Why Risks Abroad Should Shift Special District Priorities at Home

Russia’s invasion of Ukraine drives growing risks for utilities and other critical service providers.

Fireside Cyber Chat
AT&T and Government Technology hosted a live Special Districts Fireside Cyber Chat in April with Christopher Krebs, former director of the federal Cybersecurity and Infrastructure Security Agency (CISA). Krebs, who was CISA director from 2018 to 2020, shared how conflicts abroad can impact the essential services that special districts deliver and that society has come to rely upon. Krebs offered insights on how to protect our nation’s critical infrastructure and why it’s urgent to prioritize these efforts now.

Brace for Disruptive Attacks

Special districts — particularly critical infrastructure operators — should brace for an increase in disruptive cyberattacks connected to Russia’s war on Ukraine, Krebs warned. He said Russian cyber operations could begin targeting the U.S. and its NATO allies in retaliation for tightening economic sanctions on Russia and growing military aid to Ukraine.

“There’s a belief that Russia may start causing us pain here,” said Krebs, who is now a private cybersecurity consultant.

Krebs called President Biden’s March warning about the growing potential for disruptive retaliatory cyberattacks on U.S. critical infrastructure unprecedented.

“I don't think I've ever seen a president of the United States go to the podium and talk about the intent of an actor to strike us with that sort of urgency of messaging,” he said.

Speaking at the White House on March 21, Biden said “evolving intelligence” indicates the Russian government is exploring options for malicious cyber activity in response to crippling economic measures imposed by the U.S. and its partners. “It’s part of Russia’s playbook,” Biden said.

Krebs urged district leaders to take federal cybersecurity warnings seriously. In particular, he pointed to an alert about possible threats to satellite communications networks issued jointly by CISA and the FBI in March. These networks are commonly used by water districts, power providers and other critical infrastructure operators to connect remote facilities.

“They don't issue those alerts just for giggles; they're trying to send a message,” Krebs said. “So you really need to think about how you're configuring your operational technology.”

He said special districts should work to reduce risks associated with internet-connected control systems and eliminate vulnerabilities such as default passwords on technology hardware.

Everyone is a Target

Financially driven cybercrime, like ransomware and social engineering attacks, also continues to increase, both because these activities are extremely profitable and because organizations are more vulnerable than ever due to pandemic-driven growth of remote work and digital services.

“We're using devices in places now that five or six years ago we would have never connected to Wi-Fi,” Krebs said.

Here, again, global tensions could stoke criminal activity that impacts special districts. Krebs said continuing economic pressure on Russia may drive an uptick in financially motivated cybercrime by choking off other sources of income.

“You may see more and more actors resort to cybercrime … because they have no legitimate way of raising funds,” Krebs said. “That's, in fact, the model that North Korea has used. They've funded their entire nuclear program using cybercrime.”

These financially motivated attacks are often aimed at small and midsize organizations with less sophisticated security defenses. Community water and energy districts — which have strong motivation to fork over ransom payments to avoid disruption of critical services — could be at particular risk.

“Attackers aren’t looking for one big payout,” said Krebs. “They’re shopping in volume — going after targets that lack security resources and are reluctant to tolerate any sort of downtime.”

Closing the Gaps

New cybersecurity investments are part of the solution to growing cyberattacks, Krebs said, adding that more resources are available thanks to security funding from the Infrastructure Investment and Jobs Act and earlier federal COVID relief programs. Smaller agencies can use this funding, as well as free security services available from CISA and other federal agencies, to shore up their defenses.

He urged special districts of all sizes to ensure security transparency and accountability from their technology vendors. This is especially important for cloud-based services, which have become more common in government since the beginning of the COVID-19 pandemic.

“You need to ask them questions about their security processes — what they can detect, what they can alert on and what their response looks like,” Krebs said.

He also called for new federal government initiatives to curb cybercrime, including regulating cryptocurrencies — which are typically used to make ransomware payments — and confronting countries that harbor cyber criminals.

Attackers operating in Russia or other Eastern European countries rarely pay a price for their crimes, Krebs said. “We have to work with foreign governments — not just our allies, but also with those like Russia — to make sure they understand this is not acceptable behavior, and we are going to hold them accountable.”

Prioritizing the Risk

Ultimately, executive leaders must prioritize security improvements to cope with the heightened threat environment. For example, Krebs said, special districts may need to accelerate timelines for deploying multifactor authentication or other cyber-protection measures and delay planned business initiatives.

“Right now — particularly in this moment with the Russian invasion — executives may need to override business decisions that leave the organization, its workforce and stakeholders exposed,” he said. “This is anything but business as usual.”