FCC and CISA Issue Cybersecurity Guidance for All Industries

The Federal Communications Commission has released a Public Notice encouraging all communications companies to review the Joint Advisory on “Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure” issued by the Federal Bureau of Investigation, National Security Agency, and Cybersecurity and Infrastructure Security Agency (CISA). The FCC also urged communications companies to take the actions recommended in the Joint Advisory to protect their networks from cyber threats, and to notify CISA and other industry stakeholders (such as other communications companies and/or trade associations) of threats. Communications companies include broadcast stations and networks, cable, telecommunications, energy/utility, and internet service providers, especially critical infrastructure network defenders.

The Joint Advisory provides an overview of Russian state-sponsored cyber operations, including commonly observed procedures, techniques, and tactics. Specific to communications companies, the Joint Advisory includes a section on mitigation strategies for critical infrastructure, including best practices for vulnerability and configuration management, protective controls and architecture, and identity and access management. The Joint Advisory also includes technical details of common vulnerabilities known to be exploited by Russian state-sponsored advanced persistent threat actors to gain access to U.S. critical infrastructure, as well as identification of the types of U.S. targets that have been subject to such attacks to date, such as the energy and telecommunications sectors.

The Joint Advisory warns that Russian state-sponsored attacks continue to evolve to avoid detection. Therefore, all U.S. critical infrastructure companies should maintain heightened awareness and conduct “proactive threat hunting.”

CISA recently released additional warnings for all U.S. organizations, regardless of sector or size, about state-sponsored cybersecurity threats and emphasized the importance of taking immediate steps to protect websites and network systems. CISA provided a checklist outlining mitigation measures to improve cybersecurity efforts and resilience.

If you have questions about the Joint Advisory or cybersecurity in general, please contact any attorney in our Privacy, Data Protection and Cybersecurity practice group.