CISA’s ‘Shields Up’ Campaign Proving Value, Built for the Long Haul

The Cybersecurity and Infrastructure Security Agency’s (CISA) “Shields Up” cybersecurity campaign launched in February to warn critical infrastructure operators and other U.S.-based organizations of cybersecurity threats spilling over from Russia’s invasion of Ukraine is proving its worth over the first four months of operation.

However long the current Shields Up campaign lasts, CISA and its government partners including the FBI face a very long haul in trying to hold the line against destructive exploits against critical infrastructure amid an ever-evolving active attack environment.

Because the practical goals of the Shields Up program are focused on promoting better security across a very wide range of industry sectors – including those that are cyber-savvy and some that are not – the tenets of the Shields Up program are likely to continue long into the future.

Shields Up Genesis

The Shields Up campaign – as far as we can tell from public information – has not rolled out any particularly novel technologies or tactics for cyber defense. Rather, the campaign has provided pointed focus and visibility into cyber threats emerging from the Russian invasion, and turned the attention of critical infrastructure operators back to a long list of well-known advice on doing many of the basic steps that make networks and infrastructure more secure.

Those steps include many that CISA returns to again and again in its guidance to government and the provide sector:

Implement multi-factor authentication (MFA) for remote, privileged, and administrative access;
Patch known vulnerabilities promptly and according to CISA’s alerts and guides;
Disable unused ports and protocols;
Implement strong cloud service controls;
Focus on unexpected or unusual network behavior;
Pay special attention to traffic from Ukraine organizations;
Designate crisis response teams;
Test data backup procedures, and manual controls in the case of industrial control systems or operational technology;
Review CISA’s guide to understanding mitigating Russian state-sponsored cyber threats to U.S. critical infrastructure; and
Sign up for CISA’s free cyber hygiene services including vulnerability scanning.

The list goes on. And if it seems to the top ranks of sophisticated cyber professionals like a recitation of the high points of Good Cyber 101, CISA preaches that those basic steps are exactly the kind of preparation that will foil most cyberattacks. By taking those actions, CISA said in announcing the program, “all organizations can make near-term progress toward improving cybersecurity and resilience” by adopting the Shields Up measures.

Is Shields Up Succeeding?

As far as we can tell – always a big and necessary caveat when judging government and private sector actions that take place largely behind the scenes – Shields Up has been working, and CISA has not been shy about saying so.

“Through this extensive coordination across the public and private sectors, underpinned by the Biden administration’s elevation of cybersecurity as a core national security imperative, this approach is working,” said CISA Director Jen Easterly on June 6 about the Shields Up campaign.

And it’s not for a lack of trying on Russia’s part, she emphasized.

“Despite relentless Russian cyberattacks on Ukrainian networks, which have had spillover impacts on the networks of other European nations, the U.S. has not to-date suffered a major Russian state-sponsored attack,” she said.

The unexpectedly low level of Russian cyber attacks on even Ukrainian interests, at least early in the conflict, came as a surprise to some very well-informed insiders like Sen. Mark Warner, D-Va., chairman of the Senate Intelligence Committee. “Why haven’t we seen the GRU [Russia’s foreign military intelligence agency] – or some of the entities that we know have the capacity to frankly shut down entire systems – shut down the internet” in Ukraine, he asked in March. “We don’t have an answer,” he added.

Apart from CISA’s assessment of the Shields Up campaign’s effectiveness, another important measure helps us in the unclassified sphere to also judge its impact; simply put, if there were major destructive attacks on U.S. critical infrastructure, it’s a good bet we’d all know about it pretty quickly.

Exploits such as the SolarWinds software supply chain attack that came to light in early 2021 might have flown under the radar for many people not involved in technology sectors.

But debilitating attacks on big companies like JBS Foods and Colonial Pipeline that same year disrupted consumer supply chains, made the TV news with gasoline lines, and probably did more than any exploit since the 2015 Office of Personnel Management (OPM) data breach to bring the importance of cybersecurity into the public mind.

Where to From Here?

The answer to “what’s next” tracks with the well-rooted aims of the Shields Up campaign, but also CISA’s much longer-term effort to greatly improve the cybersecurity of U.S. critical infrastructure sectors.

On the one hand, CISA launched the campaign as an important, preemptive action to publicly warn critical infrastructure operators that the then-pending Russian invasion of Ukraine could lead to a ripple effect of cyber attacks on U.S. and western targets. In other words, Shields Up was purpose-directed for the current environment.

