Crisis in Ukraine as a deadline and high-level talks approach.
N2K logoJan 20, 2022

Neither Russia nor NATO show signs of moving from their respective positions over Ukraine, and tensions in cyberspace remain high.

Crisis in Ukraine as a deadline and high-level talks approach.

NATO considers its options as Russian forces remain poised in assembly areas near Ukraine. The AP reviews the Alliance's military options. Both retaliation and inaction carry significant near- and long-term risks. And despite Russian statements placing little hope in diplomacy, and despite Moscow's expectation of receiving a formal response to its soft ultimatum sometime today, the New York Times reports that US Secretary of State Blinken still plans to meet Russian Foreign Minister Lavrov in Geneva tomorrow.

The US states its position in advance of Friday's talks in Geneva.

US President Biden said at a news conference yesterday that he expects Russian President Putin to direct incursions into Ukraine. The New York Times quotes him as saying “My guess is he [President Putin] will move in. He has to do something.” He also indicated that Russia could be expected to test NATO resolve: “Do I think he’ll test the West, test the United States and NATO, as significantly as he can? Yes, I think he will. But I think he will pay a serious and dear price for it that he doesn’t think now will cost him what it’s going to cost him. And I think he will regret having done it.” President Biden saw challenges in maintaining NATO unity, saying “It’s very important that we keep everyone in NATO on the same page. That’s what I’m spending a lot of time doing. There are differences. There are differences in NATO as to what countries are willing to do, depending on what happened, the degree to which they’re able to go.”

President Biden also suggested that minor incursions might not lead the US to exact as serious and dear a price as major incursions would, and observers tend to see this (the Wall Street Journal's coverage is representative) as a slip that may have inadvertently signaled some degree of toleration for the more ambiguous forms of aggression Russia might undertake.

White House press secretary Jen Psaki subsequently issued a statement clarifying the US position on the crisis over Ukraine in a way that seems to resolve any such diplomatic ambiguity. It's brief and clear enough to warrant quoting in full:

"President Biden has been clear with the Russian President: If any Russian military forces move across the Ukrainian border, that’s a renewed invasion, and it will be met with a swift, severe, and united response from the United States and our Allies. President Biden also knows from long experience that the Russians have an extensive playbook of aggression short of military action, including cyberattacks and paramilitary tactics. And he affirmed today that those acts of Russian aggression will be met with a decisive, reciprocal, and united response."

This will not be received as a positive response to the Russian government's proposals for resolving the crisis. Those proposals would have required an extensive and public retreat by NATO from the forward defense of its eastern member nations. (Ukraine is not a member, yet, and forestalling Ukrainian admission to NATO is a central Russian objective.) Note that the White House statement refers to aggression short of military action, including both cyberattack and paramilitary operations (that is, plausibly deniable action by proxies, irregulars, or special forces) and promises not a proportional or asymmetric response, but a "reciprocal" response.

Preparing defenses against a Russian cyber threat.

CISA has urged organizations to take steps to shore up their defenses in advance of possible Russian cyber operations. Last week's data-wiping attacks against Ukrainian targets are seen, BleepingComputer reports, as a bellwether. The Drive says the US Government's assessment is that such attacks could produce "widespread damage" to US infrastructure.

NSA will oversee US National Security Systems.

US President Biden yesterday morning signed National Security Memorandum / NSM-8 (Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems) which specifies how Executive Order 14028, Improving the Nation’s Cybersecurity, will apply to National Security Systems (NSS), most of which are operated by the Department of Defense and the Intelligence Community systems. It brings these systems' cybersecurity under the supervision of the National Security Agency (NSA), and it gives NSA authority to issue Binding Operational Directives to the organizations that operate the systems. "This directive is modeled on the Department of Homeland Security’s Binding Operational Directive authority for civilian government networks," the White House fact sheet that accompanied NSM-8 says, and the expectation is that NSA will learn from the Cybersecurity and Infrastructure Security Agency's (CISA) experience in securing the Federal civilian networks it oversees. NSM-8 lays out a one-hundred-eighty-day timeline, with appropriate milestones, for NSA to formulate guidance and for the affected agencies to complete and report compliance.

