Tolling Points

Former NSA Hacker & Cybersecurity Expert's Advice: Be Vigilant But Don’t Panic

By: Jacob Barron, IBTTA

Category: Stories

As Russia continues to lash out at critics of its invasion of Ukraine, cyber-attack anxiety has been running understandably high—particularly among the owners and operators of America’s infrastructure, which has been labeled a target by analysts and Russian officials alike.

With members on alert, IBTTA brought in one of the country’s foremost cybersecurity experts, former National Security Agency (NSA) hacker Jake Williams, to give us the latest information and answer our most pressing questions. Williams delivered a much-needed (and unexpectedly comforting) reality check in the webinar, “Evaluating Realistic Risk: The Russian Cyber Threat.” While Russia has conducted sophisticated cyber-attacks against Western targets before, Williams noted there are a number of reasons why the threat of an attack today isn’t any greater than it might’ve been before Russia invaded Ukraine.

Rather, there’s reason to believe an attack is even less likely now, and it has to do with one simple thing we tend to think of as limitless when it comes to Russia’s ability to wage cyber warfare: resources.

“It is important to remember that Russian intelligence is really, really busy right now,” Williams said. “We don’t have to be military tacticians to know this is not going as they planned, so even if you have the capacity, and even if you have the desire, do you have the resources?” he asked (“you,” in this case, being the Kremlin). “Probably not. You have bigger things to deal with.”

Other aspects of Russia’s situation on the ground, and of the way the war has been conducted, also stack the deck against a large-scale Russian cyber-attack happening any time soon. “So far NATO has stayed out of the fight other than to provide lethal aid,” Williams said. “They haven’t committed troops. Once you step back and think that if Russia does conduct [a major] cyberattack, that likely could invite retaliation—kinetic retaliation either from the U.S. or from NATO or from the EU. That isn’t in Russia’s interest.”

Williams continued, assuaging concerns some webinar attendees had about repeats of other noteworthy cyber-attacks executed over the last few years, such as when Russian intelligence used ransomware to disrupt operations at shipping giant Maersk in the “NotPetya” attack of 2017, or a single line of malicious code to breach the systems of dozens of companies and government agencies in the 2019-2020 SolarWinds attack. These were attacks on the software supply chain that ensnared a number of huge, high-dollar and high-value private sector targets, not major pieces of infrastructure. This doesn’t mean roadways are completely safe from cyber threats, of course, but the nature of infrastructure in the U.S. makes it more difficult to attack. “There’s not one grid that you’re going to be taking down,” Williams said. “Things are much more complicated.”

Furthermore, in the case of SolarWinds, the cyber-attack took place over an extended period, six to nine months. The attackers found it far more valuable to stay undetected for as long as possible and collect as much data as possible. Taking down a whole system is much less appealing from that perspective, because “you can’t collect intelligence and destroy the network or create a destructive impact on the network at the same time,” Williams said.

So, combine how difficult it would be to really take down a whole piece of U.S. infrastructure, how little intelligence would be gained by doing so, and how badly such an attack could boomerang on Russia, and you have the recipe for a high-risk, low-value target when you’re looking at things like roadways and bridges, Williams noted.

Although there’s little reason for Russia to use a cyber-attack to disrupt U.S. infrastructure right now, that doesn’t mean organizations should disregard the basics of cybersecurity, according to Williams.

First, he said, “Patch, patch, patch. I know this sounds ridiculous, but in my experience in vulnerability management the vast, overwhelming majority of compromises, at the root cause or near the root cause is a failure in vulnerability management. You have to patch and it has to be a deliberate process,” he added, suggesting that the easiest way to make this a bigger priority in organizations is to “rewrite IT job descriptions such that vulnerability management is part of the job description.”

When it comes to information security, Williams talked about the CIA triad, which comprises three core components that guide cybersecurity policies and procedures: confidentiality (is the data private, and are unauthorized users blocked from accessing it?), integrity (can the data be trusted?) and availability (can the data be accessed by the right people when they need it?).

“When I go to my typical systems administrator, they care about only one of those things, and I don’t blame them. They care about availability because that’s what they’re rated on,” Williams said. “Every time you employ a patch there’s some risk that there’s some compatibility issues, and we have to have these outage windows, but it’s got to be patched.” Getting these professionals’ job descriptions changed to make vulnerability management something they’re directly rated on is a surefire way to get IT to have skin in the game when it comes to cybersecurity.

The second thing every organization needs to do is monitor its systems. “Do log review,” Williams said, noting that while these reviews are typically required as part of the compliance process for many regulations, they’re still not a big part of most organizations’ IT operations. “So, when you go back to your organization, ask them if they’re doing log review,” Williams said, “and then ask them ‘for what?’ What are you doing the log review for?”

The reality, he said, is that many times an organization will do log review without knowing what malicious activity to look for. “So often folks are looking for the word ‘hacker’ in the log,” Williams said. “But do they know what that bad activity looks like? That’s where the log review piece is failing. So many people don’t know what to look for.”
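As an added illustration of the distinction Williams draws (this script is not from the webinar or IBTTA), the code below runs two kinds of review over constructed sshd log lines: a keyword search for the word “hacker”, which finds nothing, and a check for a specific behaviour pattern, a burst of failed logins followed by a success from the same source and account. The hostname, usernames and addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines (not real data): a password-guessing run
# against "admin" that eventually succeeds, and one ordinary typo-then-login.
SAMPLE_LOG = """\
Mar 15 02:10:01 tollgw sshd[4101]: Failed password for admin from 203.0.113.7 port 50210 ssh2
Mar 15 02:10:03 tollgw sshd[4101]: Failed password for admin from 203.0.113.7 port 50211 ssh2
Mar 15 02:10:05 tollgw sshd[4101]: Failed password for admin from 203.0.113.7 port 50212 ssh2
Mar 15 02:10:06 tollgw sshd[4101]: Failed password for admin from 203.0.113.7 port 50213 ssh2
Mar 15 02:10:08 tollgw sshd[4101]: Failed password for admin from 203.0.113.7 port 50214 ssh2
Mar 15 02:10:09 tollgw sshd[4102]: Accepted password for admin from 203.0.113.7 port 50215 ssh2
Mar 15 08:00:12 tollgw sshd[4190]: Failed password for jdoe from 198.51.100.20 port 41000 ssh2
Mar 15 08:00:20 tollgw sshd[4190]: Accepted password for jdoe from 198.51.100.20 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


def keyword_review(log: str, keyword: str = "hacker") -> list[str]:
    """The naive review the article warns about: search the log for a scary word."""
    return [line for line in log.splitlines() if keyword in line.lower()]


def brute_force_review(log: str, threshold: int = 5) -> list[dict]:
    """Purposeful review: flag a successful login preceded by at least `threshold`
    consecutive failures for the same (source, user) pair."""
    failures = defaultdict(int)
    findings = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an authentication event; skip
        key = (m["src"], m["user"])
        if m["result"] == "Failed":
            failures[key] += 1
        else:
            if failures[key] >= threshold:
                findings.append({"src": key[0], "user": key[1], "failures": failures[key]})
            failures[key] = 0  # a success ends the streak either way
    return findings


if __name__ == "__main__":
    print("keyword hits:", keyword_review(SAMPLE_LOG))
    print("brute-force findings:", brute_force_review(SAMPLE_LOG))
```

The keyword search returns an empty list on the same input where the behavioural check flags the admin account, which is the gap Williams describes.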

Watch the entire recording of Williams’ webinar here.

Newsletter publish date: Wednesday, March 16, 2022 - 11:15
