Warning about the possibility of a Russian cyberattack, President Biden recently said it’s a sophisticated operation that Vladimir Putin is likely to deploy in response to sanctions after Russia invaded Ukraine last month.
The fact that he delivered the message himself — as opposed to the Department of Homeland Security communicating it to the private sector, which is typical — represents a new, serious level of concern from the administration, says Carrie Cordero. She’s a member of the Homeland Security Advisory Council and a senior fellow and general counsel at the Center for a New American Security.
She notes that Microsoft announced a few weeks ago that they were seeing Russia conduct “severe activity” against Ukraine, but the public hasn’t seen any malign Russian cyber engagement against the U.S.
A wide range of organizations and companies could be potential victims, Cordero says. There are 16 different critical infrastructure sectors, including communications, financial services, manufacturing, defense and government facilities. Then there are the utilities and more public sector entities. Right now, the U.S. government doesn’t have specificity about which sectors Russia might target, she notes.
Regardless, individual private companies are responsible for protecting themselves from cyber threats, and the Department of Homeland Security typically works with them on this. “The government can't come in and make changes in a particular company. Instead … it can provide advice, it can provide warning, it can provide recommendations for what companies do,” she says.
“Malign cyber activity” and “cyberattack” have different meanings
Cordero says a “cyberattack” destroys a company or industry’s information so it can’t function. “We've seen Russia do these types of activities … against Ukraine in particular years ago, where the banking sector or computer systems just simply do not function for a portion of the country.”
Meanwhile, “malign cyber activity” is what companies are used to defending against (think: protecting credit card information and personal data).
March 24, 2022 correction: An earlier version of this story included references to information discussed in a private meeting that should not have been disclosed. That portion of the interview has been removed. KCRW regrets the error.