The Cybersecurity and Infrastructure Security Agency’s (CISA) “Shields Up” cybersecurity campaign, launched in February to warn critical infrastructure operators and other U.S.-based organizations of cybersecurity threats spilling over from Russia’s invasion of Ukraine, is proving its worth over the first four months of operation.
However long the current Shields Up campaign lasts, CISA and its government partners including the FBI face a very long haul in trying to hold the line against destructive exploits against critical infrastructure amid an ever-evolving active attack environment.
Because the practical goals of the Shields Up program are focused on promoting better security across a very wide range of industry sectors – including those that are cyber-savvy and some that are not – the tenets of the Shields Up program are likely to continue long into the future.
Shields Up Genesis
The Shields Up campaign – as far as we can tell from public information – has not rolled out any particularly novel technologies or tactics for cyber defense. Rather, the campaign has provided pointed focus and visibility into cyber threats emerging from the Russian invasion, and turned the attention of critical infrastructure operators back to a long list of well-known advice on doing many of the basic steps that make networks and infrastructure more secure.
Those steps include many that CISA returns to again and again in its guidance to government and the private sector:
- Implement multi-factor authentication (MFA) for remote, privileged, and administrative access;
- Patch known vulnerabilities promptly and according to CISA’s alerts and guides;
- Disable unused ports and protocols;
- Implement strong cloud service controls;
- Focus on unexpected or unusual network behavior;
- Pay special attention to traffic from Ukrainian organizations;
- Designate crisis response teams;
- Test data backup procedures, and manual controls in the case of industrial control systems or operational technology;
- Review CISA’s guide to understanding and mitigating Russian state-sponsored cyber threats to U.S. critical infrastructure; and
- Sign up for CISA’s free cyber hygiene services including vulnerability scanning.
The list goes on. And if it seems to the top ranks of sophisticated cyber professionals like a recitation of the high points of Good Cyber 101, CISA preaches that those basic steps are exactly the kind of preparation that will foil most cyberattacks. By taking those actions, CISA said in announcing the program, “all organizations can make near-term progress toward improving cybersecurity and resilience” by adopting the Shields Up measures.
Is Shields Up Succeeding?
As far as we can tell – always a big and necessary caveat when judging government and private sector actions that take place largely behind the scenes – Shields Up has been working, and CISA has not been shy about saying so.
“Through this extensive coordination across the public and private sectors, underpinned by the Biden administration’s elevation of cybersecurity as a core national security imperative, this approach is working,” said CISA Director Jen Easterly on June 6 about the Shields Up campaign.
And it’s not for a lack of trying on Russia’s part, she emphasized.
“Despite relentless Russian cyberattacks on Ukrainian networks, which have had spillover impacts on the networks of other European nations, the U.S. has not to-date suffered a major Russian state-sponsored attack,” she said.
The unexpectedly low level of Russian cyber attacks on even Ukrainian interests, at least early in the conflict, came as a surprise to some very well-informed insiders like Sen. Mark Warner, D-Va., chairman of the Senate Intelligence Committee. “Why haven’t we seen the GRU [Russia’s foreign military intelligence agency] – or some of the entities that we know have the capacity to frankly shut down entire systems – shut down the internet” in Ukraine, he asked in March. “We don’t have an answer,” he added.
Apart from CISA’s assessment of the Shields Up campaign’s effectiveness, another important measure helps us in the unclassified sphere to also judge its impact; simply put, if there were major destructive attacks on U.S. critical infrastructure, it’s a good bet we’d all know about it pretty quickly.
Exploits such as the SolarWinds software supply chain attack that came to light in early 2021 might have flown under the radar for many people not involved in technology sectors.
But debilitating attacks on big companies like JBS Foods and Colonial Pipeline that same year disrupted consumer supply chains, made the TV news with gasoline lines, and probably did more than any exploit since the 2015 Office of Personnel Management (OPM) data breach to bring the importance of cybersecurity into the public mind.
