At a glance.
- Cyber operations likely as Russia pressures Ukraine.
- US, Japan, to discuss cooperation against ransomware.
- A look at the future of cyber regulation in the US.
The West prepares for cyberattacks as precursor to Russian aggression in Ukraine.
As the potential threat of another Russian invasion of Ukraine looms, the West is preparing for the possibility of cyberattacks targeting Ukraine or its Western allies. CPO Magazine says US officials recognize Moscow might use cyberattacks as an opening maneuver, incapacitating the country’s essential services and sowing distrust in the Ukrainian government in order to provide an excuse for invasion or the installation of a regime more welcoming of Russian influence. British intelligence officials have called Ukraine “Russia’s cyber playground,” as in 2015 and 2016 Moscow hacked the country’s electrical grid, knowing Christmas staffing shortages would allow an attack to go unnoticed until too late. Allies worry a similar holiday surprise could be planned in time for January’s Orthodox Christmas observance. There’s also the possibility that Russia could follow in China and Iran’s footsteps and begin targeting the Log4j vulnerability that is plaguing systems all over the world. In preparation, NATO recently set up a Cyberspace Operations Centre in Belgium, and the US and UK have dispatched cyberwarfare teams to Ukraine. Moscow could also target Ukraine’s Western allies, but experts note the country must be cautious in order to avoid triggering Article 5, which states that an attack against one NATO member is considered an attack against all and could provoke collective defensive measures. Matthew Schmidt, a national security expert at Connecticut’s University of New Haven, told CBC News, “I think they could expect high-level cyberattacks just short of Article 5, just short of war, whether or not Putin goes into Ukraine.”
Japan and US to discuss ransomware at January summit.
A virtual meeting of the Japan-US Security Consultative Committee, also known as the “2-plus-2,” scheduled for January 7 will concentrate on improving the countries’ collaboration on ransomware measures. Though details have not been disclosed, The Record by Recorded Future reports that US Defense Secretary Lloyd Austin, US Secretary of State Antony Blinken, Japanese Defense Minister Nobuo Kishi, and Japanese Foreign Minister Yoshimasa Hayashi are expected to discuss increased information sharing, ways to cooperate in the identification of hacker groups, and measures to improve cyber-resilience in the private sector.
US tightens up on industry cyber-regulations.
The Wall Street Journal reports that the New Year will bring more aggressive cyber-regulations for US companies. In May of 2021, a presidential executive order from the Biden administration tightened cyberattack reporting regulations and introduced requirements for dedicated cybersecurity liaisons and zero-trust network policies, and last week the president signed the National Defense Authorization Act of 2022 (NDAA), which gives the private sector more responsibility in protecting the US’s critical infrastructure. Nextgov notes that the NDAA also includes the establishment of the CyberSentry program, which focuses on codifying public-private partnerships in order to allow uninterrupted monitoring of industrial control systems and the development of ‘know your customer’ guidelines for service providers. As Representative Jim Langevin, chair of the House Armed Services’s cybersecurity subcommittee, told The Hill, the increased regulations are the reaction to an onslaught of attacks in 2021 that strained the US’s cybersecurity defenses. “Everybody’s consciousness had been raised with respect to threats in cybersecurity, everything from the ransomware attacks, to other different types of cyber intrusions which have taken place. We have more awareness now, more members are paying attention to it than ever before,” Langevin stated.
Laura Brent, senior fellow at the Center for a New American Security, feels the measures might not be strong enough. “Given the scale of the cyber challenge…the NDAA lacks the necessary sustained urgency. Most significantly, requirements for even some industry reporting of cyber incidents and ransomware payments to the government were not included—despite being key for the government to get better insight into cyber threats.” By contrast, some companies find the NDAA too strict: although the measures rely on voluntary participation, the heightened regulations feel mandatory. Sujit Raman, a partner at law firm Sidley Austin LLP and a former associate deputy attorney general at the Justice Department, explained, “They have moved quite aggressively away from voluntary standards and have been willing to impose mandatory standards. It’s disruptive in a novel way.”