Russia’s full-scale military invasion of Ukraine is raising cybersecurity risks for American businesses.  Corporate America must take immediate additional precautions to protect their networks in light of what is quickly becoming a major war in Europe.

This cybersecurity threat manifests itself in two ways.  First, Russia uses offensive cyber attacks as a central element of its military doctrine.  The Kremlin has repeatedly, and recently, launched denial-of-service and malware attacks against the government and industry of Ukraine.  While the primary targets of these attacks are Ukrainian, the fallout can easily reach far beyond Ukraine’s borders.  For example, in 2017, Russian military hackers targeted Ukraine with the NotPetya wiper attack, but the malware spread globally “causing billions of dollars of damage to computer systems across Europe, Asia, and the Americas.”  That may well happen again during this war.

Second, if the United States takes further hardline positions against Russian aggression—levying graver sanctions, bolstering its military presence in Eastern Europe, barring Russia from the SWIFT financial system, and even undertaking offensive cyberoperations of its own—Russian state-backed actors may target U.S. government and industry for direct cyberattacks.  Notably, when Russian police arrested members of the prolific Russian ransomware group REvil in January, authorities said they did so on the basis of information provided by the United States.  The Kremlin could easily release the hackers amid souring Russian-American relations, claiming that the U.S. intelligence cannot be trusted, and REvil could reconstitute to blitz American companies.

In the face of these rising dangers, businesses of all sizes should take at minimum the following five steps to reduce cyber risks during the Russian war in Ukraine.

1. Revisit cybersecurity preparedness and incident response plans.  Boards of directors and senior managers should be briefed.  Crisis teams should be prepared and duties assigned.  Chief Information Security Officers (CISOs) and their teams should test backup procedures to ensure the rapid restoration of critical data if it is lost or otherwise compromised.  Prepare today to mitigate the dangers tomorrow.
2. Ensure agreements with third-party service providers are papered ahead-of-time.  Time is of the essence in a cyberattack. The longer it takes for a victim to onboard a cyber forensics company to assess the extent of a breach, the worse it can be for the business.  Therefore, companies should prepare retention agreements with third-party service providers, like digital forensic and investigative firms, now.  Companies should ensure that these firms are being retained through counsel and work under legal privilege, where appropriate.  If the agreements exist already, review them to ensure they are up-to-date.
3. Protect networks.  Companies, particularly those with large work-from-home contingents, need to prioritize network protection.  As the Cybersecurity and Infrastructure Security Agency (CISA) recommends in its “Shields Up” program, this includes: validating all remote access network users employ multi-factor authentication; ensuring all software is updated and all known vulnerabilities patched; and that cloud services, if applicable, are using top-of-the-line protections.
4. Follow government guidance.  Businesses should align their efforts with recommendations from CISA, the FBI, and other government agencies. For example, in mid-February, officials from several U.S. agencies met with executives from major American financial institutions, according to reports.  And a February 20 FBI report warned that Russian hackers “have targeted a variety of U.S. and international critical infrastructure, including entities in the Defense Industrial Base, Healthcare and Public Health, Energy, Telecommunications, and Government Facilities Sectors,” and that those dangers will increase in the event of a deteriorating security situation in Europe.  Industry should weigh these warnings carefully and engage in outreach with the U.S. Government to help protect private systems and contribute to the common defense.
5. Call counsel at the first sign of an incident.  Cybersecurity incidents pose substantial business and legal risk.  At the first sign of an incident, businesses should contact counsel to map out a response, investigate where necessary, and coordinate with regulatory authorities, if appropriate.

WilmerHale will continue to follow developments in this fast-moving situation closely.