On the other hand, the Russian invasion of Ukraine – once seen by many as something that would last for days or weeks – is now seen as a conflict that will last for many more months, or years. The conflict has also rallied many western nations to Ukraine’s defense, and further isolated the Russian government through harsh sanctions. Because the conflict – and the icier relations between Russia and many other countries – won’t be resolving themselves soon, the necessity of the Shields Up effort is unlikely to abate, and its primary themes only continue to grow in importance.

Even if the conflict were to simmer down from its rolling boil, CISA’s longer-term priority to improve critical infrastructure security remains one of the very top tasks for the nation’s risk management agency. In the longer run, the Shields Up campaign – and all of the sensible security steps that it urges infrastructure operators to take – should be properly viewed as just the current phase of a very enduring effort.

Threats Continue Unabated

That view of the enduring value of the Shields Up campaign and its underlying tenets are being borne out by the top brass at CISA in recent assessments.

“We in the cyber world are well aware, the prospect of cyberattacks here at home — whether by Russia or other malign state and non-state actors — will not dissipate anytime soon,” CISA Director Easterly said in early June. That raises the question, she continued, “when will be able to put our shields down?”

“In today’s complex, dynamic, and dangerous cyberthreat environment, the answer is that our shields will likely be up for the foreseeable future,” Easterly said. The CISA director went on to warn, however, of the possibility of “vigilance fatigue” setting in, and called that “the opposite of what we are aiming for in building a collective cyber defense.”

The future of improving cyber defenses, she said, relies on working with private sector leaders to make the “necessary investments” in security to meet threats from Russian and other nation-state actors.

It will also rely on, in times of elevated threats, “a cyber alert and advisory framework that provides timely warning and recommended actions” both in localized and broader-scale situations, she said. That kind of system, Easterly said, will be “the natural successor to today’s ‘all-on’ Shields Up approach.”

Along those same lines, National Cyber Director Chris Inglis said in mid-June that the cost of entry for cyber attackers remains too low to create truly stout deterrence, but also pledged in the context of the Shields Up campaign that “we’ll never not defend ourselves in cyberspace.”

“The cost of entry for aggressors at this moment is still far too low for us to essentially assume ever that this is over,” Inglis said.

And he said that the current landscape of defending against potential nation-state actors – who may conduct operations that bleed past the Ukrainian borders and into the United States or North American Treaty Organization (NATO) allies’ infrastructure – as well as other cybercriminals and ransomware groups, represents “an enduring threat at a high level.”

In other words, cybersecurity is the fight that never ends, and the current Shields Up campaign can be viewed as a strong and necessary link in a similar chain of defense strategies stretching beyond the visible horizon.

Where Do Organizations Start?

We asked several top private sector experts where organizations looking to Shields Up for help might start taking steps to improve their security.

“It’s challenging to pick out specific initial areas of focus because every organization is different and each must tailor its cyber modernization plans to its own specific needs,” said Jim Richberg, CISO, Public Sector at Fortinet.

“For some that could mean looking broadly at ways to balance security with a positive user experience for both employees and end users; for others, it could involve focusing on the security and integrity of specific applications,” he said. “Overall Shields Up offers a sound approach that looks at factors such as resources, guidelines, and technology.”

Allan Liska, intelligence analyst and solutions architect at Recorded Future, recommended that “organizations start with the basics and, honestly, doing the basics goes a long way toward accomplishing the goals of Shields Up.”

“Start with good asset and vulnerability management: know what you have, and ensure you are patching on a regular schedule,” he said. “I realize that this is one of those tasks that everyone says to do, but can be extremely hard to do in practice. That’s okay, take baby steps. The goal should be full visibility into your technical stack and a regular patching cadence.”

“Next, you have to have a good backup system in place that is saving your critical data and is regularly tested,” he continued. Part of that good backup system has to be offline backups, and while there are a lot of new great solutions out there don’t forget that ransomware groups can’t encrypt data on tape. if you have a reliable tape backup system you don’t have to run out and replace it, especially if there are other priorities.”

“Finally, enable Multi Factor Authentication,” he said. “There are a lot of very good and inexpensive, or even free, MFA solutions that work for any sized organization. The great thing about MFA is that it can help cover for other security flaws that have not been fixed.”

Ben Miller, VP of Services at Dragos, said his company “continually finds that OT/ICS environments contain the most critical assets, but are the least understood and monitored areas. An accurate asset inventory list and a defined security architecture are the building blocks of defense, but we can’t stop there.”

“OT-specific network monitoring, combined with contextualized threat intelligence, is proven to proactively identify malicious attacks and results in more secure operations,” Miller said.

