The First Cyber War: The Threat of Russian Cyberattacks has Thrust Cybersecurity Compliance into the Spotlight

Annalisa Kolb

Associate Editor

Loyola University Chicago School of Law, J.D. 2023

Russia’s unprovoked attack on Ukraine on February 24, 2022 has not only caused a horrific human rights crisis but has also had a dramatic effect on how the world conducts business, felt well beyond the borders of Russia and Ukraine. Warnings of an imminent Russian cyberattack on critical United States infrastructure have small and large businesses alike brushing up their cybersecurity policies to ensure they are compliant with current best practices ahead of a likely Russian cyberattack and impending federal legislation.

Alerts of an increased risk of Russian cyberattacks

Shortly after Russia began its invasion of Ukraine, the Cybersecurity and Infrastructure Security Agency (CISA) warned that destructive malware deployed by Russia against Ukrainian organizations may also be used against other countries, especially as more economic sanctions are placed upon Russia. CISA further warned that this type of malware, known as WhisperGate, presents a direct threat to the daily operation of organizations and impacts the availability of critical assets and data.

While CISA made clear in another announcement that there is not currently a specific credible cyber threat to the U.S., the fact that the Russian invasion of Ukraine involved intense cyberattacks on Ukrainian governmental and critical infrastructure organizations presents a cause for concern for similar organizations in the U.S. CISA, therefore, created the “Shields Up” initiative to provide technical guidance on creating policies to prepare for, respond to, and mitigate the impact of a cyberattack.

Implications of cyber warfare on cybersecurity legislation

This war marks one of the first times state-sponsored cyberattacks are being used as a central military tool and has caused some members of Congress to advocate fast-tracking cybersecurity legislation. For example, U.S. Rep. Don Bacon of Nebraska is pushing for the passage of H.R. 5658, the DHS Roles and Responsibilities in Cyber Space Act, which would require the Secretary of Homeland Security to assess its cyber incident response plans and procedures, and provide recommendations for improvement.

On March 1, 2022, the Senate approved a bipartisan package of cybersecurity bills, known as the Strengthening American Cybersecurity Act of 2022, with legislation that will make incident reporting of cyberattacks against critical infrastructure mandatory. The package includes a bill that would update the Federal Information Security Modernization Act (FISMA) for the first time since 2014 by codifying the responsibilities of recently created cyber officials, such as the National Cyber Director. The same package was blocked by Republican Senate leaders and stripped from the annual defense policy bill just months ago.

Why has it taken a war to make cybersecurity a priority?

Although Russian cyberattacks have recently been in the headlines, the danger of cyberattacks has clearly been established as real over the last few years. Last May, a ransomware attack by the Russian hacking group “DarkSide” caused the Colonial Pipeline, one of the largest oil pipelines in the U.S., to shut down for several days, causing panic among some consumers in the Southeast and a state of emergency in North Carolina. This incident marked the most significant cyberattack on energy infrastructure in American history. Just days later, the world’s largest meat supplier, JBS, experienced a similar ransomware attack, causing it to suspend operations of nine processing facilities in the U.S. The FBI believes a Russian hacking group was behind the JBS attack as well.

If organizations have waited until now to evaluate their cybersecurity risk, they are likely too late, as effective cybersecurity policies are complicated and take time to implement. And while pushing for cybersecurity legislation may help organizations with their cybersecurity policies in the future, it will not do much for organizations that currently remain vulnerable to attacks.

The continued clear vulnerability of our essential infrastructures is unacceptable. Given the major increase in quantity and intensity of cyberattacks over the last few years, including the two discussed above, it is gravely concerning that cybersecurity has remained on the back burner for organizations and lawmakers. Businesses of all types and sizes must prioritize and adequately fund cybersecurity compliance programs, both to comply with their internal processes and to ensure they operate within the boundaries of the law, considering the inevitability of federal cybersecurity laws.

Author’s note

While the threat to cybersecurity is important and worth discussing, we must remember that Russia’s unprovoked and senseless war on Ukraine has caused an unacceptable humanitarian crisis. Please visit this website to learn about ways that foreigners can help Ukraine and the Ukrainian people. If you are able and would like to donate, Help Heroes of Ukraine is a trusted charity organization that provides medical, military, and humanitarian aid to Ukraine.