The head of the Cybersecurity and Infrastructure Security Agency (CISA) said this week that the United States needs to take a page out of Ukraine’s cyber playbook and build more resiliency into its critical infrastructure now.
During the Black Hat security conference in Las Vegas on August 9, CISA Director Jen Easterly cited the courage and tenacity of the Ukrainian people in the years since 2015 and said that exemplifies what resilience looks like in practice.
In a panel discussion alongside Victor Zhora, a top Ukrainian cybersecurity official, Easterly said that a memorandum of cooperation between CISA and Ukraine “allowed us to really focus on how do we effectively share information, best practices, exercise together, train together, figure out how to hunt for adversary activity.”
Easterly went on to describe the need to improve societal resilience.
While Ukraine has shown great resilience in responding to the Russian invasion on thwarting cyberattacks, the U.S. public is far less resilient in the phase of similar threats, such as the Colonial Pipeline ransomware attack and the Chinese spy balloon that floated over the U.S., she said.
“I don’t see that level of resilience in terms of how we respond to potential threats,” Easterly said. “We should be unified as an American people in the face of these very serious threats.”
Easterly noted that while Russia poses a major threat in cyberspace, the U.S. intelligence community’s annual threat assessment noted that in the event of a conflict, China is “almost certainly is capable” of launching disruptive attacks against U.S. pipeline infrastructure as well as rail systems.
Easterly wrote in a recent blog post from CISA that it is critical for the United States to take inspiration from Ukraine’s successes and proactively fortify its defenses and improve its response and recovery mechanisms.
“This will require a major shift in approach, with a deliberate focus on three key elements: risk assessment, resilience planning, and continuous improvement and adaption,” the blog reads.
First, organizations must identify their most critical functions and assets, define dependencies that enable the continuity of these functions, and consider the full range of threats that could undermine functional continuity.
Second, organizations must perform dedicated resilience planning. That includes determining the maximum downtime acceptable for customers, developing recovery plans to regain functional capabilities within the maximum downtime, and testing those plans under real-life conditions.
Finally, organizations must be prepared to regularly adapt to changing conditions and threats. This starts with fostering a culture of continuous improvement, based on lessons learned and evolving cross-sector risks.
“The world has watched the incredible unity of the Ukrainian people to fight on, towards victory, in the face of enormous adversity,” CISA’s blog reads. “It is our hope that in 5 years, global citizens will be able to look back and see the way our nations, our companies, and our people have worked together to learn from each other and improved our collective ability to respond to, recover, and learn from the full range of threats to our nations. We must prepare now for future attacks that we know may be coming.”
