That cyber warfare is only a concern for “big fish” or government organizations is a myth — one that’s best left behind in 2022.
Whether as direct targets or collateral damage, acts of cyber warfare can have negative impacts on both citizens and private businesses for one reason: they’re designed to.
Adding to the mix of an already high-threat climate, the idea of another source of unrest and threat to your business can be daunting.
That’s why we invited three cybersecurity thought leaders to share their take and best advice for businesses during the current climate. Specifically, we asked the experts to speak about how organizations can learn to spot cyber warfare and protect themselves.
Here’s a recap of the conversation moderated by Gerald Kasulis, VP of Business Operations North America at Nord Security, with:
Pete Gibson, CIO/CTO, Friendly's Restaurant
Sandy Dunn, CIO/CSO, BreachQuest
Alyssa Miller, BISO, S&P Global Ratings
Read on to learn what you need to know about cyber warfare and recommendations for how to avoid becoming prey.
What exactly is “cyber warfare”?
The definition of cyber warfare is difficult to pin down.
One way to understand what qualifies as an act of cyber warfare is whether it is state sponsored: state-sponsored attacks (SSAs) are carried out with the approval of a government body for political gain.
This understanding is consistent with Dunn’s statement that “cyber warfare is any type of [cyber] military operations between nation states to gain an advantage.”
Gibson added that cyber warfare is similar to traditional forms of warfare, in that “it's a country or a government entity trying to influence political will through some other methodologies to achieve a political outcome.”
While Miller agrees with both accounts, she cautions against being cavalier with the term. And on this point she is not alone. Saying the words “cyber warfare” can have meaningful consequences for businesses.
In January of this year, Merck Pharmaceuticals concluded a lengthy legal battle with its insurer following a financially and functionally devastating cyber attack in 2017.
The attack, involving the now-infamous NotPetya malware, locked access to servers and tens of thousands of devices from staff — bringing much of the US-based operations to a standstill.
When the well-insured company issued its over-one-billion-dollar claim, it was surprised to learn the claim was rejected: The attack was subject to an act of war exclusion.
It was widely reported that what was dubbed the “most destructive and costly cyber-attack in history” was part of a far-reaching cyber attack on Ukraine by a hacking group that is part of the Russian military — of which Merck was merely collateral damage.
Whether Merck would receive compensation turned on the question of whether the event qualified as an act of warfare.
Ultimately, the court determined that the exclusion was written with (only) armed conflict in mind — resulting in a win for the pharmaceutical company.
But the lawsuit highlights the issue with cyber war semantics: that the cyber warfare label depends on the threat actor and not the event. And, Miller said, “in cybersecurity, attribution of attacks is not quite so easy.” It’s uncommon for threat actors to take credit for their work.
What’s more, easier attribution wouldn’t be the end of it. Cyber terrorists and hacktivists might also be considered to be engaging in acts of cyber warfare despite being outside the umbrella of state sponsorship.
In any case, it’s important not to get stuck on the line between cybercrime and cyber warfare:
Whether we call it cyber warfare [or] we call it something else isn't as important as recognizing that there is a very real threat of those types of attacks increasing and organizations … can become targets as a part of that.
- Alyssa Miller
BISO, S&P Global Ratings
And though the current level of sophistication of cyber warfare is new, the concept is old.
... the Russian and Ukrainian conflict is definitely bringing it top of mind, but the reality is there have [always] been these types of attacks.
- Sandy Dunn
CIO/CSO, BreachQuest
Importantly, cyber warfare is also not unique to one nation — making it an international concern.
How are businesses impacted by cyber warfare?
From exercising “influence” to “gain[ing] advantage[s],” the broad definitions provided by the experts underscore how the goals of cyber warfare can vary quite a bit.
Often, they fall within three categories, aiming to:
Disrupt (or destroy)
Spy (or steal)
Influence
That means if your business plays a part in the smooth function of society, deals in private information, or can have influence, it is at least a possible target of an attack.
It’s also possible that, under the umbrella of disruption, your business could be a victim of a retaliatory attack. Per Miller, in reference to the current geopolitical climate, “...private organizations within the US who may have some level of implications in those sanctions [on Russia] can become targets…”
Finally, your business could suffer collateral damage: the incidental impact of another attack.
Achieving the goals of cyber warfare is likely to involve a variety of techniques, benefitting from the latest technologies and intelligence at the highest levels. With the evolving sophistication of cyber attacks, not underestimating prospective cyber opponents is key.
There's this misconception that a hacker is still that lonely teenager in a basement, and it's absolutely not true.
- Sandy Dunn
CIO/CSO, BreachQuest
Here are some examples of cyber warfare in practice and their impacts on businesses.
By DDoS attacks that restrict access
In February of this year, Ukraine’s Ministry of Defense website and a number of financial institutions were forced offline following a DDoS attack.
The purpose of a distributed denial of service, or DDoS, attack is to interrupt a service or communication by cutting off access to a website or app. It’s a classic move in cyber warfare and, as Dunn put it, the modern-day successor to “shooting down messenger pigeons,” an early example of communications warfare.
There are many different ways of accomplishing this type of attack, usually using a combination of hacking and malware. In all cases, the interruption works by flooding a server (or the network in front of it) with more requests than it can handle, so that legitimate users can no longer get through.
DDoS attacks are a common tool in cybercriminals’ arsenal: they may be used in conjunction with other cyber attacks or — especially when they are easily thwarted — as a cover or distraction for more sinister activity.
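What “flooding a server” looks like from the defender’s side, as an added example that is not part of the panel recap: a sliding-window rate check over constructed web-server access-log lines, with a per-source threshold that catches one noisy client and a total-rate threshold for the distributed case, where no single address is loud enough to trip the per-source check. Thresholds, addresses and timestamps are made up for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: client, identity, user, [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SAMPLE_START = datetime(2022, 2, 15, 12, 0, 0, tzinfo=timezone.utc)  # constructed

def parse_line(line):
    """Return (timestamp, client_ip) for one access-log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("ip")

def detect_floods(lines, window=timedelta(seconds=10), per_ip_limit=50, total_limit=200):
    """Sliding-window rate check over time-ordered access-log lines.

    Returns (noisy_ips, flood_started_at). noisy_ips maps each source that sent
    more than per_ip_limit requests within one window to the time it crossed
    the line. flood_started_at is when the total request rate across *all*
    sources exceeded total_limit: the only signal a distributed flood leaves
    when every individual source stays under the per-IP threshold.
    """
    per_ip = defaultdict(deque)
    recent = deque()  # timestamps of every request still inside the window
    noisy_ips, flood_started_at = {}, None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole scan
        ts, ip = parsed
        q = per_ip[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > per_ip_limit and ip not in noisy_ips:
            noisy_ips[ip] = ts
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) > total_limit and flood_started_at is None:
            flood_started_at = ts
    return noisy_ips, flood_started_at

def make_sample_log():
    """Constructed traffic in three phases: normal browsing by five users, one
    abusive source at 20 req/s, then 60 req/s spread across 250 addresses."""
    def entry(ip, seconds, path="/"):
        ts = (SAMPLE_START + timedelta(seconds=seconds)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'
    lines = [entry(f"198.51.100.{i % 5 + 1}", i) for i in range(60)]
    lines += [entry("192.0.2.50", 60 + i // 20, "/login") for i in range(100)]
    lines += [entry(f"203.0.113.{i % 250 + 1}", 90 + i // 60) for i in range(600)]
    return lines
```

Running `detect_floods(make_sample_log())` reports the single abusive source by address, while the distributed phase shows up only through the aggregate threshold.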
By spyware used to steal intelligence
As one example of the utility of spying, Gibson suggests it could provide a shortcut to development. Nations use spying to “help themselves to develop quicker and a stronger capability without having spent the years of [research and development] to get here.”
For example, it’s no coincidence, Gibson said in the context of his work in the US government, that “the weapon systems I was working on would be developed by Russia three to four years later — it was all due to espionage at that time that they were able to get it into production.”
But you don’t have to be a governmental organization to be a casualty of spyware or be surveilled in service of an advanced persistent threat, or APT. High-value organizations with “desirable” data are the most likely targets of these attacks.
Both sophisticated APTs and spyware are designed to operate undetected for long periods, giving cybercriminals unfettered access to the data they want.
By the widespread impact of a supply chain attack
A combination of spying and disruption, supply chain attacks involve adding malicious code to one supplier’s software or hardware with the goal of “infecting” other systems and software that interact with it.
The malicious code is a seed that grows branches, reaching into other interacting software undetected. What it’s designed to do upon having access varies depending on the goal of the act.
On why this type of attack is attractive, especially in the context of cyberwarfare, Gibson suggests that it’s about impact:
... At the end of the game, the malicious players normally try to get to an upper-end capability head of a network or into a source code like SolarWinds or something like that to where they can implant and then influence thousands through that way versus spending hours trying to get in and get a onesie twozy type of an attack.
- Pete Gibson
CIO/CTO, Friendly's Restaurant
In the SolarWinds situation, the Texan company’s “Orion” software was targeted by Russia’s Foreign Intelligence Service in an effort to get access to sensitive data from its many high-profile clients, including a number of US agencies.
The malicious code, which was downloaded by a number of Orion’s 33,000 users during routine software updates, issued attacks that involved installing additional malware, leaving all affected organizations vulnerable.
By open source software hacks
I think that some of the most concerning, most recent attacks have been around the open source community.
- Sandy Dunn
CIO/CSO, BreachQuest
The many benefits to using open-source software, like lower costs and flexibility, mean that it is widely adopted. And that it is widely adopted makes it an attractive target for supply chain-level cyber attacks.
In particular, Dunn cites the “recent NPM attacks” involving “protestware.”
The NPM registry is an online database of software packages for the JavaScript programming language. In March of this year, one developer released a new version of his own commonly used open source software package — with meaningful edits.
Different versions of the package included code that either overwrote (deleted) as many files as possible on devices with Russian or Belarusian IP addresses or pulled in a “peacenotwar” package — which left a .txt file with an anti-war message on devices.
The move proved controversial as many argued that — despite the peaceful message — ethically, malware and open-source software should never mix.
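One defensive check against the update-borne cases above (a tampered build pulled in during a routine update, as with Orion, or a dependency whose new release behaves differently, as with the NPM protestware), added here as an example rather than anything from the panel or the projects named: a diff of two parsed package-lock.json documents that lists what changed and flags the two findings that warrant blocking an automated update. Package names, versions, hashes and the trusted-registry host are constructed for the example.

```python
from urllib.parse import urlparse

# Assumption for this example: the project only ever pulls from the public registry.
TRUSTED_HOSTS = {"registry.npmjs.org"}

def _packages(lock):
    """Install path -> entry for a lockfileVersion 2/3 package-lock.json; the
    root project (empty path) is skipped."""
    return {p: e for p, e in lock.get("packages", {}).items() if p}

def diff_lockfiles(before, after, trusted_hosts=TRUSTED_HOSTS):
    """Compare two parsed lockfiles and return (kind, package, detail) findings.

    A version bump is ordinary and just needs review. Two findings are alarming:
    content-changed (same version string, different tarball hash, i.e. the
    package behind a version you already reviewed was republished) and
    untrusted-source (a dependency resolved from outside the registry).
    """
    old, new = _packages(before), _packages(after)
    findings = []
    for path, entry in sorted(new.items()):
        name = path.rsplit("node_modules/", 1)[-1]
        host = urlparse(entry.get("resolved", "")).hostname
        if host and host not in trusted_hosts:
            findings.append(("untrusted-source", name, host))
        prev = old.get(path)
        if prev is None:
            findings.append(("added", name, entry.get("version")))
        elif prev.get("version") != entry.get("version"):
            findings.append(("version-changed", name, f"{prev.get('version')} -> {entry.get('version')}"))
        elif prev.get("integrity") != entry.get("integrity"):
            findings.append(("content-changed", name, entry.get("version")))
    for path in sorted(old.keys() - new.keys()):
        findings.append(("removed", path.rsplit("node_modules/", 1)[-1], old[path].get("version")))
    return findings

def blocking(findings):
    """Findings that should stop an automated dependency update from merging."""
    return [f for f in findings if f[0] in ("untrusted-source", "content-changed")]

def _entry(name, version, integrity, host="registry.npmjs.org"):
    """Build one constructed lockfile entry (hashes are placeholders, not real)."""
    return {"version": version, "integrity": f"sha512-PLACEHOLDER-{integrity}",
            "resolved": f"https://{host}/{name}/-/{name}-{version}.tgz"}

# Constructed before/after lockfiles, as left by a routine `npm update`.
BEFORE = {"lockfileVersion": 2, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/example-colors": _entry("example-colors", "1.4.0", "colors-a"),
    "node_modules/example-logger": _entry("example-logger", "10.1.0", "logger-a"),
    "node_modules/example-util": _entry("example-util", "2.2.1", "util-a"),
}}
AFTER = {"lockfileVersion": 2, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/example-colors": _entry("example-colors", "1.4.0", "colors-a"),   # untouched
    "node_modules/example-logger": _entry("example-logger", "10.1.1", "logger-b"),  # new release: review it
    "node_modules/example-util": _entry("example-util", "2.2.1", "util-b"),         # same version, new content
    "node_modules/example-helper": _entry("example-helper", "0.3.0", "helper-a", "mirror.example.net"),
}}
```

`blocking(diff_lockfiles(BEFORE, AFTER))` yields exactly the republished package and the off-registry dependency; the ordinary version bump is left for human review.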
Another risk with open-source software is that bad actors, having access to the code, can identify vulnerabilities that could let malicious code and malware in. Accordingly, information security specialists are hypervigilant in identifying these weak points so that they can be patched quickly.
However, it can be a scramble during the window between a vulnerability becoming known, the patch being released, and your own systems being updated. Per Miller, at the time of recording, there was “a lot of rumblings about a new vulnerability in the Spring framework.”
The vulnerability in question could allow an attacker to execute malicious code remotely — making the threat level critical. “Here we go again,” Miller said, as this appeared to be similar to the now infamous Log4j vulnerability from late last year.
By the influence of misinformation
Cyber warfare extends beyond the scope of pointed and financially devastating attacks. While few acts of cyber warfare are officially claimed by their perpetrators, others are challenging not only to attribute but to identify in the first place.
Like spying or the initial stages of an APT, the “success” of misinformation and propaganda depends on its ability to be distributed undetected. This is perhaps why misinformation is one of the most interesting cyber warfare techniques, according to Dunn.
I think the most interesting thing is misinformation, actually. I mean, the use of memes, the use of propaganda…
- Sandy Dunn
CIO/CSO, BreachQuest
Dunn added that the fake news phenomenon during the 2016 presidential election in the US is a form of warfare, that “any time there’s any type of meddling that impacts a nation … to cause a disruptive impact,” it qualifies.
Miller agrees, suggesting that election interference will be a perennial concern, that, “When it comes to our [US] elections in particular … what we saw were very concerted efforts, and we still see it.”
And with social media, it’s never been easier to deceive.
Back in 2020, there are a lot of people running around talking about election security as related to deep fakes, right? And, well, why didn't that come to fruition? Well, because there are far easier channels. It's a lot easier to spin up misinformation farms with hundreds of people posting through phony accounts…
- Alyssa Miller
BISO, S&P Global Ratings
A reminder that a high-level threat doesn’t necessarily have to be high tech. And a caveat: that misinformation doesn’t sleep between elections.
By the hoarding of zero days
Taking a broader view of the type of attacks … think about how interesting it is that we have governments who hoard zero days to be able to attack [other nations].
- Sandy Dunn
CIO/CSO, BreachQuest
A “zero day” vulnerability is one that is unknown to the vendor, not yet fixed by a patch, or both. When bad actors find one, they’re likely to keep it quiet so that they can exploit it now or in the future.
Governments do the same thing. “Hoarding” zero days means amassing a number of them for the same purpose. Keeping these weak points private gives governments an upper hand, but doing so puts all software users at risk — not just the would-be targets.
In that way, the country’s own citizens and businesses can be victims of collateral damage from cyber warfare — which is why the practice is ethically dubious, according to Dunn.
How to protect your business from the threat of cyber warfare
While understanding the threat landscape can make protection feel daunting, implementing excellent cybersecurity means facing the fear of developing threats head on in order to build the best defense possible.
On this point, our panel of C-suite cybersecurity experts can help: Here are their top tips on how to protect your organization in the current cyber threat climate.
1. Prioritize.
Understand your business’ unique vulnerabilities and start by safeguarding against the most important threats. In other words, “untangle the noise for them,” says Dunn, “them” being the members of your team and leadership.
When it feels impossible to safeguard against everything, it’s important to “understand [threats] in the context of [y]our business a little better and decide what are the right steps for [you] to take and prioritize,” according to Miller.
2. Educate your team.
In real estate, it’s “location, location, location.” In cybersecurity, it’s:
Education, education, education.
- Sandy Dunn
CIO/CSO, BreachQuest
Don’t take for granted that your team knows what you do. The only way to build intuition around suspicious links or emails is to educate regularly. After all:
The most dangerous person is inside your network, but also the person that can help you the most is inside your network.
- Sandy Dunn
CIO/CSO, BreachQuest
3. Have a comprehensive security program.
According to Miller, you have “got to have that comprehensive program, and it's got to function as a program.”
Of course, that program should lay out the fundamentals of excellent hygiene, such as securing your:
Access: Use a password manager to eliminate weak passwords, control access, and implement multi-factor authentication.
Network: Protect against interception by encrypting your connections and data in transit, for example by deploying a virtual private network (VPN).
Database: Build a strong and secure defense against leaks and malware with a separate, secure, encrypted, and backed-up cloud database.
Endpoints: Enable the antivirus and anti-malware tools that already ship with your operating system on all workstations, desktops, and laptops.
4. Make it easy.
Cybersecurity is an asset, not an obstacle.
Make sure that “[Y]our engineers feel empowered and enabled with the right tooling and processes to really make [secure compliance] happen without slowing down the business,” Miller suggests. And Dunn agrees:
Right, Alyssa [Miller], I mean I would say right now that we've all recognized that there is no way if you're still manually doing anything … you've got [to have] automation to protect any organization.
For example, make automatic updates the default and enable your team with the cybersecurity software that makes secure password protocols possible.
5. Lead by example.
Be mindful of your personal cybersecurity:
...If you're a C-level executive, watch your LinkedIn, watch your personal accounts. I mean, really pay attention and question everything. Don't trust anything on the internet.
- Pete Gibson
CIO/CTO, Friendly's Restaurant
6. Foster a culture of transparency.
Among trusted members of your team, honesty is the best policy.
Having a robust cybersecurity program is key, but a zero-tolerance policy is likely to backfire, according to Gibson, who said “I would rather understand we might have had an issue than to find out about it when I got a real issue in-house.”
Gibson suggests rewarding your team for flagging suspicious activity and being transparent about breach attempts in lieu of staying silent to keep the peace.
Miller agrees and suggests that, though this may be a hot take, businesses should open up about their breaches — within reason:
We need [lawyers’] help to find a balance here, and that is being more open with your organization about things that have happened. When we have a breach or we have an incident within an organization, we're always so secretive, right? … And I understand the legal motivations for that, but there's got to be a balance here where we can actually use those lessons learned in that small group and communicate it through the organization.
- Alyssa Miller
BISO, S&P Global
7. Focus on incident response.
Take a backwards approach and look at your incident response.
- Sandy Dunn
CIO/CSO, BreachQuest
When a breach is all but certain, “how you react is really important,” Gibson said. Miller agrees:
We need to build resiliency and not just defenses.
- Alyssa Miller
BISO, S&P Global
Proper incident response means establishing security protocols and an action plan that can be deployed the moment the incident is discovered.
8. Test your organization regularly.
Make sure you have good security requirements and you're testing those.
- Sandy Dunn
CIO/CSO, BreachQuest
And “Don’t be afraid to start looking underneath the rocks and ask the harder questions,” suggests Gibson, adding that it’s important to follow up by asking “who's looking for those vulnerabilities? [Or] are we just waiting for someone to let us know outside there's a vulnerability?”
While protocols are important, it’s equally important to follow up on these. A “set it and forget it” approach simply won’t do for cybersecurity.
9. Eliminate unnecessary vulnerabilities.
Dunn suggests to “reduce your attack surface” by maintaining good security practices within your organization.
Some exposures can’t be avoided and should be safeguarded as far as possible, while others can be eliminated entirely. For example, not everyone in the company needs access to your most sensitive credentials and data: locking down credential access with strong passwords and limiting permissions is an easy win.
10. “Don’t let a good breach go to waste”
Miller explains that what many CISOs get wrong about post-breach communication is wasting the opportunity to get the support they need to build a stronger cybersecurity front.
All of those components that are so hard to win support for – we've got an opportunity right now to show how they bring business value, and that is so so crucial when you can sit down and say ‘here's how we're going to … make this better.’
- Alyssa Miller
BISO, S&P Global
Final word
The cyber threat landscape in 2022 is a tough one. One expert explained that to stay safe:
You have got to be playing Super Bowl Championship-caliber ball all the time.
- Pete Gibson
CIO/CTO, Friendly's Restaurant
At the same time, tech executives can benefit from awareness surrounding the high-threat climate to get financial support for the comprehensive cybersecurity programs they need to protect their organization.
With education, proper planning, and cybersecurity software, businesses can build in secure practices as second nature. “Where now security isn't this thing that sits as a gate to our development, but it's something that's inherent to what we do,” said Miller.
Finally, compassion is key for our team members behind the screens. It’s imperative that tech leaders set their own teams up for success as much as possible. After all:
We would never expect our security guards that sit at the front of our building to defend against the … military, and yet every CISO, every security team, and every small business across America is expected to be able to protect their organization against military-level attacks.
- Sandy Dunn
CIO/CSO, BreachQuest