WASHINGTON, D.C. — The White House this week warned that Russia could launch cyberattacks against critical U.S. infrastructure.

According to the Biden Administration, “If you have not already done so, I urge our private-sector partners to harden your cyber defenses immediately by implementing the best practices we have developed together over the last year. You have the power, the capacity, and the responsibility to strengthen the cybersecurity and resilience of the critical services and technologies on which Americans rely. We need everyone to do their part to meet one of the defining threats of our time—your vigilance and urgency today can prevent or mitigate attacks tomorrow.”

Deputy NSA for Cyber and Emerging Technologies Anne Neuberger told the White House Press that there has been no indication that an attack is imminent, but that those in charge of critical infrastructure should do their due diligence and prepare for the worst. 

“The majority of our critical infrastructure, as you know, is owned and operated by the private sector. And those owners and operators have the ability and the responsibility to harden the systems and networks we all rely on,” said Neuberger.

The White House told companies this week that the following steps should be implemented with urgency: 

• Mandate the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system;
• Deploy modern security tools on your computers and devices to continuously look for and mitigate threats;
• Check with your cybersecurity professionals to make sure that your systems are patched and protected against all known vulnerabilities, and change passwords across your networks so that previously stolen credentials are useless to malicious actors;
• Back up your data and ensure you have offline backups beyond the reach of malicious actors;
• Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack;
• Encrypt your data so it cannot be used if it is stolen;
• Educate your employees on common tactics that attackers will use over email or through websites, and encourage them to report if their computers or phones have shown unusual behavior, such as unusual crashes or operating very slowly; and
• Engage proactively with your local FBI field office or CISA Regional Office to establish relationships in advance of any cyber incidents. Please encourage your IT and security leadership to visit the websites of CISA and the FBI where they will find technical information.

• Build security into your products from the ground up — “bake it in, don’t bolt it on” — to protect both your intellectual property and your customers’ privacy.
• Develop software only on a system that is highly secure and accessible only to those actually working on a particular project.  This will make it much harder for an intruder to jump from system to system and compromise a product or steal your intellectual property.
• Use modern tools to check for known and potential vulnerabilities. Developers can fix most software vulnerabilities — if they know about them.  There are automated tools that can review code and find most coding errors before software ships, and before a malicious actor takes advantage of them. 
• Software developers are responsible for all code used in their products, including open source code. Most software is built using many different components and libraries, much of which is open source.  Make sure developers know the provenance (i.e., origin) of components they are using and have a “software bill of materials” in case one of those components is later found to have a vulnerability so you can rapidly correct it. 

According to the White House Press Secretary, “The U.S. Government will continue our efforts to provide resources and tools to the private sector, including via CISA’s Shields-Up campaign and we will do everything in our power to defend the Nation and respond to cyberattacks.”