Where to From Here?
The answer to “what’s next” tracks with the well-rooted aims of the Shields Up campaign, but also CISA’s much longer-term effort to greatly improve the cybersecurity of U.S. critical infrastructure sectors.
On the one hand, CISA launched the campaign as an important, preemptive action to publicly warn critical infrastructure operators that the then-pending Russian invasion of Ukraine could lead to a ripple effect of cyber attacks on U.S. and western targets. In other words, Shields Up was purpose-directed for the current environment.
On the other hand, the Russian invasion of Ukraine – once seen by many as something that would last for days or weeks – is now seen as a conflict that will last for many more months, or years. The conflict has also rallied many western nations to Ukraine’s defense, and further isolated the Russian government through harsh sanctions. Because the conflict – and the icier relations between Russia and many other countries – won’t be resolving themselves soon, the necessity of the Shields Up effort is unlikely to abate, and its primary themes only continue to grow in importance.
Even if the conflict were to simmer down from its rolling boil, CISA’s longer-term priority to improve critical infrastructure security remains one of the very top tasks for the nation’s risk management agency. In the longer run, the Shields Up campaign – and all of the sensible security steps that it urges infrastructure operators to take – should be properly viewed as just the current phase of a very enduring effort.
Threats Continue Unabated
That view of the enduring value of the Shields Up campaign and its underlying tenets is being borne out by the top brass at CISA in recent assessments.
“We in the cyber world are well aware, the prospect of cyberattacks here at home — whether by Russia or other malign state and non-state actors — will not dissipate anytime soon,” CISA Director Easterly said in early June. That raises the question, she continued, “when will we be able to put our shields down?”
“In today’s complex, dynamic, and dangerous cyberthreat environment, the answer is that our shields will likely be up for the foreseeable future,” Easterly said. The CISA director went on to warn, however, of the possibility of “vigilance fatigue” setting in, and called that “the opposite of what we are aiming for in building a collective cyber defense.”
The future of improving cyber defenses, she said, relies on working with private sector leaders to make the “necessary investments” in security to meet threats from Russian and other nation-state actors.
It will also rely on, in times of elevated threats, “a cyber alert and advisory framework that provides timely warning and recommended actions” both in localized and broader-scale situations, she said. That kind of system, Easterly said, will be “the natural successor to today’s ‘all-on’ Shields Up approach.”
Along those same lines, National Cyber Director Chris Inglis said in mid-June that the cost of entry for cyber attackers remains too low to create truly stout deterrence, but also pledged in the context of the Shields Up campaign that “we’ll never not defend ourselves in cyberspace.”
“The cost of entry for aggressors at this moment is still far too low for us to essentially assume ever that this is over,” Inglis said.
And he said that the current landscape of defending against potential nation-state actors – who may conduct operations that bleed past the Ukrainian borders and into the United States or North Atlantic Treaty Organization (NATO) allies’ infrastructure – as well as other cybercriminals and ransomware groups, represents “an enduring threat at a high level.”
In other words, cybersecurity is the fight that never ends, and the current Shields Up campaign can be viewed as a strong and necessary link in a similar chain of defense strategies stretching beyond the visible horizon.
Where Do Organizations Start?
We asked several top private sector experts where organizations looking to Shields Up for help might start taking steps to improve their security.
“It’s challenging to pick out specific initial areas of focus because every organization is different and each must tailor its cyber modernization plans to its own specific needs,” said Jim Richberg, CISO, Public Sector at Fortinet.
“For some that could mean looking broadly at ways to balance security with a positive user experience for both employees and end users; for others, it could involve focusing on the security and integrity of specific applications,” he said. “Overall Shields Up offers a sound approach that looks at factors such as resources, guidelines, and technology.”
Allan Liska, intelligence analyst and solutions architect at Recorded Future, recommended that “organizations start with the basics and, honestly, doing the basics goes a long way toward accomplishing the goals of Shields Up.”
