Two decades ago, no military expert could have predicted just how hostilities between countries would evolve. Conventional wars continued over land and air, but many predicted the next World War would be fought over water. The 9/11 bombings had people thinking that communications and traffic would be the next attack surface. But a new battlefield was already in the making with computer networks proliferating the world over, one that had no geographical boundaries.
Cyberspace.
In 2003 came Titan Rain, the name given to the Chinese-backed cyberattack on the United States that further soured Sino-US relations. The audacious attack resulted in hackers gaining access to US defense contractor networks and key national organizations like the FBI and NASA. Four years later, in 2007, came the Estonia hacks, reputedly perpetrated by Russia over the relocation of a war memorial. The attack seriously impacted Estonia’s parliament, financial institutions, news portals, and broadcasters. Widely regarded as the first instances of geopolitical cyberattacks, these attacks were followed by the Stuxnet cyber worm (1) in 2010, which was successfully deployed by the US and Israel to bring down Iran’s uranium facilities in order to have Iran comply with nuclear program disarmament decisions.
The word was out. Geopolitics was no longer exempt. Cyberattacks were now inexorably linked to it.
Responses to the threat
Some of the steps taken in the wake of these early nation-state attacks would suggest a somewhat reactive approach on the part of the establishment. Observers say that whenever the political climate heats up between nations, new cyber laws and policies are released. NATO upped its cyber capabilities and opened a cyber defense research center in Estonia following the 2007 attacks, even as the country pressed for the criminalization of cyberattacks. After Stuxnet in 2010, several countries took steps to shore up their cybercrime postures. The 2014 Russia-Ukraine conflict led to security measures being taken under the Budapest Convention on Cybercrime, the first international treaty to address internet and computer-related crime. And the US took unprecedented steps following the disclosure that its 2016 Presidential elections had been hacked by Russia-backed scammers.
But it was largely in 2022, when Russia invaded Ukraine and unleashed its integrated/hybrid war involving physical and cyberattacks on critical sectors, that alarm bells started sounding frantically in organizational circles.
Understanding the attacks
With several providers either brought down in the attacks or impacted in the fallout, it became clear that organizations not taking geopolitical threats seriously would be doing so at their peril. A nation relies on goods and service providers in the public and private sectors for its strategic needs like defense, infrastructure, energy, etc., and also for the services that its citizens receive. An attack on a nation therefore has a direct impact on organizations operating in these spheres.
While the business profile of an organization would normally play a crucial role in determining whether it is likely to be targeted directly, CSO Online’s (3) listing of the categories of geopolitical attacks suggests that, when evaluating their vulnerability to geopolitical attacks, organizations also need to understand the objectives of the Advanced Persistent Threat (APT) actors perpetrating the attack. Degradation Attacks directed at crippling a service provider may be easy to comprehend, but Performative Attacks, where the connection with the hostilities is remote, or Signal Attacks, where the attack is orchestrated to send a signal or warning, may prove hard to decipher.
Watchwords for organizations
The Israel-Hamas war which followed the Russian incursion into Ukraine went a step further by establishing that geopolitical crises come with diverse cybersecurity footprints. Government agencies were not the only ones to be targeted. Even small-sized companies, retailers, suppliers, and a variety of firms in the private sector and civil society space were singled out for attack.
Consulting firm BCG (2) makes the point that organizations need to remember that, though they may feel insulated and believe they are unlikely to be affected by geopolitical cybercrime, three tenets will always apply:
- Nobody is exempt. The size of the organization does not matter. Even small businesses can be, and are being, targeted
- Geopolitical cybercrime is directed at society as well, and hence organizations offering services to citizens are also in the crosshairs of cybercriminals
- In the ever-changing cyber landscape, even the best cyber defenses can be only so secure, and hence evaluating and upgrading the cybersecurity posture is a continual process
Where it was once taken for granted that this was a task for the CISO and his team to handle, organizations have realized that cyberattacks are now firmly in the domain of the C-suite. This is a business problem, calling for strategic involvement from the entire business leadership to achieve response-to-recovery resilience.
What organizations can do
The devastating effects of the ongoing cyber wars have left little doubt that geopolitical cyber crises are now an active, real-time threat. Organizations will be called upon to evaluate their cybersecurity posture and make strategic investments to shore up their cybersecurity defenses. Some of the measures could be:
- Monitor global and domestic political trends including sanctions
- Monitor market trends especially those for key commodities in the energy sector
- Monitor terrorist activity
- Follow new trends in cyberattacks and hacktivism, including attacks on new areas
- Make cybersecurity a C-suite responsibility and designate it a business strategy
- Analyze the organization’s situational risk profile, evaluate risk exposure on an ongoing basis, and periodically revisit the risk management plan
- Map all possible risk scenarios and plan cybersecurity investments accordingly
- Benchmark against cybersecurity standards, to avoid being an easy/weak target
- Protect supply chains
- Remain on red alert for attacks
- Invest in and embed a professional incident response plan that ensures business continuity
Conclusion
The World Economic Forum’s Global Risk Report 2023 (4) puts cybercrime and cyber insecurity among the top 10 global risks for the next two to ten years. There is therefore little doubt that geopolitical cybercrime will continue in the years to come. Studies already show that nation-state attacks have increased by almost 300% since 2020.
Happily, many organizations are seized of the dangers and are already taking pre-emptive measures to insulate themselves. Gartner research (5) indicates that over a quarter of organizations in North America and EMEA have taken some kind of cybersecurity action in response to Russia’s invasion of Ukraine. Web development and training company NuCamp (6) says that 74% of financial institutions are making cybersecurity their top priority. Heeding the messages of the recent Hamas-Israel war, even retailers are expected to pour up to 20% of their IT budgets into cybersecurity defenses, with up to 60% investing in advanced encryption to keep customer transaction data safe.
With 2024 predicted to be a year of complexities and of new cyber threats emerging in areas like OT (Operational Technology) and ICS (Industrial Control Systems), organizations would do well to take the geopolitical threat seriously, staying attuned to developments in the global arena and constantly monitoring their own cyber defense readiness.
In the global village we find ourselves in, that will be the rule rather than the exception.
References:
1. State-Sponsored Cyber Terrorism: A Harbinger of Things to Come – Aurora Systems Consulting Inc. (aurorait.com)
2. A Geopolitical Lens for Cyber Resilience – BCG (bcg.com)
3. How cybersecurity teams should prepare for geopolitical crisis spillover – CSO Online
4. Cybersecurity must be tightened up in this era of polycrisis – World Economic Forum (weforum.org)
5. How Geopolitics Impacts the Cyber-Threat Landscape – Gartner (gartner.com)
6. How will global geopolitics affect cybersecurity policies in 2024? – NuCamp (nucamp.co)