U.S. tells CEOs to ‘empower’ chief information officers in preparation for Russian cyberattacks

Last week, the U.S. Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security, urged corporate leaders to prepare for attacks and adapt their C-suites accordingly.

“We are watching with grave concern the unprovoked Russian invasion of Ukraine,” Jen Easterly, director of CISA, wrote in a letter to the National Association of Corporate Directors. “As a matter of national and economic security, we need your collaboration.”

The agency encouraged executives to lower the threshold for reporting suspicious events to authorities and to include top leadership and board members in response plans. CISA also implored boards and CEOs to empower chief information security officers, who typically report to the CIO, and involve them in all decision-making regarding cybersecurity risks.

Readying for cyber warfare

Corporate America appears to be heeding these warnings. Top U.S. banks are already preparing for retaliatory cyberattacks from Russia-based hackers, by increasing network monitoring, drilling for cyberattack scenarios, vigilantly probing network threats, and beefing up staff in case hostile activity increases, Reuters reports. Their goal is to protect the U.S. financial system from ransomware and malware attacks, data theft, and denial-of-service attacks.

Last year offered C-suites and boards countless examples of how such attacks can cripple a business. The spring 2021 attack on Colonial Pipeline, believed to have been conducted by the Russia-based REvil ransomware group, briefly led to gas shortages in parts of the country. A few weeks later, an attack on meat giant JBS shut down some of its operations in Australia, the U.S., and Canada for an extended period. Saudi Aramco, a major oil producer, was also hit by hackers who stole data and rendered thousands of its company laptops useless until a $50 million ransom was paid.

Perhaps most famously, as detailed in a Fortune investigation last year, Russian hackers were found in 2020 to have attacked SolarWinds in a cyber aggression that may have started the previous year. The hackers exploited flaws within SolarWinds’ little-known but widely used product for managing corporate IT systems, allowing them to covertly penetrate and conduct espionage on the networks of some 100 organizations.

Cyberattacks have been on the rise of late. Corporate systems saw 50% more attacks in 2021 over the previous year, according to data from the intelligence firm Check Point Search. And in a recent PWC survey, 49% of CEOs cite cyber risk as their top concern in 2022. The CEOs of financial services firms are the most worried about cyberattacks, and more than half of all surveyed executives (53%) say they made changes to their organizational structure in response to new cybersecurity needs.

U.S. corporations with Ukrainian ties have another reason to be concerned: More than 100 Fortune 500 companies outsource some IT services to Ukrainian companies, including Amazon, Adobe, and Microsoft, according to the country’s Ministry of Foreign Affairs. Beyond the risk of service disruption due to employee displacement, Ukrainian companies are already being targeted as part of a heightened campaign by Russian cybercriminals.

Cyberattacks originating in Russia also have the potential to exacerbate supply-chain issues, a major stressor for U.S. business leaders. In her warning to American companies, CISA’s Easterly encouraged C-suite executives to take part in simulations of a major cyberattack to fully understand how it will affect their companies as well as companies within their supply chain.

These concerns are not hyperbolic. As Quartz noted last week, Russian hackers in 2017 created one of the largest and most damaging cyberattacks in recent history, culminating in the complete shutdown of Danish shipping giant Maersk’s computer networks for two weeks, and paralyzing multinational companies like Merck and FedEx’s European subsidiary TNT Express.