Biden Administration urges American companies to act quickly to improve cybersecurity safeguards
The Biden Administration warned yesterday that Russia is exploring options to engage in cyberattacks in response to the heavy sanctions imposed by the US and its allies. The Administration urged American businesses to proactively prepare for those attacks.
While the Administration noted the significant efforts being made by federal agencies and critical infrastructure partners to improve their cybersecurity posture, the Administration’s fact sheet and the President’s accompanying statement call on businesses of all sizes to take key steps to thwart nation-state bad actor activities.
The White House recommends that companies take the following steps and stresses the urgency of doing so:
- Mandate the use of multi-factor authentication (MFA) on company systems (note, however, that Russian state cyber actors have recently exploited misconfigured MFA protocols, so companies should take steps to ensure that default protocols are configured and updated appropriately).
- Deploy modern security tools on company computers and devices to continuously scan for and mitigate threats.
- Be particularly vigilant about patching systems and protecting against all known vulnerabilities.
- Change passwords across company networks so that previously stolen credentials are useless (consider doing so on an accelerated schedule even if password policies set longer expiration periods).
- Back up company data and ensure that there are offline backups beyond the reach of malicious actors.
- Run tabletop exercises and drill company emergency plans to be prepared to respond quickly to minimize the impact of any attack.
- Encrypt data so it cannot be used if it is stolen.
- Educate employees about common tactics attackers use over email or through websites (e.g., phishing or spearphishing campaigns, requests to open malicious email attachments, requests to fill in usernames and passwords on websites linked in emails).
- Encourage employees to report if their computers, phones, or other devices have shown unusual behavior, such as unusual crashes or sluggish operation.
- Engage proactively with local FBI field offices or a Cybersecurity and Infrastructure Security Agency (CISA) Regional Office to establish relationships in advance of any cyber incidents.
- Encourage IT and Security leadership to visit CISA and FBI websites to locate technical information and other useful resources.
In addition to the recommended immediate steps, the Administration laid out recommended actions technology and software companies can take to help improve US cybersecurity on a more long-term basis. The recommendations include:
- Take a “security-by-design” approach to product and software development. “Bake it in, don’t bolt it on.”
- Use software development platforms that are highly secure and accessible only to those working on a given product or project. This limits the ability of bad actors to move laterally through a company’s systems.
- Use modern tools to scan code and find coding errors before software or updates ship, so that bad actors cannot take advantage of these vulnerabilities in the wild.
- Know the origin of components and code libraries integrated into the software. Consider maintaining a “software bill of materials” in case components or libraries are later found to have a vulnerability so that the offending code can be quickly remediated.
- Implement the security practices laid out in the President’s Executive Order, Improving the Nation’s Cybersecurity. While these practices are required for software suppliers to the US government, the Administration encourages all companies to voluntarily adopt them.
In response to the heightened threat from Russia, CISA also recently urged organizations to follow a “Shields Up” defense-in-depth approach. CISA’s announcement provides guidance and recommendations for organizations, corporate leaders, and individuals on threat mitigation steps to combat ransomware and other cyberattack risks.
Bottom line: The threats we are seeing in all industries are real. Don’t wait. Act now to modernize your cybersecurity protections and to train your workforce.
Learn more about the implications of these developments for your business by contacting any of the authors or your usual DLA Piper relationship partner.