Lonnie Price, VP, Cyber and Information Warfare at Peraton, said that “the first steps any organization should take to align with Shields Up include requiring multi-factor authentication for all enterprise systems and applications, updating all software and hardware with the latest patches, and ongoing training to promote safe cyber practices, like CISA’s prudent “think before you click” guidance to all users, at home and at work.”

Enduring Value

Those same private sector security experts also pointed to the enduring value of organizations making cybersecurity improvements – no matter where the current threat is coming from.

“The possibility of a state-sponsored attack is always on the mind of government agencies and is top-of-mind for many given the heightened threat environment we currently face,” Fortinet’s Richberg said. “Director Easterly was right in noting that it doesn’t matter whether the attack comes from Russia or other state or non-state actors – the threat is not going away, and agencies must be prepared.”

He also emphasized that improving collective defenses “will take extensive collaboration between the public and private sectors.”

“With Ukraine as a stark backdrop, we remain mindful that Russia’s formidable cyber forces are highly motivated and have global reach,” said Peraton’s Price. “For years they have probed American networks for weaknesses and are succeeding with such alarming frequency that today’s cyber leaders must divert attention from protection to incident response, investigation, and remediation.

“Fortunately, the guidance from the White House and CISA is spot on,” he continued. “Their recommended cyber measures are prudent and effective. And existing advanced cyber tools and services will also help. This is truly a Team USA effort. With strong partnerships across industry, all levels of government, law enforcement, the Intelligence Community, and our military, we can meet these threats head-on!”

Recorded Future’s Liska noted Easterly’s comment – “we must use this moment to seize the opportunity to make fundamental improvements in the cyber ecosystem” – as particularly salient. “Everyone was expecting a major Russian cyber espionage offensive to accompany the invasion of Ukraine, and to the best of our knowledge that did not happen. But, that doesn’t mean we can breathe a sigh of relief, instead what it means is we need to be redoubling our efforts.”

“So much time in cybersecurity is spent responding to crisis after crisis, that we often forget to use our precious downtime in between crises to be proactive in order to prevent future attacks,” he continued. “Those projects that have been sitting around for months or even years, now is the time to get them put in place before the next challenge from the Russians, the Chinese, North Korea, or Iran is knocking on our door. The more we can do now to set us up for success against the next wave of attacks the less crisis focus we have to be and Shield Up offers great guidelines for that.”

Added Dragos’ Hill, “Agencies with OT/ICS environments are often in the very early stages of their OT cybersecurity journey. There’s a lot of complexity, as more and more devices become interconnected and interdependent.”

“The threat is real, but the defense can get ahead of the challenge, and Shields Up has helped to amplify the challenges of our constantly evolving cybersecurity landscape,” he said.

Cookie	Duration	Description
AWSALBCORS	7 days	Amazon Web Services set this cookie for load balancing.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	New Relic uses this cookie to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie stores and identifies a user's unique session ID to manage user sessions on the website. The cookie is a session cookie and will be deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_pxhd	1 year	PerimeterX sets this cookie for server-side bot detection, which helps identify malicious bots on the site.

Cookie	Duration	Description
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.
__cf_bm	30 minutes	Cloudflare set the cookie to support Cloudflare Bot Management.

Cookie	Duration	Description
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.
_gat	1 minute	Google Universal Analytics sets this cookie to restrain request rate and thus limit data collection on high-traffic sites.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
pardot	past	The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.
UID	1 year 1 month 4 days	Scorecard Research sets this cookie for browser behaviour research.
vuid	1 year 1 month 4 days	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
__gads	1 year 24 days	Google sets this cookie under the DoubleClick domain, tracks the number of times users see an advert, measures the campaign's success, and calculates its revenue. This cookie can only be read from the domain they are currently on and will not track any data while they are browsing other sites.

Cookie	Duration	Description
anj	3 months	AppNexus sets the anj cookie that contains data stating whether a cookie ID is synced with partners.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
GoogleAdServingTest	session	Google sets this cookie to determine what ads have been shown to the website visitor.
IDE	1 year 24 days	Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
muc_ads	1 year 1 month 4 days	Twitter sets this cookie to collect user behaviour and interaction data to optimize the website.
personalization_id	1 year 1 month 4 days	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
uuid2	3 months	The uuid2 cookie is set by AppNexus and records information that helps differentiate between devices and browsers. This information is used to pick out ads delivered by the platform and assess the ad performance and its attribute payment.
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
_mkto_trk	1 year 1 month 4 days	This cookie, provided by Marketo, has information (such as a unique user ID) that is used to track the user's site usage. The cookies set by Marketo are readable only by Marketo.
__gpi	1 year 24 days	Google Ads Service uses this cookie to collect information about from multiple websites for retargeting ads.