening water supplies, power grids, even nuclear plants. But the issue of cybersecurity has become elevated and unavoidable because of Russia’s reaction to sanctions for its invasion and war crimes against Ukraine, warranting President Biden and the White House to issue new warnings and mount pre-emptive defenses. (New York  Governor Kathy Hochul already has set up infrastructure to protect New York and cooperate with federal government.)

“This is a critical moment to accelerate our work to improve domestic cybersecurity and bolster our national resilience,” President Biden declared. “  I have previously warned about the potential that Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners. It’s part of Russia’s playbook. Today, my Administration is reiterating those warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks.

“From day one, my Administration has worked to strengthen our national cyber defenses, mandating extensive cybersecurity measures for the Federal Government and those critical infrastructure sectors where we have authority to do so, and creating innovative public-private partnerships and initiatives to enhance cybersecurity across all our critical infrastructure. Congress has partnered with us on these efforts — we appreciate that Members of Congress worked across the aisle to require companies to report cyber incidents to the United States Government.

“My Administration will continue to use every tool to deter, disrupt, and if necessary, respond to cyberattacks against critical infrastructure. But the Federal Government can’t defend against this threat alone. Most of America’s critical infrastructure is owned and operated by the private sector and critical infrastructure owners and operators must accelerate efforts to lock their digital doors. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has been actively working with organizations across critical infrastructure to rapidly share information and mitigation guidance to help protect their systems and networks

“If you have not already done so, I urge our private sector partners to harden your cyber defenses immediately by implementing the best practices we have developed together over the last year. You have the power, the capacity, and the responsibility to strengthen the cybersecurity and resilience of the critical services and technologies on which Americans rely. We need everyone to do their part to meet one of the defining threats of our time — your vigilance and urgency today can prevent or mitigate attacks tomorrow.”

FACT SHEET: Act Now to Protect Against Potential Cyberattacks

The Biden-Harris Administration has warned repeatedly about the potential for Russia to engage in malicious cyber activity against the United States in response to the unprecedented economic sanctions we have imposed.  There is now evolving intelligence that Russia may be exploring options for potential cyberattacks.

The Administration has prioritized strengthening cybersecurity defenses to prepare our Nation for threats since day one. President Biden’s Executive Order is modernizing the Federal Government defenses and improving the security of widely-used technology. The President has launched public-private action plans to shore up the cybersecurity of the electricity, pipeline, and water sectors and has directed Departments and Agencies to use all existing government authorities to mandate new cybersecurity and network defense measures. Internationally, the Administration brought together more than 30 allies and partners to cooperate to detect and disrupt ransomware threats, rallied G7 countries to hold accountable nations who harbor ransomware criminals, and taken steps with partners and allies to publicly attribute malicious activity.

We accelerated our work in November of last year as Russian President Vladimir Putin escalated his aggression ahead of his further invasion of Ukraine with extensive briefings and advisories to U.S. businesses regarding potential threats and cybersecurity protections. The U.S. Government will continue our efforts to provide resources and tools to the private sector, including via CISA’s Shields-Up campaign and we will do everything in our power to defend the Nation and respond to cyberattacks. But the reality is that much of the Nation’s critical infrastructure is owned and operated by the private sector and the private sector must act to protect the critical services on which all Americans rely.

We urge companies to execute the following steps with urgency:

  • Mandate the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system;
     
  • Deploy modern security tools on your computers and devices to continuously look for and mitigate threats;
     
  • Check with your cybersecurity professionals to make sure that your systems are patched and protected against all known vulnerabilities, and change passwords across your networks so that previously stolen credentials are useless to malicious actors;
     
  • Back up your data and ensure you have offline backups beyond the reach of malicious actors;
     
  • Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack;
     
  • Encrypt your data so it cannot be used if it is stolen;
     
  • Educate your employees to common tactics that attackers will use over email or through websites, and encourage them to report if their computers or phones have shown unusual behavior, such as unusual crashes or operating very slowly; and
     
  • Engage proactively with your local FBI field office or CISA Regional Office to establish relationships in advance of any cyber incidents. Please encourage your IT and Security leadership to visit the websites of CISA and the FBI where they will find technical information and other useful resources.

We also must focus on bolstering America’s cybersecurity over the long term. We encourage technology and software companies to: 

  • Build security into your products from the ground up — “bake it in, don’t bolt it on” — to protect both your intellectual property and your customers’ privacy.
     
  • Develop software only on a system that is highly secure and accessible only to those actually working on a particular project.  This will make it much harder for an intruder to jump from system to system and compromise a product or steal your intellectual property.
     
  • Use modern tools to check for known and potential vulnerabilities. Developers can fix most software vulnerabilities — if they know about them.  There are automated tools that can review code and find most coding errors before software ships, and before a malicious actor takes advantage of them. 
     
  • Software developers are responsible for all code used in their products, including open source code. Most software is built using many different components and libraries, much of which is open source.  Make sure developers know the provenance (i.e., origin) of components they are using and have a “software bill of materials” in case one of those components is later found to have a vulnerability so you can rapidly correct it. 
     
  • Implement the security practices mandated in the President’s Executive Order, Improving our Nation’s Cybersecurity. Pursuant to that EO, all software the U.S. government purchases is now required to meet security standards in how it is built and deployed. We encourage you to follow those practices more broadly.