![](\"https:\/\/media.wired.com\/photos\/620bcf977d11d746344b5936\/master\/pass\/Science_Ukraine_GettyImages-1231220523.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Garrett M. Graff| Date: Tue, 15 Feb 2022 17:10:41 +0000<\/strong><\/p>\n Garrett M. Graff<\/a><\/span><\/span><\/p>\n To revist this article, visit My Profile, then View saved stories<\/a>.<\/p>\n To revist this article, visit My Profile, then View saved stories<\/a>.<\/p>\n As Russian troops<\/span> remain amassed on Ukraine\u2019s border, the possibility looms that tensions may spill over to a cyberattack with international consequences. If so, the first sign to the US government will likely come in a Slack message read at Eric Goldstein\u2019s desk in a generic office building in Ballston, Virginia.<\/p>\n Goldstein oversees the Joint Cyber Defense Collaborative, launched last year to provide what the agency calls \u201cvisibility at scale\u201d over US network and private sector critical infrastructure. That means CISA may be on the front lines of any escalation by Russia that ripple all the way to the US homeland. Officials and private sector leaders are hurriedly patching, preparing, and war-gaming in case Russia decides to launch direct attacks against US infrastructure, unleash a flood of disruptive ransomware<\/a>, or aim a tailored cyberattack against Ukraine<\/a> that spills over into US networks.<\/p>\n The JCDC is so new that it still only exists virtually and hasn\u2019t yet moved into its physical space in CISA\u2019s offices in northern Virginia. It\u2019s meant to serve as something like a unified command center for US internet infrastructure, bringing together nearly two dozen private sector security and network firms; today, its Slack channel includes companies like Cloudflare, CrowdStrike, Mandiant, Microsoft, Verizon, Google Cloud, and Amazon Web Services. In addition to CISA, the NSA, the FBI, and US Cyber Command representatives are participating on the government side.<\/p>\n The collaboration center gives network monitors a place and community to quickly identify and share odd happenings, potential breaches, and suspicious activity. It confronted its first crisis in early December, with news of vulnerabilities in the widely used logging library Log4j<\/a>. At the time, CISA director Jen Easterly called the vulnerability the \u201cmost serious<\/a>\u201d she\u2019d seen in her entire career, and the group moved quickly to confront it\u2014convening on a Saturday to discuss the initial dangers and by Monday launching a comprehensive GitHub page<\/a> to coordinate mitigation efforts.<\/p>\n Now, just weeks later, the US government and the Biden administration\u2019s cyber team face another serious risk as the White House warns of a possible Russian invasion of Ukraine\u2014an event that many in private industry and Western governments worry could spill over, purposely or accidentally, to computer networks far from any Eastern European battlefield. \u201cWe hope to leverage the muscle memory that we've created through Log4j to apply to potential activity coming out of the Russia-Ukraine crisis,\u201d says Easterly, who spoke with WIRED late last week in her first extended public comments on the looming war.<\/p>\n Even as they\u2019ve warned of an increasing chance of war, officials in the US and UK have been careful to state that they don\u2019t see specific threats. They\u2019re instead expressing a generalized unease at Russia\u2019s geopolitical recklessness and its history of nefarious cyber activity, as well as the sheer complexity and connectedness of digital ecosystems.<\/p>\n \u201cThere are currently no specific credible threats to the US homeland coming out of this particular Russia-Ukraine crisis, but we are very mindful of the potential for Russia to consider escalating in destabilizing ways that may impact others outside of Ukraine,\u201d Easterly says. \u201cGiven how the US and our partners may react to an invasion, we\u2019re also very mindful of the connectivity of infrastructure around the world and that you might have cascading impacts that may be either intended or unintended.\u201d<\/p>\n Friday night, hours after White House national security advisor Jake Sullivan warned that the US believes a Russian invasion may be imminent and after the State Department urged all US citizens to evacuate Ukraine, CISA launched a new website, called Shields Up<\/a>, that warns about the rising threat of Russian hostilities affecting the online ecosystem. This follows similar efforts by the UK government<\/a> and other European nations to prepare for the effects a Russian war may bring to countries beyond Ukraine\u2019s borders.