A changing world requires CISOs to rethink cyber preparedness

A changing world requires CISOs to rethink cyber preparedness

Following a tumultuous 2023, it might seem remarkable to suggest that 2024 could bring unprecedented security events to world affairs. Yet many factors suggest this will be the case. Around 50 countries will vote in 2024, including the world’s three largest democracies and several nations in geopolitical hotspots. Ten of those countries will send nearly a third of the world’s population to the ballot box.

Prospects for unprecedented geopolitically driven interference and conflict are strong, particularly considering rising tensions over Taiwan (Chinese aircraft breached Taiwanese airspace 1,700 times last year alone) and recent statements made by NATO officials like military committee chairman Admiral Rob Bauer that future war between Russia and the allies is entirely conceivable.

This last point signals a sea change in thinking among Western security communities about the proper stance of governments and their societies, both in the face of resilient Russian aggression and the willingness of many countries to support Moscow. Bauer’s comments have led to debate in the United Kingdom and elsewhere about how best to prepare for mobilization of society in a future conflict. Some have suggested the need for serious conversations about conscription after comments about the need for “citizen armies.” Others, including many in Davos recently, have spoken passionately about the need to reintroduce values-oriented and society-informed approaches in areas of security often driven by commercial interests, including AI development and cybersecurity.

Periods dominated by a feeling of inevitable conflict often see traditional security paradigms supplanted by socially and geopolitically conscious alternatives. Cybersecurity planners and operators should, therefore, consider the implications of a world in which the sociopolitical corollaries of the worst digital or informational threats – in terms of attack source or societal expectations – are difficult to escape. Preparedness for the cybersecurity team of today might – and perhaps should — look different than for the team of tomorrow.

Conflict risks to industry: The conventional view

The threat of a hot war with Russia appears to be motivating conversations about preparedness across Europe and North America. For cybersecurity companies and teams, the threat of such a conflict implies risk linked to both strategic goals that Moscow might prioritize and the constellation of actors that might be deployed to achieve those aims. Fortunately, recent research on cyber activities during Russia’s conflict with Ukraine tells us much about the form, the sources, and the focus of malicious cyber activities.

Recent data collection efforts out of Columbia University, the Army Cyber Institute of West Point, and elsewhere illustrate fascinating trends in the use of cyber as a tool of statecraft in the context of the Ukraine-Russia war. The conflict has witnessed both government and non-state threat actors engage targets in Ukraine and the broader NATO alliance bloc ranging across all its phases: pre-invasion, crisis, initial conflict, and extended conflict periods.

The two years of tension and subsequent war between Russia and the Western-backed Ukraine have included than 130 major cybersecurity events and more than 400 minor operations (as distinct from the more commonly cited figure of general intrusion activity estimated in the millions of incidents). Just under 60% of these took place in Ukraine, but the remainder occurred in other European or North American countries.

One of the most meaningful takeaways from recent analyses of the war’s cyber dimensions is that the bulk of serious intrusion events (63.3%) have been intelligence-gathering attacks on firms tied to satellite support to the armed services or on government systems. By contrast, relatively little intrusion activity has been seen tied to influence operations (6.56%) and the remainder (about 30%) have been cyber effect operations. These effect operations – which have included denial-of-service (DoS) attacks, ransomware, and deployment of wiper malware – have also tended toward low-level disruption, with just a handful of more significant exceptions. The clear takeaway is that companies that support military and related national security functions are at greatest risk of targeting.

That said, cybersecurity teams thinking about future conflict with Russia should consider the timeline and the actor landscape of the Ukraine-Russia war. In line with the now-acknowledged argument that the “cyber blitzkrieg” predicted in the lead-up to invasion would have made little sense, almost 100% of major cyber incidents attributed to the Russians through the end of 2021 and first weeks of 2022 appear to have had intelligence-gathering objectives.

By contrast, almost half of intrusion events seen in the opening months of 2022 were cyber effect operations and almost 20% were tied to influence efforts. This then tilted significantly back toward intelligence-gathering in the summer of 2022, and this distribution of activities has persisted up to today. The story here is of risk that varies around crisis moments in which cyber effect and influence operations are emphasized in narrow periods around emergent military activity but much less so otherwise.

Finally, recent research has shown that Russian-aligned threat actors each have a distinct focus on targeting strategies and tools. Groups like APT28, Gamaredon, and Ember Bear, for instance, are almost exclusively tied to intelligence intrusion activities. The former two split their efforts among government and private targets, while Ember Bear has shown willingness to hit military and defense contractor systems. By contrast, Killnet and the People’s Cyber Army are almost exclusively focused on cyber effect operations and spread their focus relatively evenly among types of targets (critical infrastructure, businesses, government, military, etc.) in intervals that more closely correspond to Russia’s military activities.

The patterns of cyber engagement seen during the phases of Russia’s war against Ukraine offer a reasonable picture of where risk lies, as well as what steps cybersecurity teams might take to identify their own exposure in the event of future escalation with the West. These trends support a conventional view that risk is directly tied to:

  • National security relevance via services provided or information possessed
  • Direct military or intelligence support
  • Status as a visible symbol of national function
  • Situational relevance to conflict, often defined by statements made or actions taken pertaining to moments of crisis

These criteria are relevant regardless of how Russia might be tempted to use cybersecurity in a future crisis – as a firebreak to help control escalation, for instance, or as an adjunct to enhance preparation for war – and can form the basis of robust vulnerability assessment, capacity assessment, and training/networking programming.

