European Union Officials Call for Stricter Cyber RulesProposal Comes Amid US Warning That Russians Could Level Attacks on the West
Just one day after the White House warned that intelligence is pointing to potential offensive cyberattacks out of Moscow, European Union officials are calling for more stringent cybersecurity rules.
On Tuesday, the European Commission, the EU's 27-member executive branch, called for a cybersecurity risk framework it would implement to stem cyberthreats emanating from the Kremlin, according to Reuters. This comes as the latter wages war in Ukraine, a former Soviet state, and as the West, including the Biden administration, has hobbled the Russian Federation with economic sanctions.
According to the same report, the proposal comes as part of a Cybersecurity Regulation package that would also create a board to implement the rules. The board would require EU institutions, bodies and agencies to identify cybersecurity risks, create a plan to bolster cybersecurity, assess their security posture and share incident details. The proposal follows calls from EU ministers earlier this month to establish a cybersecurity emergency response fund, the same report indicates.
"It is critical to build a strong shield against cyberthreats and incidents that could disturb our capacity to act," said Budget Commissioner Johannes Hahn, according to Reuters.
West: On Alert
EU officials appear to be piggybacking off the White House's words of caution on Monday. The Biden administration - in fact, the president's national security adviser for cyber and emerging technology - warned that the long-feared Russian cyber escalation may yet come to pass, particularly amid a reeling Russian economy.
Anne Neuberger, who sits on Joe Biden's National Security Council, told reporters that "there is no certainty there will be a cyber incident on critical infrastructure. [But] this is a call to action and a call to responsibility for all of us" (see: Illicit Crypto Activity Detected by US Treasury Department).
Neuberger said the administration has detected "preparatory activity" and that specific companies, potentially at-risk organizations, have been privately briefed.
Biden followed this up in a written statement late Monday, saying: "Today, my administration is reiterating [previous] warnings based on evolving intelligence that the Russian government is exploring options for potential cyberattacks. … My administration will continue to use every tool to deter, disrupt, and if necessary, respond to cyberattacks against critical infrastructure. … [And] we need everyone to do their part to meet one of the defining threats of our time."
In a White House fact sheet, administration officials urged organizations to implement mandatory multifactor authentication, run tabletop exercises, enhance detection and response capabilities, back up and encrypt data, and focus on other cyber hygiene measures.
An Unprecedented Warning?
Cybersecurity experts were quick to respond to the White House's rhetoric this week.
"Considering the target is toward the U.S.-defined critical infrastructure, organizations must implement the various safety requirements to protect their data and systems," says James McQuiggan, education director for the Florida Cyber Alliance and security awareness advocate for the firm KnowBe4. "The mitigating threat tactics put forth by CISA's 'Shields Up' will require boards to approve and fast-track spending for products and services not already implemented."
Mike Hamilton, former vice chair for the DHS State, Local, Tribal, and Territorial Government Coordinating Council and current CISO for the security firm Critical Insight, says: "The language … is beginning to edge up on 'specific and credible' threats, although it involves 'evolving intelligence.' … Part of this may be driven by the pretext that has been provided by an army of volunteers."
Others call the move "unprecedented."
"Cyberwar is not military versus military; all organizations, across public and private sectors, will have to defend themselves from attack," says Justin Fier, vice president of tactical risk and response for the firm Darktrace. He has supported efforts within the U.S. intelligence community and says, "Organizations must take advantage of this unprecedented access to government threat intelligence and heed these warnings."
Despite the straightforward messaging out of Washington, D.C., the Kremlin on Tuesday reportedly dismissed related warnings.
In fact, according to Reuters, Dmitry Peskov, a spokesperson for the Kremlin, reportedly told journalists on Tuesday: "The Russian Federation, unlike many Western countries, including the United States, does not engage in state-level banditry."
The Russian government has previously denied nation-state cyber activity that has crippled foreign networks - including alleged DDoS attacks hitting Ukrainian banking and government sites in the lead-up to the Feb. 24 invasion.
Briefing the press on Tuesday, Pentagon spokesperson John Kirby said the Department of Defense has not yet suffered related cyberattacks.
"Our systems get attacked every day, and so building cyber resilience and cyber defenses is an ongoing process here," Kirby added.
Meanwhile, in Russia, Vasily Shpak, the country's deputy industry and trade minister, has reportedly recommended that Russia bolster its cyber troops to protect the federation and "demonstrate patriotism," according to Reuters.
Last week, Russia reported "unprecedented" cyberattacks on its networks. According to a report from The Washington Post, the country's Ministry of Digital Development, Communications and Mass Media told state-run media agency Tass that it is "registering unprecedented attacks on government agencies' websites. This includes DDoS attacks reaching 500GB and climbing to 1TB (see: Russia Says It's Seen 'Unprecedented' Level of Cyberattacks).
Incoming attacks in Russia reportedly include attacks on government and banking sites - including its central bank - and officials there are reportedly "filtering foreign internet traffic," according to the same report.
Incentive for Cyber Strikes?
Despite the Kremlin's dismissal, cybersecurity experts have long contended that Russia could activate its elite hackers to target U.S. or European infrastructure - especially as the economic sanctions leveled by Biden begin to take hold.
To date, the U.S. and its allies have partially expelled Russian banks from the international bank-messaging system SWIFT, banned the import of Russian oil, individually sanctioned Vladimir Putin and members of his inner circle and targeted the funds and luxury items of Russian oligarchs - moves that drove the ruble to all-time lows.
To some, this could be incentive for Putin to respond.
The Russians, U.S. officials have said, have long meddled in U.S. networks, driving disinformation around the 2016 and 2020 elections, and allegedly conducting the late 2020 SolarWinds cyberespionage campaign, which fast-tracked a series of cybersecurity modernization efforts within the federal government.
In 2021, Biden met with Putin in Geneva to discuss the surge in ransomware - which U.S. officials at the time suggested was thriving within Russia's borders - and laid out 16 critical infrastructure sectors that were to remain off-limits (see: Analysis: The Cyber Impact of Biden/Putin Summit Meeting).
The Russians later conducted enforcement efforts against known ransomware operators, in late 2021, though foreign policy experts say it could have been a distraction from Russia's troop buildup in eastern Ukraine between November 2021 and February 2022.
In late 2021 and early 2022, with U.S. intelligence reportedly pointing to an imminent invasion of Ukraine by the Russians, the cybersecurity community was quick to react - issuing a "Shields Up" warning for U.S. organizations. Though any sort of cyber blitz has yet to occur, officials urge U.S. organizations to remain on high alert, especially as the Russian Federation grows increasingly isolated on the world stage.