<\/p>\n The Shields Up moniker builds on a unique and colorful online superhero persona Easterly has created since she was confirmed by the US Senate last summer as CISA\u2019s second-ever director. Her Twitter profile picture is a comic book-style drawing of her dressed as a superhero in a cape and bodysuit emblazoned with CISA\u2019s logo. In what was surely a first for a senior US government official, Easterly appeared at a Black Hat keynote last summer wearing dragon pants and a \u201cfree Britney\u201d T-shirt and solved a Rubik\u2019s Cube behind her back while she spoke. In announcing the new website, Easterly tweeted, \u201cALL organizations must adopt a heightened posture of vigilance. The time to act is NOW. We\u2019re urging all orgs to put #ShieldsUp.\u201d<\/p>\n \u201cYou might have cascading impacts that may be either intended or unintended.\u201d<\/p>\n Jen Easterly, CISA director<\/p>\n The Shields Up push is the latest in a flurry of US government activity since the new year warning private industry to prepare for spillover effects if the situation in Ukraine continues to deteriorate. Behind the scenes, the FBI has increased its reporting tempo on suspicious cyber events and urged US industry to share more information about attacks, probes, and phishing campaigns spotted on individual networks. The White House\u2019s National Security Council, under the auspices of deputy national security advisor for cyber and emerging technologies Anne Neuberger, convened a closed-door meeting on January 31 with industry partners to warn of possible Russian escalation.<\/p>\n The efforts are part of a governmentwide push that started almost as soon as US intelligence began warning of increased Russian buildups along the Ukrainian border in December. \u201cWe started leaning really far forward on this around late 2021,\u201d Easterly says. \u201cWe began a pretty deliberate outreach campaign, providing classified TS-level [top-secret] information down to the unclassified level to ensure that all of our industry partners were aware of potential risk, and then talking through key mitigations and steps that they should take.\u201d<\/p>\n Neuberger says the administration is keenly focused on three specific interrelated efforts: Working with Ukraine to shore up its own cyber defenses, working with European allies and partners\u2014like NATO\u2014to shore up Western defenses and coordinate any potential response to further Russian aggression, as well as shoring up cybersecurity defenses domestically. \u201cThe White House has been coordinating the interagency to ensure that we are postured to react quickly to any eventuality, both within the government and with our private sector partners,\u201d Neuberger says, referring to the formal National Security Council process that brings together different arms of the government.<\/p>\n Neuberger herself traveled to Europe early this month to meet with cyber-focused counterparts in Brussels and at NATO, then journeyed to Warsaw to meet with Polish and Baltic cybersecurity officials; she also met with representatives from what are known as \u201cB9\u201d nations, the NATO nations that make up the security alliance\u2019s Eastern flank, closest to Russia. In each meeting, the theme was the same: How can Western nations be better prepared for a coordinated response to cyber aggression from Russia?<\/em><\/p>\n \u201cThe Russians have used cyber as a key component of their force projection over the last decade, including previously in Ukraine,\u201d Neuberger says. \u201cThe Russians understand that disabling or destroying critical infrastructure\u2014including power and communications\u2014can augment pressure on a country\u2019s government, military, and population and accelerate their acceding to Russian objectives.\u201d<\/p>\n In recent weeks, nearly every corner of the US government has been brought to bear on that same question: The Transportation Security Administration, which oversees pipeline security, in addition to its better-known role of passenger screening at airports, has issued directives to pipeline companies; the Environmental Protection Agency has recently hosted two webinars for more than 400 water utilities about necessary security steps; and the Department of Energy held comparable, CEO-level briefings for energy companies.