Conflict preparedness: Security approach or societal model?

The conventional view of risk for cybersecurity operations invites a conventional view of preparedness as reactive even in its forecast of future liability. Analysis of Russia’s digital activities against Ukraine since 2014 offers a reasonable basis for assessing repeated patterns of geopolitical standoff, grey-zone engagement, escalation, and armed conflict that might ensue in years to come.

However, such an operational focus on cybersecurity past and future belies the reality that geo-strategic circumstances in the world are in flux. Among other developments, rising support for Moscow’s agendas among authoritarian regimes and anocratic states in Eurasia will continue to broaden the nature of potential confrontation.

In such an environment, it is worth considering the societal preparedness model that took hold and contributed positively to national resilience more than 100 years ago prior to American involvement in the First World War. Building from a set of common conversations of concern about growing tensions among the continental powers of Europe in the first decade of the 20th century, the Preparedness Movement emerged in tandem with the onset of major hostilities in 1914.

History often views the Preparedness Movement as an instance where prominent former politicians like Teddy Roosevelt attempted to persuade Woodrow Wilson’s administration – directly and via demonstrative efforts like the training of volunteers for a future military venture – that American involvement in war was a necessity. However, the movement was highly decentralized and was as much an effort to build a social consciousness of the realities of future conflict as it was a cohesive pro-war movement. In fact, the movement was ardently anti-war and simply promoted a pragmatism that railed against the idea that a purely reactive approach to national security would see American industry and society avoid the worst of war.

The lessons of historical preparedness for today’s cybersecurity industry lie in its emphasis on factors that are social, non-structural, and enabling in nature, instead of just the need for a posture that is continuously active and anticipatory. These latter ideas sit at the core of readiness planning across industry today and essentially amount to the conventional view of risk (with its intendant implications) outlined above. By contrast, the concept of preparedness espoused by the movement a century ago emphasized that:

  • Social: Socialcapital, perceptions and culture function as major assets or barriers to response, increasing directly in line with the rising complexity of security conditions.
  • Non-structural: Mitigation of such complex conditions will involve pre-engineered tools and systems but will likely require their deployment in ad hoc fashion.
  • Enabling: Effective security response comes from better planning for what comes after (i.e., resilience and recovery) and so must take the altruism and capacities of the public into account.

These principles are analogous to precepts that underwrite cybersecurity practice already, including the need to design systems that are available in the face of potential disruption and the reality of thinking about vulnerability in network terms. Given conditions in the world in 2024, now might be a good time to begin the process of codifying these principles as strategic and community imperatives, as well as operational ones.

Potential shape of better cyber preparedness

A cybersecurity posture that is societally conscious equally requires adopting certain underlying assumptions and taking preparatory actions. Foremost among these is the recognition that neutrality and complacency are anathema to one another in the context of digital threats stemming from geopolitical tension. As I recently wrote, the inherent complexity and significance of norm politicking in international affairs leads to risk that impacts cybersecurity stakeholders in nonlinear fashion. Recent conflicts support the idea that civilian hacking around major geopolitical fault lines, for instance, operates on divergent logics of operations depending on the phase of conflict that is underway (e.g., crisis moment, grey zone conflict, or shaping operations).

The result of such conditions should not be a reluctance to make statements or take actions that avoid geopolitical relevance. Rather, cybersecurity stakeholders should clearly and actively attempt to delineate the way geopolitical threats and developments reflect the security objectives of the organization and its constituent community. They should do so in a way that is visible to that community. Neutrality is a security posture to be attained via objective arbitration on appropriate behavior; it requires realism that eschews both idealism and buck-passing. So, if realistic neutrality for private cybersecurity teams and institutions is the goal, industry needs to embrace the notion that reasonable advocacy on expectations of digital security is the minimum requirement for building shared awareness and resilience.

Cybersecurity firms and teams would also do well to double down on the normative framework of digital security as a core social responsibility in the 21st century. The resilience of any service, platform, or community to disruption is not just a function of technical capacity, workforce, or insurance. If an organization suffers as a direct result of geopolitically motivated hacking, its recovery and subsequent operation are enhanced substantially by the existence of a positive public perception of the firm as a community helper and as an actor whose liability cannot be mitigated entirely by conventional cybersecurity actions. At the level of operational planning, this should mean the construction of a social map of risk for relevant industry communities to leverage structured tools to create potential for non-structural solutions in the wake of a crisis.

Finally, private cybersecurity actors would do well to recognize that preparedness along these lines – i.e., a “macro” or geopolitically motivated preparedness posture – is a robust hedge against crisis-based uncertainty and tumult. It is also prospectively an excellent bid for future patronage on the part of government, public opinion, and industry networking.

The recent development of a US government strategy of “cyber with the brakes on” has made attempts to signal relevance to the national security enterprise beneficial for the average cybersecurity-concerned business. Less government oversight with similar levels of commitment to capacity building and incident response is married to a “campaigning” view of American cyber threat risk. This is not only a demonstration of greater government supportiveness of private-led cybersecurity solutions; it also implies a strong preference for private partners and beneficiaries whose thinking about cybersecurity sees preparedness not as a limited act of static anticipation, but as a dynamic process that is fundamentally social, non-structured, and communal in its appearance.

Critical Infrastructure, CSO and CISO, Risk Management

Go to Source