Russia, Ukraine, Cybersecurity, and You
Russian cyberattacks aren’t new. From NotPetya in 2017 to the Colonial Pipeline attack last year to countless ransomware attacks, Russia has been striving to beat out China and North Korea for the mantle of the world’s biggest governmental cyberthreat. President Biden focused on combatting Russian ransomware attacks almost as soon as he got into office with good reason.
But the Ukraine invasion has turned the threat up to eleven. Russia launched denial of service attacks on Ukrainian banks and its defense industry ahead of the invasion, and Russian malware wiped Ukrainian software before the attacks began. Russia also targeted Ukraine’s largest energy company in an apparent attempt to cause widespread blackouts. Ukraine is countering with its own malware attacks against Russia, and Microsoft has joined anti-cyberattack efforts.
Recently, the cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom released a joint Cybersecurity Advisory to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity. Separately, the Department of Energy, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI released a joint Cybersecurity Advisory warning that certain malicious actors could access critical US infrastructure, especially the energy sector, and it was not hard to figure out which country’s actors were attracting the most concern. In case you need a hint, the FBI also just announced an operation designed to disrupt and prosecute Russian cyber-criminal activity. And those are just a few of the warnings that governments around the world have issued within a month or so of this writing.
Given Russia’s cyberattacks on the Ukrainian energy, IT, and financial sectors, US companies in those sectors should maintain or increase their cyber-vigilance. Separately, the agriculture sector may face increased ransomware attacks during the planting and harvesting seasons — a strategy that fits well with Russia’s fondness for societal disruption, especially in the United States. Even our beverages aren’t safe; Coca-Cola reports that it is investigating a potential Russian-based data theft. The transportation, manufacturing, and communications sectors also provide ripe targets in which Russia could sow disruption. All this is to say that no one is beyond concern regarding Russian cyberattacks, and every company should put their “shields up,” as CISA Chief Jen Easterly has urged.
What does “shields up” mean? CISA recommends several precautions, including:
Update software, including operating systems, applications, and firmware, on IT network assets
Multi-factor authentication (MFA)
Strong passwords
End-user awareness and training
Network segmentation
Secure and monitor any Remote Desktop Protocol (RDP) in use
Additionally, now is a good time to peruse your cyberattack/ransomware plan to make sure it is up to date. Make especially certain that all responsible personnel named in the plan are still with your organization, can assume the responsibilities the plan tasks them with, and have their current contact information listed. It is also not a bad time to conduct a tabletop exercise, to ensure that your plan meets today’s needs.
In reviewing your ransomware plan, pay special attention to the factors involved in the decision whether to pay the ransom. This question has always been hard, and it got harder in light of April 2022 OFAC regulations prohibiting transactions with Russian banks. These regulations follow the 2021 OFAC Advisory regarding ransomware payments, which advised of strict liability for paying ransom that makes its way to Russia or any other country against which the US has imposed sanctions. Although the 2021 Guidance offered some leeway to ransomware victims who cooperated with US law enforcement, the newer regulations suggest a less understanding posture.
Also review your business continuity plan. Ensure that your business has a viable plan if fighting in Ukraine brings your network down. One hundred of the world’s Fortune 500 companies rely at least partially on Ukrainian IT services, and several Ukrainian IT firms are among the top 100 outsourcing options for IT services globally, so it makes sense to have contingency plans in place in case those services are compromised.
Insurers and insureds alike should also review any policies written or purchased that may cover a data breach, ransomware attack, or other cyber incident (keeping in mind that the applicable policy may or may not be a cyberinsurance policy specifically). Check to see whether the policy you wrote or bought specifically covers data theft or ransomware attacks.
In particular, check the policy’s language regarding war exclusions. Whether a Russian cyberattack would trigger a policy’s war exclusion is an open question. A recent New Jersey case held that a policy’s war exclusion did not apply, but this was an all-risks property policy, not a cyberinsurance policy. Coverage for any cyberattacks that may arise from the Ukraine conflict will probably depend on a very fact-dependent analysis of factors such as the nature of the conflict and the type of attack. And this assumes that a cyber victim can reliably trace an attack to the Ukraine conflict, which may or may not be possible.
In short, although the Russia-Ukraine conflict is thousands of miles away, it promises to affect cybersecurity here in the US for the foreseeable future. No matter what your industry, or what size your business, the Ukraine invasion requires you to keep your shields up.