The invasion in Ukraine has heightened the risk of cyberattacks both from nation-states and non-state actors prompted by the disruptions caused by the conflict. ThoughtLab asked sponsors and advisors of our Cybersecurity Solutions for a Riskier World program to share their views on the fast-moving cybersecurity landscape.
1. Forbes recently noted that suspected Russian-sourced cyberattacks increased 800% in the two days immediately following the breakout of conflict between Russia and Ukraine in late February. What impact is the war in Ukraine and related geopolitical risks having on the cybersecurity landscape? What new or larger risks does it present for companies?
Gary McAlum, Former CSO & VP, Enterprise Security, USAA: Today’s cyber risk environment has never been more fragile, with cyberattacks increasing in sophistication, intensity, and scope. The current geopolitical situation in Ukraine has only exacerbated the risk implications for companies across the board but especially for critical infrastructure companies and their supply chains. Recent government warnings about the potential for increased cyberattacks have further increased the level of concern for Boards and senior management teams. While larger companies—particularly those in regulated verticals—continue to optimize their security environment, the greatest risk will be to those smaller and mid-sized enterprises where cybersecurity staffing and budgets are thin.
Cory Simpson, Executive Vice President, Resolute: We have not seen the spike in Russian attributed cyberattacks against liberal democracies that many predicted at the onset of Russia’s illegal war in Ukraine. While the cause for this is currently unknown—perhaps aggressive US government “defend forward” efforts, lack of capacity, or others—what is known is that Russian cyber threat actors are very skilled, and any constraints they may have had previously on their actions are unlikely to continue in today’s environment. In short, we are not out of the proverbial woods, and as CISA (the Cybersecurity and Infrastructure Security Agency) has advised, “Shields Up.”
Mandy Andress, CISO, Elastic: The cybersecurity landscape is significantly impacted. Cyber is another front in global geopolitical conflicts that’s often invisible, happening behind the scenes. Companies need to be prepared that their industry could be susceptible, or their actions and statements could lead to direct cyberattacks. Companies could also be targeted if they are seen as a means to access another targeted company that is a customer.
Dr. Ivo Pezzuto, Professor of Digital Transformation, International School of Management: Experts expect that Russia may yet unleash a devastating online attack on Ukrainian infrastructure or in other western countries. The Ukrainian government has taken some appropriate measures to counteract and protect their networks. For example, to protect the Ukrainian railways, a team of American soldiers and civilians have found and cleaned up one particularly pernicious type of malware, which cybersecurity experts dub “wiperware”, which disable entire computer networks simply by deleting crucial files on command.
Also, companies and institutions in Ukraine and other western communities are likely to face a massive onslaught of “distributed denial-of-service attacks” (DDoS), which are relatively unsophisticated attacks that take down networks by flooding them with demands for small amounts of data from a large number of computers.
2022 has already seen a concerning number of cyberattacks on ports and terminals. In January, a cyberattack hit major European ports including Rotterdam and Antwerp. A ransomware attack has caused a full system outage at one of the container terminals at Jawaharlal Nehru Port Trust (JNPT) in India. Attacks to ports, terminals, and supply chain networks may further aggravate the current backlogs and bottlenecks in the global supply chains. Looking forward, cyber espionage capabilities and defense strategies are likely to increase significantly, as well as international coordination among countries in order to offset potentially dangerous cyberattacks. Along with cyber threats, Russia is also spreading misinformation about the Ukraine conflict. It seems that the age of cyber warfare is just beginning. And for Russia, the war with Ukraine is likely serving as a live testing ground for its next generation of cyber weapons.
Steve Durbin, CEO, Information Security Forum: The speed of digital transformation and the consuming of cloud technologies/services (especially given accelerated uptake due to Covid) has made it increasingly difficult for organizations to enumerate their footprints and map these to geopolitical risk areas. It is difficult to say with complete certainty when and if organizations could be impacted by geopolitical events and regional instability. This is a risk hotspot at present.
Hacktivists and lone wolves are supporting the cause in some cases, picking sides and launching ‘deregulated’ hostile activities against each other and towards the opposite side. Tracking their activities is increasingly challenging as threat intelligence bleeds with regulated OSINT and the poisoning of social and unofficial media feeds by multiple interested parties.
