Ukraine War Puts US Cities, States on Cyber Alert

This story was originally posted by Stateline, an initiative of the Pew Charitable Trusts.

President Joe Biden this week urged U.S. companies to be on high alert because of “evolving intelligence” that Russia is exploring options for potential cyberattacks against critical infrastructure targets.

Even before Biden’s warning, state and local governments were busy shoring up their cybersecurity in response to the Russian invasion of Ukraine and the elevated threat of cyberattacks targeting the United States.

Nearly two weeks before Russian troops poured over the border, the U.S. Cybersecurity and Infrastructure Security Agency issued a “Shields Up” warning about the growing threat. It advised every organization, including state and local governments, to “adopt a heightened posture” and be prepared to respond to disruptive cyber activity.

The federal agency offered guidance on steps to take, including updating software, testing backup procedures and ensuring that manual controls are available.

On Feb. 24, the day of the Russian attack on Ukraine, New York Democratic Gov. Kathy Hochul said at a news conference that her state was “on heightened alert with respect to cybersecurity and our own defenses.”

Just days before, Hochul had announced the creation of a joint cybersecurity operations hub in Brooklyn to coordinate between the state, major cities, local and regional governments, critical infrastructure businesses and the federal government. The hub will address threats and deal with cyber incidents.

In Colorado, Democratic Gov. Jared Polis signed an executive order on Feb. 24, directing the Office of Information Technology to identify and focus resources on protecting critical state infrastructure from Russian cyberattacks.

The following day, Texas Republican Gov. Greg Abbott ordered state information technology and public safety officials to make sure cyber incident response teams are ready and that a potential cyber intrusion can be quickly detected through antivirus and other software.

He also mandated that officials track and report to the public any attacks from Russian sources.

And last week, North Carolina Democratic Gov. Roy Cooper signed an executive order establishing a joint cybersecurity task force comprised of state information technology, emergency management, National Guard and local government members.

“Geopolitical events like Russia’s unlawful invasion of Ukraine can lead to an increase in cybersecurity threats and attacks,” which can affect the delivery of essential services to North Carolinians, the order says.

In Connecticut, Chief Information Security Officer Jeff Brown said in an interview with Stateline that the state has been “very aggressively” blocking IP addresses coming from computers in Russia. An IP address is a unique series of numbers that allows computers to send and receive data over the internet.

“Why would someone coming into our system from a computer in Russia have any need or reason to be looking at the state of Connecticut?” Brown said. “We aren’t allowing their internet traffic through.”

Connecticut also has been running through “scenario planning” to figure out what could happen if there is a cyberattack and the state had to lock down its network, he added.

“When you’re talking about a nation-state actor with people who are trained all day every day to break into networks, they’re a very formidable adversary,” Brown said. “It’s difficult to defend against that.”

While there is no reason to believe that Connecticut is being threatened, Brown said, he worries about all the services the state oversees, such as transportation and health care, that could be affected in a cyberattack.

In Colorado, cybersecurity officials have increased the monitoring of their systems, said Tony Neal-Graves, the chief information officer and executive director of the Office of Information Technology.

“Everything that’s gone on in the Ukraine and Russia brought this all to the forefront,” Neal-Graves said. “We’re collecting additional data and logging that information and sorting through it. If we see something, we need to err on the conservative side and report more than we normally would to the feds.”

While Colorado has seen no credible threats so far, Neal-Graves said he is trying to make sure that his agency has systems in place to protect not only the 30,000 people employed by the state but also the public.

Since Russia’s attack on Ukraine, the Multi-State Information Sharing and Analysis Center, a federally funded group that helps state and local governments prevent and respond to digital threats, also has boosted its efforts, said Randy Rose, a senior director. The group sent information to every state about ways to take defensive actions.

But states shouldn’t just focus on Russia, Rose noted, because other cybercriminals and “state actors” may attempt to take advantage of the increased focus on Russia “to slip in unnoticed.”

Connecticut’s Brown likewise said he’s concerned that a group not connected with Russia could find a vulnerability in the state’s computer network and exploit it.

“There are other attackers, and we need to not get distracted with a single adversary,” he said.

Earlier this month, Mandiant, a cybersecurity company, discovered that a hacking group linked to the Chinese government had compromised and stolen data from at least six state government networks between May 2021 and February 2022.

Many local governments also are trying to beef up their cyber defenses, said Alan Shark, executive director of the CompTIA Public Technology Institute, a Washington, D.C.-based nonprofit that provides consulting services to local governments.

City and county governments also are making sure they’re checking for phishing, looking closely at all the spam coming through and reminding employees to be more mindful when they open emails, Shark said.

He said local governments are seeing a slight uptick in probes from Russia and Eastern Europe in the last several weeks.

“Until this horrific invasion, the biggest threat everyone had was ransomware,” he said. “Now people are worried about government-owned facilities. The alert level has gone up. They’re worried about water treatment plants, utilities, other municipal services.”

Ransomware typically spreads through phishing, in which hackers email malicious links or attachments and people unwittingly click on them. Malware then hijacks the victim’s computer system and holds it hostage until the victim either pays a ransom, usually with the cryptocurrency bitcoin, or restores the system on their own.

In May, a ransomware attack by a cybercriminal group that operated out of Russia forced the shutdown of the Colonial Pipeline, sparking panic buying and gas shortages along the East Coast.

And in February 2021, a hacker got into the city of Oldsmar, Florida’s water treatment plant computer system, boosting the level of sodium hydroxide—or lye—in the water supply to 100 times higher than normal.

“The big fear is what happens if our utilities no longer work?” Shark said. “What if we aren’t getting clean water or what if public safety communications are knocked out? It’s infrastructure that keeps the city or county alive.”

Shark said local governments not only need to make sure their systems are up to date with the latest cyber software but also to have a plan if their network goes down.

“What are the backup communications among staff? How can we come up with services?” Shark said.

While local governments are looking forward to getting at least 80% of a new $1 billion federal cybersecurity grant program that will be distributed to states beginning later this year, it won’t help them improve their defenses against a possible Russian cyberattack now, Shark noted.

Aldona Valicenti, a commissioner and chief information officer for Lexington-Fayette Urban County Government in Kentucky, said local governments need to heed the federal cybersecurity agency’s advice about ways to beef up their protection in light of the Russian attack.

“We’re telling our people to be much more vigilant, to be alert to things that come from the outside. Don’t click on stuff if you don’t recognize it,” she said. “We’re monitoring IP addresses all the time.”