The Russian cyberattack threat might force a new IT stance

There’s a lot of fear of possible Russian cyberattacks stemming from Russia’s attempted takeover of Ukraine. Perhaps the biggest worry —and quite possibly the most likely to materialize — is that these cyberattacks will likely be finely tuned as retaliation for US financial moves against the Russian economy. 

The cyberattacks would be designed not to steal money or data per se, but to harm the US economy by strategically hitting major players in key verticals. In other words, the Russian government might say, “You hurt our economy and our people? We’ll do the same to you.”

Thus far, there’s no evidence of any large-scale attack, but one could be launched at any time. 

Brad Smith, a managing director for consulting firm Edgile, argues that enterprise IT and security executives need to change their thinking during the ongoing war. 

“The timeframes and the criticality of the investments that organizations need make around the defense of their attack surface need to be altered and looked at through a different lens and a different perspective,” Smith said.

Waiting to invest in stronger security until attacks are already visible is too late. “The threat now is an existential one,” he said. “The nature of what you’re trying to protect yourself against has fundamentally changed, so your behavior has to change as a result.”

It’s also critical to remember, Smith said, that the attackers’ goals are different than usual. “The threat is coming from organizations that are not interested in taking your information or leaving your systems alive afterwards,” Smith said. “They are simply trying to do as much damage as possible in order to disrupt businesses and thereby disrupt the American economy.”

This does raise the question of why more visible attacks have yet to materialize. Have the attacks already happened, planting digital timebombs in selected targets to either go off at a predetermined day/time or at the instant a trigger command is issued? That would have the dramatic result of everything detonating at once.

Various US government agencies have warned of imminent attacks, but the very few specifics they have offered generally amount to, “Do what every enterprise CISO knows they should have done years ago.” 

One of the better warnings came March 24 from the U.S. Cybersecurity & Infrastructure Security Agency (CISA). After listing a variety of blindingly obvious suggestions — “Set and enforce secure password policies for accounts.” Really? Who would have ever thought of doing that? — CISA encourages far more implementations of VLANs (especially for networked printers and similar devices) as well as one-way communication diodes. 

CISA also offers a general thought that needed to be far more specific: “Enforce multifactor authentication (MFA) by requiring users to provide two or more pieces of information (such as username and password plus a token, e.g., a physical smart card or token generator) to authenticate to a system.” 

First, in 2022, CISA should be actively discouraging passwords entirely. Enterprise passwords should have died out years ago. Secondly, some MFA approaches are far more secure than others. (I won’t rant again about the worst MFA approach of sending unencrypted text via SMS; that is nothing more than terrible cybersecurity masquerading as decent cybersecurity.) How about encouraging mobile app authenticator approaches, which are low cost and easily accessible? 

What CISA didn’t say, and what Smith strongly implied, is that CISOs and CIOs need to take a war footing and change their thinking about end-user friction.

Today, IT, security, and line-of-business executives are terrified of making their users jump through too many authentication hoops, albeit for very different reasons. The line-of-business executives are worried about anything that could slow down efficiency, while CISOs are more worried about end-users getting frustrated and doing end-runs about the protections.

But now it’s time to up authentication strictness and allow end-user friction to rise. After all, the attack goal is not to steal customer data as much as it is to shut down operations. Think about hospitals and power plants and other high-value targets. Those attacks could easily kill people. Against that kind of threat, does a few minutes of inconvenience really matter?

That all said, there is an operational problem here. What if the attacks don’t come up for months? Or worse, what if they come and we never know when they are completed? Are enterprises expected to maintain a war footing forever.

That is not a question easily answered. On the one hand, cyberthieves of non-war-kinds are always going to be here and their attacks are going to continuously get more sophisticated. Wouldn’t that suggest that war-footing should be permanent? 

Also, non-friction doesn’t have to mean weak-authentication or weak cybersecurity. Consider behavioral analytics and continuous authentication. It’s not new security as much as a new way of thinking about security. And during a war, new ways of thinking could be what fends off successful attacks.