SAN FRANCISCO -- On Jan. 3, a U.S. drone strike in Iraq killed Major General Qassem Soleimani, Iran's top security and intelligence commander. In the United States, the assassination triggered immediate preparations for a possible Iranian cyberattack against critical infrastructure.
During the first week after Soleimani's death, the U.S. agency in charge of infrastructure security was in continuous contact with 26,000 people across the nation. Some were in healthcare organizations and others worked for utilities responsible for delivering power, water and gas to businesses, households and government offices.
To help those organizations protect their networks, the U.S. Cybersecurity and Infrastructure Security Agency shared intelligence on Iranian cyberactivity. CISA also provided information on ways to defend against the tactics, techniques and procedures typically used by Iranian hackers. Yet, although he led the defensive effort, CISA Director Christopher Krebs knew he couldn't guarantee the nation's safety.
CISA assumed the Iranians were probably in the systems needed to "achieve their strategic objectives," Krebs said in an onstage interview during the opening keynote of the RSA security conference.
Fortunately, an Iranian attack never occurred, but rather than declare an end to the emergency, Krebs redirected the attention of the people in contact with CISA to another significant threat -- ransomware attacks.
In 2019, security firm Emsisoft received files from more than 205,000 organizations struck by ransomware attacks, an increase of 41% from the year before, according to The New York Times. Meanwhile, the average payment to release files doubled to more than $84,000 from the third to the last quarter of the year.
"I call it the scourge of the internet," Krebs said of ransomware.
Protecting U.S. elections
CISA believes ransomware attacks, along with nation-state hackers, also pose a threat to the 2020 U.S. elections. So, the agency is helping states and local election jurisdictions secure the databases where voter-related information is stored. A CISA risk assessment of election systems found that the databases were the most likely target of hackers.
"The American people need to understand that we are taking this seriously, and we're engaged on it," Krebs said. "But 100% security is not going to be the outcome."
Guaranteeing election integrity requires the use of paper ballots as an auditable record of votes, Krebs said. The backstop is a pivotal defense against attacks that U.S. intelligence agencies believe are likely to come from Russia.
In 2016, Russian groups probed state voter databases for vulnerabilities and hacked computers of the Hillary Clinton campaign, the Democratic Congressional Campaign Committee and the Democratic National Committee.
The Justice Department's Special Counsel Robert Mueller also found that Russian organizations used social media to try to sway voters toward then-candidate Donald Trump. Along with helping Trump, the groups hoped to undermine Americans' trust in the presidential election.
As a result, 2016 was the first time election officials and the American public "truly understood that cyber could destabilize a democracy," Krebs said.
CISA does more than fight ransomware and protect elections and critical infrastructure. The agency's resources are also available to small and midsize businesses, Krebs said. For those organizations, the agency will provide information on updating security systems, implementing multi-factor authentication and designing an incident response plan.
"They're going to be better off when the next bad thing happens," he said.