<\/p>\n More public-facing government efforts have come in the form of a mid-January advisory<\/a> from CISA, the NSA, and the FBI outlining common tactics and techniques for Russian cyber operations, ranging from preferred Cisco routers to Microsoft Exchange vulnerabilities. Last week, those agencies issued another joint advisory, along with international counterparts from Australia and the UK highlighting the proliferation of ransomware attacks against critical infrastructure in 2021. While the advisory never specifically mentions Russia, many of the worst attacks of 2021 stemmed from Russia-based groups like REvil<\/a>.<\/p>\n Russia has long treated its neighbor Ukraine as a real-world sandbox in which to test cyberattacks. In 2015, Russia brought down the country\u2019s power grid<\/a>. In 2017, it set loose the NotPetya ransomware<\/a>, which corrupted Ukrainian tax software and went on to cause as much as $10 billion in damage to international companies that did business in the country. The shipping company Maersk saw some 80,000 computers destroyed; FedEx suffered nearly half a billion dollars in damage; and drug company Merck saw upwards of $800 million in losses.<\/p>\n A more recent attack came in mid-January, as dozens of Ukraine government websites were knocked offline and defaced, replacing the sites with text that warned, \u201cBe afraid and expect the worst.\u201d While that attack may have originated from Russian ally Belarus, subsequent destructive malware hit Ukrainian systems, posing as ransomware but deleting data<\/a>. US officials have also warned of \u201cspecific, credible<\/a>\u201d threats against Ukraine\u2019s critical infrastructure. On Tuesday, an apparent DDoS attack hit<\/a> the websites of Ukraine's Ministry of Defense, Armed Forces, and two major banks, although it's unclear who's responsible.<\/p>\n The US government has long been intimately involved in helping understand and mitigate Ukraine\u2019s cyber risk, collaboration that it hopes will also help it understand and mitigate threats to the homeland. US Cyber Command has conducted what it calls \u201chunt-forward<\/a>\u201d missions in Ukraine, deploying teams to the country to search for malware as part of a strategy known as \u201cpersistent engagement,\u201d developed by its commander, general Paul Nakasone<\/a>, in an effort to keep the US in constant contact with its primary adversaries in the most active arenas in cyberspace.<\/p>\n On the civilian side, CISA works closely with Ukrainian cybersecurity agencies, and the US Agency for International Development has for years run large-scale<\/a>, multimillion-dollar programs<\/a> to help Ukraine protect its own critical infrastructure against cyberattacks. \u201cWe've also more recently, as you can imagine, been communicating with CERT-Ukraine to provide reports of possible activity targeting Ukrainian organizations, including Ukrainian government agencies,\u201d Easterly says, referring to the country\u2019s computer emergency response team. \u201cWe are standing in to be able to be helpful for them.\u201d<\/p>\n Conversations in recent weeks with more than a dozen senior cybersecurity leaders across the US government, tech companies, and the private sector\u2014many of whom asked to speak anonymously in order to candidly discuss a dynamic threat environment\u2014outlined major areas of risk they\u2019re collectively watching, as Russia has already demonstrated a sometimes brutal effectiveness online.<\/p>\n While many expect Russia to deploy information operations regionally, including disinformation and perhaps even hack-and-leak operations similar to those it used to target the 2016 US presidential elections, the two leading threats are a scourge of ransomware and so-called collateral damage. \u201cLooking back at NotPetya, that\u2019s a huge cautionary tale,\u201d Easterly says, pointing to the many US companies or Western subsidiaries that do business in Ukraine and thus have interlocked digital systems.<\/p>\n Few officials believe Russia would purposefully target US networks, at least at the start of any campaign against Ukraine, and think Russia would only do so if the US or NATO dramatically escalated a Ukraine conflict. They note that Russian state actors, unlike those in North Korea or Iran, have never deliberately carried out destructive cyberattacks on US infrastructure or companies.<\/p>\n