Organizations who can be demonstrably directly or indirectly associated with political groups and regions involved in hostility could find themselves in the crosshairs of cyber ‘armies’ and hacktivist groups.
Both direct and unintended consequences of these risks and threats present a clear and present danger across the globe. Several national and international security organizations have issued ‘shields up’ instructions to industry, and the instances of such advisories will likely increase as digital transformation penetrates further and further into industry and commerce.
2. What are the biggest threats that your firm (or your clients) are seeing and preparing for? Ransomware, denial of service, etc.? Which business areas, such as supply chains and critical infrastructure, are you (or your clients) giving the greatest attention?
Deborah Wheeler, CISO, Delta Airlines: We are continuously risk assessing our environment and monitoring threat actors and others with an interest in our industry sector. Obviously, supply chains present a risk that we didn’t foresee two years ago (think Solarwinds), and it has caused us to be more specific in our questions of third parties and requires that we spend more time understanding our supply chain connectedness.
Jamie Singer, Executive Vice President, Resolute: The ransomware epidemic continues to create havoc on organizations—operationally, financially and reputationally. The double extortion tactics of threat actors remain problematic for many companies, which must navigate the one-two punch of an operational disruption with the threat of data leaks/exfiltration. While critical infrastructure organizations—such as healthcare, manufacturing, etc.—continue to find themselves in the crosshairs of threat actors, no industry or sector is immune. Threat actors are also targeting under-resourced and under-prepared public-school districts, local governments and municipalities, and non-profit organizations—many of which have cyber insurance policies and often are compelled to negotiate ransoms.
Mandy Andress, CISO, Elastic: We are focused on a variety of threats, including ransomware and denial of service, but are primarily focused on overall data protection to ensure the safety of our customers’ information. We are also giving supply chain significant attention to help ensure it is not a threat vector for us or our customers.
Steve Durbin, CEO, Information Security Forum: Not only does any destabilization provide a convenient front for criminal activity, but it is also wholly possible that gangs and cartels sympathetic to the cause could ramp up operations to provide a line of funding to those involved (for instance, the activities of the ‘Lazarus’ group who provided funding lines for North Korea; a group strongly believed to be supported and bankrolled by the Kim regime).
The rapid growth of the data economy and volumes of data/relative value has turned heads, with threat actors seizing the opportunity of manipulating data to misinform and misdirect
Covid has exposed the frailties of supply chains in enterprise and the associated risk of disruption; geopolitical influences are yet another vector for this risk and we are already seeing examples of it.
Critical infrastructure is becoming a more lucrative target for attack; the footprint of these environments has increased significantly enabled by tech such as IoT and communications innovations such as 5G whilst the maturity of ICS/OT in terms of cyber controls continues to be low.
3. How prepared is your company (or are you clients) to address these escalating nation-state threats? What do you see as best practices to manage risk currently, and which areas are you (or your clients) beefing up, such as threat intelligence, attack simulation, scenario planning, business continuity awareness, and training?
Jamie Singer, Executive Vice President, Resolute: Robust incident response planning is table stakes for any organization today. And given the significant reputational risks associated with today’s evolving cybersecurity landscape, an increasingly critical component of that process is comprehensive cybersecurity crisis communications planning. It is imperative that organizations invest the time and resources in developing clear and consistent communications protocols, including streamlining internal messaging review and approval processes, to ensure timely and effective communications responses to these complex issues. Executive-level tabletop exercises and trainings are also critical to building muscle memory and gaining internal alignment on messaging and communications strategies, in advance of a significant cybersecurity event.
Gary McAlum Former CSO & VP, Enterprise Security, USAA: Not many companies, if any, are truly prepared to deal with an all-out, targeted attack by a sophisticated nation-state actor. These type of threat actors are backed by an almost unlimited budget and the very best cyber talent available. Add in the ability to stockpile zero-day exploits and you have an unfair fight, by any stretch of imagination. Any company that is specifically targeted by a nation-state adversary will not be able to prevent an eventual penetration that leads to an undetected presence on their network. However, as that actor attempts to exploit that presence, a sophisticated security team may have a greater chance to detect and effectively respond based on a security ecosystem that is overlapping and tightly monitored.