Russia isn't mentioned in NSM-8, but the timing and context of the memorandum clearly suggest that it was issued with current threats from Russia in mind. The White House fact sheet ticks off the customary list of Administration accomplishments by way of providing background: "And internationally, the Biden Administration has rallied G7 countries to hold accountable nations who harbor ransomware criminals, updated NATO cyber policy for the first time in seven years, and brought together more than 30 allies and partners to accelerate our cooperation in combatting cybercrime, improve law enforcement collaboration, and stem the illicit use of cryptocurrency."

NSM-8's major near-term provisions touch upon cloud migration, Zero Trust Architecture, multifactor authentication, and cryptographic interoperability, which it summarizes as follows:

"( i)  Within 90 days of the date of this memorandum, the Committee on National Security Systems (CNSS) shall develop and publish guidance, in addition to CNSS Instruction (CNSSI) 1253, regarding minimum security standards and controls related to cloud migration and operations for NSS, taking into account migration steps that the National Institute of Standards and Technology (NIST) within the Department of Commerce has outlined in standards and guidance.

"(ii)  Within 60 days of the date of this memorandum, the head of each executive department or agency (agency) that owns or operates an NSS shall, consistent with its statutory authority:

"(A) update existing agency plans to prioritize resources for the adoption and use of cloud technology, including adoption of Zero Trust Architecture as practicable;

"(B) develop a plan to implement Zero Trust Architecture, which shall incorporate, as appropriate:

"(1) NIST Special Publication 800-207 Guidance (Zero Trust Architecture);

"(2) CNSS instructions on Zero Trust Reference Architectures; and

"(3) Other relevant CNSS instructions, directives, and policies regarding enterprise architectures, insider threats, and access management; and

"(C) provide a report to the CNSS and National Manager discussing the plans required pursuant to section 1(b)(ii)(A) and (B) of this memorandum.

"(iii) Within 180 days of the date of this memorandum, agencies shall implement multifactor authentication and encryption for NSS data-at-rest and data-in-transit. In those instances where the head of an agency determines the agency is unable to implement these measures, the head of the agency shall authorize an exception pursuant to the process provided in section 3 of this memorandum.

"(iv)  To ensure widespread cryptographic interoperability among NSS, all agencies shall use NSA‑approved, public standards-based cryptographic protocols. If mission-unique requirements preclude the use of public standards-based cryptographic protocols, NSA-approved mission unique protocols may be used. An agency shall not authorize new systems to operate that do not use approved encryption algorithms and implementations, absent an exception authorized by the head of an agency pursuant to section 3 of this memorandum."

Not all of the memorandum's directions are focused on near-term risk management (there is, for example, some discussion of the implications of quantum computing on cryptography).

Russian cyber operations against Ukraine: an update.

CSO has published a useful timeline of events surrounding Russian cyberattacks against Ukrainian targets.

  • January 11th: the US releases Alert (AA22-011A) Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure.
  • January 13th - 14th: Ukrainian websites suffer defacements in connection with a fake ransomware campaign.
  • January 14th: Russian police raid the REvil ransomware gang. It's not clear whether the arrests are connected with tensions in Ukraine, but they were an unusual gesture of international cooperation against a cybercriminal organization widely regarded as having functioned as privateers tolerated by the Russian government. The arrests may have been intended to position Russia as a good citizen in cyberspace, clouding suspicion of Moscow's malign operations against its neighbor.
  • January 15th: Microsoft publishes an account of WhisperGate, the pseudo-ransomware used against Ukrainian targets.
  • January 16th: Kyiv attributes responsibility for the cyberattacks to Moscow.

Since Microsoft's revelations about WhisperGate, CrowdStrike has analyzed the bootloader used in the campaign. Their assessment reads in part:

"The activity is reminiscent of VOODOO BEAR’s destructive NotPetya malware, which included a component impersonating the legitimate chkdsk utility after a reboot and corrupted the infected host’s Master File Table (MFT) — a critical component of Microsoft’s NTFS file system. However, the WhisperGate bootloader is less sophisticated, and no technical overlap could currently be identified with VOODOO BEAR operations."