- The United States was prepared for “potential blowback” related to its response to Russia’s invasion of Ukraine, and was on the lookout for an onslaught of related cyberattacks even before the war began, but those attacks did not materialize, U.S. Cybersecurity and Infrastructure Security Agency Executive Director Brandon Wales said Wednesday.
- Credit for deterrence and defense goes to both industry and government, Wales said Wednesday during a discussion of nuclear-related cybersecurity issues hosted by Foreign Policy Magazine. But it also reflects “decisions by the Russian government on what they're willing to do right now,” he said.
- The future of nuclear cyber defense is evolving quickly, experts agreed. Smaller, advanced nuclear reactors can be designed with resiliency to digital attacks in mind, and an offensive strategy to disrupt would-be hackers will become vital, they said.
Protecting critical infrastructure from hackers will require a “balance” of offensive and defensive capabilities, Wales said.
“Offensive operators” can gain access to adversary networks and “identify specific tools that they're using, getting those into the hands of the defenders,” Wales said. “We need to make sure that this is a partnership because neither side will be completely successful without the other.”
CISA launched a “Shields Up” campaign in January 2022, as it became apparent Russia was preparing to invade Ukraine, Wales said. “Recognizing that an invasion was likely, we were getting industry ready for potential attacks here at home. We have not seen that.”
“We have not seen successful attacks on the United States from Russia, from the Russian government,” Wales continued. “And I think that is a credit to the work of both government and industry partnering together to make sure that those are much harder to achieve.”
The Russian government may not be behind the attacks, but cyberattacks are on the rise according to Alina Polyakova, president and CEO of the Center for European Policy Analysis.
“Cyberattacks have increased by 300% since 2020, against Ukraine and NATO states,” Polyakova said during Wednesday’s discussion. She advocates for a change in how the responsibility for cybersecurity is viewed.
So far, “governments have been putting the responsibility on private industry,” Polyakova said. “We really need to move beyond that framework. And the way we do this, we have to get on the offensive. We have to think about disruption.”
There is also the potential for the next generation of nuclear resources to be built with cybersecurity and safety in mind from the ground up, in addition to better defending of existing plants, said experts.
“It's important that we start to do what I would call sort of stress checks, failsafe reviews, so that if a nuclear facility is compromised, in a cyber sense, we understand what the physical implications could be,” said Page Stoutland, a consultant to the Nuclear Threat Initiative.
Smaller, advanced nuclear generation resources can also be designed with safety in mind, Stoutland said.
"There are many different designs being considered,” Stoutland said. “Many of these systems are more inherently safe .... so I guess overall, I'm optimistic but the specific answer would depend on the particular system we're considering.”