Mandy Andress, CISO, Elastic: The most prepared companies are the ones that have really focused on the fundamentals of good security hygiene: knowing your environment, updating and patching your technology, changing default configurations, and utilizing layers of security. Being solid on the basics closes the large majority of avenues that attackers leverage to access or move through an environment.
Dr. Ivo Pezzuto, Professor of Digital Transformation, International School of Management: More efforts are needed to strengthen international cooperation and resources but also scenario planning and simulations. Often the worst-case scenario assumptions in scenario planning process look more like a baseline scenario or at least one that is not truly severely adverse.
Steve Durbin, CEO, Information Security Forum: The ISF continues to provide support to members in a number of areas aligned to this developing threat landscape and this is something we would consider to be industry good practice. We have:
- delivered research and a methodology for protecting from, responding to and recovering from, Extinction Level Attacks, with specific materials dedicated to the topic of ransomware that are also available on our PWS.
- conducted cyber simulation exercises both publicly and ad-hoc for our members, to allow them to understand their limitations and hone their skills following a fictitious scenario.
- recently released the latest version of our flagship ‘Threat Horizon’ research, providing organizations with forward-thinking guidance on potential future threats, with supporting materials to facilitate the use of the research in the boardroom.
- a strong offering on managing supply chain risk and is seeing renewed interest in this topic from our members.
Barbara Kay, Senior Director Product Marketing for Risk, Security, and ESG, ServiceNow: So much is about hardening the weakest links in security programs. Most companies have longstanding investments in prevention and defense – so today’s emphasis is on review and upgrade of response visibility and readiness across systems and organizations. Using the MITRE ATT@CK framework to assess and enhance defense, monitoring, and response is a key element. We are also helping people tighten up their security operations, especially incident response, through automation, prioritization, and structurally linking security, IT, and other teams involved in reducing vulnerabilities and responding to a major incident.
Since it is a joint responsibility of security and IT, we see investment in general attack surface hardening using established frameworks, and also business continuity/disaster recovery plans to build cyber resilience. There’s been a clear motion in recent years to encourage this collaboration, and ubiquitous, complex digital systems are turning the desirable into the necessary. This is crawl/walk/run country, and every organization is in a different place. The key point is to see where you are, and then build and activate your plan for progress.
We recommend clients look at resilience and readiness. Every business has different points of failure, so it isn’t one single playbook, and each situation is heavily influenced by industry and maturity. In addition to the guidance offered by both UK NCSC and US CISA cybersecurity agencies, as well as CIS and NIST, there are copious resources around operational resilience, business continuity management, and vulnerability management.
4. Our survey of executives revealed that 30% of CISOs are becoming more involved in geopolitical risk management. Is that enough? How are companies ensuring their cybersecurity strategies are aligned with their political risk management?
Deborah Wheeler, CISO, Delta Airlines: I think companies that have both a CSO and a CISO or have separated physical security from cyber need to be collaborating to understand how material physical threats can play out in cyber and vice versa. These worlds collide much more than they did years ago. Companies needs to look at their potential to thwart geopolitically motivated cyber risks before announcing geopolitical positions.
Cory Simpson, Executive Vice President Resolute: No. Every CISO needs to have an awareness of the geopolitical risk factors in their organization’s operating environment and be a part of the strategy for best mitigating such risk. Just as the role of the CFO has evolved in the last 30 years from a budgetary gatekeeper to a strategic partner of the CEO in setting corporate strategy to manage financial risk in markets around the globe, we need the CISO’s role to quickly evolve in a similar way to help corporate leaders better mitigate geopolitical risk for their organizations. Companies should ensure cohesion between their cybersecurity and political risk management strategies. How this is best done will vary from company to company and market to market, but it all begins by ensuring a comprehensive, inclusive, and collaborative planning process.
Mandy Andress, CISO, Elastic: Sharing information and building awareness is critical. For instance, share what types of attacks you are seeing with your security peers and your company’s employees. Phishing and social engineering are primary entry vectors. By spreading awareness and education as far and wide as possible we can help everyone be more vigilant for suspicious activities.
