Private Companies Urged to Bulk Up Cyber Defenses

WASHINGTON — The White House on Monday urged private companies to bolster their cyber defenses, citing intelligence that suggests the Russian government is exploring “options for potential cyberattacks” on entities and critical infrastructure in the United States.

“To be clear, there is no certainty there will be a cyber incident on critical infrastructure,” said Anne Neuberger, deputy national security adviser for cyber and emerging technology, during Monday’s White House brief with reporters.

“This is a call to action and a call to responsibility for all of us,” she said.

Moments before Neuberger’s appearance alongside White House Press Secretary Jen Psaki, the Biden administration sent out a statement from the president, in which he reiterated past warnings about malicious cyber activity from Russia in response to the “unprecedented economic costs we’ve imposed on Russia alongside our allies and partners.”

“It’s part of Russia’s playbook,” President Biden said, adding that he was repeating his earlier warning “based on evolving intelligence” regarding the Russian government’s activities.

“My administration will continue to use every tool to deter, disrupt and, if necessary, respond to cyberattacks against critical infrastructure. But the federal government can’t defend against this threat alone,” Biden said. 

He noted that most of America’s critical infrastructure is owned and operated by the private sector, and he said these owners and operators must accelerate efforts to lock their digital doors. 

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has been actively working with organizations across critical infrastructure to rapidly share information and mitigation guidance to help protect their systems and networks.

“If you have not already done so, I urge our private sector partners to harden your cyber defenses immediately by implementing the best practices we have developed together over the last year,” the president said. “You have the power, the capacity, and the responsibility to strengthen the cybersecurity and resilience of the critical services and technologies on which Americans rely.

“We need everyone to do their part to meet one of the defining threats of our time. Your vigilance and urgency today can prevent or mitigate attacks tomorrow,” Biden said.

Neuberger said the administration has worked “extensively” over the last year to prepare to meet the cybersecurity threat posed by Russia, and provided “unprecedented warning and advice” to the private sector.

“For example, just last week, federal agencies met with representatives from more than 100 companies to share new cybersecurity threat information, in light of this evolving threat intelligence,” she said. “During those meetings, we shared resources and tools to help companies harden their security … and offered them hands-on support from their local FBI field offices and sister regional offices. 

“The meeting was part of an extensive cybersecurity resilience effort that we began in the fall, prompted by the president. Agencies like the Department of Energy, [the Environmental Protection Agency], [the] Treasury and DHS have hosted both classified and unclassified briefings with hundreds of owners and operators of privately-owned critical infrastructure,” Neuberger said. “In addition, the [National Security Agency] and FBI have published cybersecurity advisories that set out protections the private sector can deploy to improve security.”

Notwithstanding these repeated warnings, Neuberger said, “we continue to see adversaries compromising systems [with] known vulnerabilities for which there are patches.” 

“This is deeply troubling,” she said. “So we’re urging companies today to take the steps within your control to act immediately to protect the services millions of Americans rely on, and to use the resources the federal government makes available.”

Before ceding the press room dais, Neuberger reiterated, “There is no evidence of any sort of specific cyberattack that we’re anticipating. There has been some preparatory activity that we were seeing and we shared that, in a classified context, with companies that we thought might be affected.

“Now, we’re just trying to broaden the awareness and share even fragmentary pieces of information we have to ensure maximum preparedness,” she said.

Dan can be reached at [email protected] and at https://twitter.com/DanMcCue