The Cybersecurity Risks of an Escalating Russia-Ukraine Conflict
With the looming threat of increased conflict in Ukraine, businesses around the world should be preparing now. Corporate security and intelligence teams have said they’re seeing an increase in cyber probes, and the U.S. Cybersecurity and Infrastructure Security Agency and the European Central Bank have both issued warnings about potential Russian cyberattacks. At this point, companies should be taking the following steps: 1) Review your business continuity plans; 2) Closely examine your supply chain; 3) actively engage your peer networks, vendors, and law enforcement around cyber intrusions; 4) Instill a security mindset in your employees; and 5) Make sure your corporate intelligence and IT teams are working closely together on solutions.
Update: Russian forces launched an attack on Ukraine on Feb. 24.
As warnings of an imminent Russian attack on Ukraine proliferate, news networks and social media have featured clips of Russian armed forces training, exercising, and preparing to fight. Less visible are Russia’s formidable cyber forces that would be preparing to unleash a new wave of cyber-attacks on Ukrainian and western energy, finance, and communications infrastructure. Whether an invasion occurs now or not, tensions will remain high, and the cyber threat will likely wax, not wane.
The implications for business of conflict in Ukraine — whether conventional, cyber, or hybrid — will be felt far beyond the region’s borders. As a business leader, you’ve likely already assessed whether you have people at risk, operations that might be affected, or supply chains that might be interrupted. The White House recently warned of the supply-chain vulnerabilities stemming from the U.S. chip industry’s reliance on Ukrainian-sourced neon. And Russia also exports a number of elements critical to the manufacturing of semiconductors, jet engines, automobiles, agriculture, and medicines, as detailed in a Twitter thread by former Crowdstrike CTO, Dmitri Alperovitch. Given the existing pressure on U.S. supply chains from the Covid-19 pandemic, adding further shock to the system is worrisome.
But if you are just now evaluating your cyber posture, you are probably too late. Effective cyber defense is a long game requiring sustained strategic investment, not a last-minute bolt on.
Conflict in Ukraine presents perhaps the most acute cyber risk U.S. and western corporations have ever faced. Invasion by Russia would lead to the most comprehensive and dramatic sanctions ever imposed on Russia, which views such measures as economic warfare. Russia will not stand by, but will instead respond asymmetrically using its considerable cyber capability.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued a warning of the risk of Russian cyberattacks spilling over onto U.S. networks, which follows previous CISA warnings on the risks posed by Russian cyberattacks for U.S. critical infrastructure. The European Central Bank (ECB) has warned European financial institutions of the risk of retaliatory Russian cyber-attacks in the event of sanctions and related market disruptions.
Early cyber skirmishing has already begun, with Ukrainian government systems and banks attacked in the past week, and vigilant U.S. companies noting a dramatic increase in cyber probing. Rob Lee, CEO of the cybersecurity firm Dragos told us, “We have observed threat groups that have been attributed to the Russian government by U.S. government agencies performing reconnaissance against U.S. industrial infrastructure, including key electric and natural gas sites in recent months.”
The security and intelligence teams at several major multinationals indicated to us that they are anticipating Russian cyberattacks and assessing the potential for second and third-order effects on their operations. Some companies noted that they are anticipating an increase in attacks and scams in conjunction with the Ukraine crisis, with risk assessments typically contingent on whether the company has direct links to Ukrainian national banks or other critical infrastructure. One corporate intelligence manager observed that their cyber team “doesn’t think we’re a likely target,” but has been following CISA guidance. Another similarly indicated that their company was not concerned with direct threats to their data, because they have no presence in Ukraine or Russia, but were watching for indirect impacts on their customers and business partners in the region.
So, if it is too late to improve your cyber defense and conflict appears imminent, what can leaders do besides throw up your arms?
The first rule is that a cyber or IT problem quickly becomes a business problem. The primary step firms should be taking right now is pulling out, dusting off, and exercising business continuity plans. What would it mean to work in an analog world, or a pencil-and-paper world, for days, weeks, or months? When Saudi Aramco was hit by a cyberattack, 30,000 corporate laptops were turned into paper weights in the span of seconds. Take out your pen knife and poke under the crisis response paint. Ask: “If my IT systems go down, how am I going to track my inventory, manage my accounts, or communicate with my offices and plants?”
Second, closely examine your supply chain. Your firm may face the risk of hidden dependence upon Ukrainian-based software engineers, code writers, or hosted services. Ukraine’s Ministry of Foreign Affairs reports that more than 100 of the world’s Fortune 500 companies rely at least partially on Ukrainian IT services, with several Ukrainian IT firms being among the top 100 outsourcing options for IT services globally.
Third, connecting with peer networks, vendors, and the FBI can dramatically improve your odds of identifying and mitigating cyber intrusions. Empower your teams to reach out to cyber and intelligence teams at peer companies, and to federal and local government partners who are closely watching the same threats. Ensure that your teams know their regional CISA representatives and local FBI field office and that they’re on their mailing lists to stay on top of alerts and warnings. Share anomalous or malicious cyber activity with federal and local partners for greater awareness to help build a collective defense.
Fourth, instill a security mindset in your employees. Enabling multifactor authentication (which, according to CISA Director Jen Easterly makes you 99% less likely to get hacked), patching those old vulnerabilities, ensuring passwords are strong, and remembering that phishing is still the number one attack vector, even for sophisticated adversaries — all of these can contribute to better overall security.
Finally, recognize cyber security as closely connected to overall business security and risk. In face of cyber threats, corporate leadership too often turns to IT for a solution, but IT security and geopolitical risk assessments must go hand in hand.
Teams looking at cyber security, geopolitical risk, and physical security should be working closely together, not in silos. In one case, a corporate intelligence manager told us that he had produced a joint assessment with his cyber intelligence team on Russia-Ukraine — the first time they had ever cooperated in that way. In this case, the crisis built on pre-existing relationships and prompted new levels of cooperation.
If you’re building relationships in crisis, it may be too late. It’s far better to build communication and cooperation before disaster strikes. Be wary of risk assessments that assign too much weight to proximity or presence. In a cyber war, innocent bystanders far afield can be hit by stray cyber bullets or precise cyber sniper fire.
In a crisis, corporate resilience and business continuity plans become paramount, and these require whole of company attention and solutions. With the threat of war in Europe looming, which will certainly include cyber, it is time to pull out those contingency plans and test if they are current, realistic, and fit for purpose.