Steve Durbin, CEO, Information Security Forum: This is a disappointingly low number and tends to suggest that the value opportunity of CISOs in organizations is still struggling to be recognized fully, with some CISOs still anchored to the more traditional tenets of information security and risk management. CISOs’ relationship with the business needs to develop further; this relationship is a two-way thing. CISOs need to become more business-aligned and business leaders need to be more aware of the relevance of cyber to their personal and corporate accountabilities.
- Organizations with a more mature, holistic approach to enterprise risk management are able to bring multiple risk domains together so that they can become more complimentary in establishing an aggregate risk position.
- Organizations with a maturing risk management framework and culture may still have separation, treating differing risk management domains in isolation to each other with some notable gaps (such as geopolitical risk).
- Organizations with weak or no risk management framework and culture will be in a reactionary mode when it comes to geopolitical risk and certainly the current situation; likely they are contemplating the challenges of RUS-UKR for example as an operational challenge rather than a strategic risk, which is not effective in the longer term.
5. What advice would you give CISOs for these riskier times?
Deborah Wheeler, CISO, Delta Airlines: Stay calm; focus on the basics (patch management, access management enforcement of strong authentication, and educating end users about phishing), rehearse your IR plans and stay current on threat intelligence. They should have a good IR retainer in place should they need it and should have good partnerships in place with their company’s legal counsel and management and business leaders. Providing periodic written updates to leadership that address the heightened cyber risk environment and how the company is preparing for or is prepared to withstand certain types of events, allows management to gain confidence in the CISO and their organization, gives visibility to where investments have been made, and can also be used to alert leadership to where certain risks might have greater chance of resulting in an exposure.
Cory Simpson, Executive Vice President Resolute: Speed and agility. CISOs must ensure they develop their people, processes, and technologies with the speed and agility required by today’s volatile, uncertain, complex, ambiguous, and interconnected environment.
Gary McAlum Former CSO & VP, Enterprise Security, USAA: In today’s cyber risk environment, the potential for a major incident has dramatically increased. CISOs should be continuously focused on ensuring their security posture is as robust as possible, particularly security patches updated as quickly as possible. However, this is also a time to ensure a comprehensive incident response plan is in place and, preferably, recently validated through a table-top exercise or some other walk-through review. For example, ensuring good contact information for key external agencies, such as law enforcement, is a lot easier to do now than when the balloon goes up.
Dr. Ivo Pezzuto, Professor of Digital Transformation, International School of Management: Companies, banks, and institutions are paying greater attention to the future impact of Quantum Cryptography, in particular in Canada, the Netherlands, Australia, the UK, and the U.S. Banks are investing in PQC (Post-Quantum Teams) in order to improve their readiness to the quantum migration.
NATO is aiming to strengthen its internal proprietary network with the use of quantum cryptography. It seems that the algorithms they use in the VPN are not safe enough against quantum attacks, thus they may be subject to data breach and vulnerabilities.
Steve Durbin, CEO, Information Security Forum: Socialize the topic with business leaders, generate the conversation and offer support and assistance. CISOs are NOT expected to have all the answers, but the value is created when they broker effective conversations between business, technology, risk and security, and offer their subject matter expertise to broker solutions to identified problems.
Now is an opportune moment to renew relationships with your professional network; the value of knowledge sharing across different organisations and vertical markets cannot be understated in times like this (not to mention the mental health benefit of supporting each other). Resist the urge to leverage the situation to drive a personal agenda, always offer problems AND solutions, not just problems.
Be accessible to your teams AND your business. Now is the time to show true leadership in your business, not hide in the shadows behind others.
Barbara Kay, Senior Director Product Marketing for Risk, Security, and ESG, ServiceNow: COVID accelerated usage of digital technology throughout every BU of every organization and throughout every supply chain. Now the security posture and resilience of this extended enterprise infrastructure will be tested by both known and new tactics, techniques, and procedures. Last year’s challenges (Solarwinds, ransomware, and log4j) were a dry run. “Targeted attack 3.0” sophistication will be applied to a “Resilience 1.0” level digital business infrastructure.
Let’s take all that we have learned, especially MITRE ATT&CK insights, and tighten up our threat recognition and response. Let’s team with IT and Risk stakeholders to turn policies into rules, controls, continuous monitoring, and prioritized management. Let’s collaborate. There’s so much tech and wisdom that is not just possible, but proven, to help any team get stronger. Let’s put it to work.