“Start with good asset and vulnerability management: know what you have, and ensure you are patching on a regular schedule,” he said. “I realize that this is one of those tasks that everyone says to do, but can be extremely hard to do in practice. That’s okay, take baby steps. The goal should be full visibility into your technical stack and a regular patching cadence.”
“Next, you have to have a good backup system in place that is saving your critical data and is regularly tested,” he continued. “Part of that good backup system has to be offline backups, and while there are a lot of new great solutions out there don’t forget that ransomware groups can’t encrypt data on tape. If you have a reliable tape backup system you don’t have to run out and replace it, especially if there are other priorities.”
“Finally, enable Multi Factor Authentication,” he said. “There are a lot of very good and inexpensive, or even free, MFA solutions that work for any sized organization. The great thing about MFA is that it can help cover for other security flaws that have not been fixed.”
Ben Miller, VP of Services at Dragos, said his company “continually finds that OT/ICS environments contain the most critical assets, but are the least understood and monitored areas. An accurate asset inventory list and a defined security architecture are the building blocks of defense, but we can’t stop there.”
“OT-specific network monitoring, combined with contextualized threat intelligence, is proven to proactively identify malicious attacks and results in more secure operations,” Miller said.
Lonnie Price, VP, Cyber and Information Warfare at Peraton, said that “the first steps any organization should take to align with Shields Up include requiring multi-factor authentication for all enterprise systems and applications, updating all software and hardware with the latest patches, and ongoing training to promote safe cyber practices, like CISA’s prudent ‘think before you click’ guidance to all users, at home and at work.”
Enduring Value
Those same private sector security experts also pointed to the enduring value of organizations making cybersecurity improvements – no matter where the current threat is coming from.
“The possibility of a state-sponsored attack is always on the mind of government agencies and is top-of-mind for many given the heightened threat environment we currently face,” Fortinet’s Richberg said. “Director Easterly was right in noting that it doesn’t matter whether the attack comes from Russia or other state or non-state actors – the threat is not going away, and agencies must be prepared.”
He also emphasized that improving collective defenses “will take extensive collaboration between the public and private sectors.”
“With Ukraine as a stark backdrop, we remain mindful that Russia’s formidable cyber forces are highly motivated and have global reach,” said Peraton’s Price. “For years they have probed American networks for weaknesses and are succeeding with such alarming frequency that today’s cyber leaders must divert attention from protection to incident response, investigation, and remediation.
“Fortunately, the guidance from the White House and CISA is spot on,” he continued. “Their recommended cyber measures are prudent and effective. And existing advanced cyber tools and services will also help. This is truly a Team USA effort. With strong partnerships across industry, all levels of government, law enforcement, the Intelligence Community, and our military, we can meet these threats head-on!”
Recorded Future’s Liska noted Easterly’s comment – “we must use this moment to seize the opportunity to make fundamental improvements in the cyber ecosystem” – as particularly salient. “Everyone was expecting a major Russian cyber espionage offensive to accompany the invasion of Ukraine, and to the best of our knowledge that did not happen. But, that doesn’t mean we can breathe a sigh of relief, instead what it means is we need to be redoubling our efforts.”
“So much time in cybersecurity is spent responding to crisis after crisis, that we often forget to use our precious downtime in between crises to be proactive in order to prevent future attacks,” he continued. “Those projects that have been sitting around for months or even years, now is the time to get them put in place before the next challenge from the Russians, the Chinese, North Korea, or Iran is knocking on our door. The more we can do now to set us up for success against the next wave of attacks the less crisis focus we have to be and Shields Up offers great guidelines for that.”
Added Dragos’ Hill, “Agencies with OT/ICS environments are often in the very early stages of their OT cybersecurity journey. There’s a lot of complexity, as more and more devices become interconnected and interdependent.”
“The threat is real, but the defense can get ahead of the challenge, and Shields Up has helped to amplify the challenges of our constantly evolving cybersecurity landscape,” he said.