New and heightened cyber risks following Russia’s invasion of Ukraine fuel new urgency to build resilience
Governments around the world are concerned about the growing risks of cyberattacks against their critical infrastructure. Recently, the cybersecurity agencies of the “Five Eyes” alliance countries warned of a possible resurgence of these attacks “in response to the unprecedented economic costs imposed on Russia” following that country’s invasion of Ukraine.
The advisory noted that “certain cybercrime groups have recently publicly pledged their support to the Russian government,” with the threat of such cyber operations coming “in retaliation for perceived cyber-offensives against the Russian government or the Russian people.”
According to Andy Garth, Head of Government Affairs at ESET, such activity is “a global problem with state actors and their proxies, with some states willing to provide safe havens where criminal groups can operate with impunity.”
“In the case of the conflict in Ukraine, some criminal groups are now engaging in cyber espionage allegedly at the behest of their Russian hosts. Indeed, it is also prudent to prepare for an increase in cybersabotage and disruption incidents, as cyberattacks add to the retaliation toolkit and the risk of spillover increases,” says Garth. There is also an increased risk of unintended consequences as vigilante groups enter the fray on both sides.
A new approach to cyber resilience
Prior to the invasion, governments around the world were already considering cybersecurity strategies to counter ever-growing cyber threats from state actors and criminal groups. But new risks perceived by governments since February are fueling a new urgency to build cyber resilience.
On March 15, US President Joe Biden signed the American Cybersecurity Act 2022, requiring companies dealing with critical infrastructure to report significant cyberattacks to CISA within 72 hours and all ransomware payments within one day. More than just a disclosure law, the new regulations aim to shift the perception of a cyberattack from a private company matter to a public threat. This legislation is part of a trend, following the Colonial Pipeline attack in May 2021, when President Biden signaled a new role for cybersecurity and called for a whole-of-government approach to cyber threats.
Along with new powers, CISA is also expected to see its budget rise next year to $2.5 billion, which is an additional $486 million over the 2021 level. On top of that, Biden's infrastructure bill allocates $2 billion to cybersecurity, of which $1 billion is earmarked for improving cybersecurity and the resilience of critical infrastructure.
At the same time, the European Union has followed a similar path with several new directives and regulations and additional funding aimed in particular at strengthening the EU’s cyber resilience and the role of EU institutions, as well as facilitating greater cooperation between the bodies of the Member States. Operationally, in response to the Russian invasion, the EU deployed for the first time the Cyber Rapid Response Team to help Ukraine mitigate cyber threats.
The EU's proposed NIS2 Directive aims to strengthen security requirements, ensure supply chain security and streamline reporting obligations. NIS2 also greatly expands the scope of critical entities falling under high-level mandatory security requirements. Sectors such as healthcare, R&D, manufacturing, space or “digital infrastructure”, including cloud computing services or public electronic communication networks, will now require stronger cyber-resilience policies. Similarly, the European Commission is proposing new legislation to focus on the financial sector with the Digital Operational Resilience Act (DORA) and on IoT devices with the Cyber Resilience Act, which will be introduced after the summer.
The need for intelligence sharing and closer cooperation in detecting threats is also the underlying objective of the EU Joint Cyber Unit project, which aims to protect the EU’s critical infrastructure against cyberattacks. While its exact role and structure are still being decided, it should have an operational character that ensures better exchange of intelligence on cybersecurity threats between Member States, the European Commission, ENISA, CERT-EU and the private sector.
The Commission has also proposed new regulations to strengthen CERT-EU, transforming the structure into a “Cybersecurity Centre”, with the aim of strengthening the security postures of EU institutions.
Garth points out that these efforts are a “recognition among governments (and EU institutions) of the scale of the challenge of protecting the digital assets of nation states against growing and evolving cyber threats.” He stresses the need for a “whole-of-society approach and partnerships with the private sector at its core”, as “no government can tackle these threats alone”, citing the UK National Cyber Security Strategy 2022, where this type of collaboration can be seen in areas such as education, resilience building, testing and incident response.
But what risks do governments face?
Governments have a unique characteristic: they store all the data concerning their activity as well as the data of their citizens. Therefore, they are a most desirable target. This common threat to states has been raised at the United Nations level in order to agree on “off limits” areas where cyber operations should not be carried out, such as health systems. The reality has diverged from this, with an ongoing cyber contest between the great powers and [non-binding] agreements at UN level being ignored.
These contests play out in the “grey zone”, where states can engage under the premise of plausible deniability and in a constant game of cat and mouse in the area of cyber espionage, including information theft and attacks on critical infrastructure, sometimes causing real-world disruption to entire countries. Recent cases such as the use of the Pegasus spyware illustrate that eavesdropping is alive and well even among friendly states. As Garth puts it, “espionage has been around for a long time…as many intelligence practitioners are likely to agree, it can provide useful intelligence with modest risk as long as you don’t get caught.”
Likewise, targeted ransomware attacks are a growing concern – not just to get the biggest payout, but to maximize the value of stolen data on established criminal market platforms.
Attacks against supply chains can endanger not only government agencies or a specific institution, but also critical sectors of a country’s economy. The widespread impact of attacks like the one against Kaseya makes it more difficult for governments to react, creating truly disruptive consequences for businesses and citizens. But just as some states are content to risk indiscriminate disruption and damage, others launch targeted attacks on specific industrial units and systems with the aim of destroying parts of a nation’s critical infrastructure.
Getting everyone to work together is the real challenge
Governments face the far from easy task of maintaining legacy systems, addressing skills shortages, building cyber awareness in the workplace, managing an expanding attack surface, integrating new technologies and dealing with sophisticated attacks. Preparation takes time, and it is necessary to adopt a zero trust approach, understanding that attacks will occur and must be mitigated where they cannot be avoided.
This is difficult to apply to the usually multi-layered infrastructure of government offices. Despite their size, it is often easier to protect the systems of centralized authorities, but dealing with the huge number of local and decentralized offices makes it almost impossible. Despite gradually increasing funding, there are too few cybersecurity professionals, making it much more difficult to defend against evolving threats.
Citizens are increasingly aware of cyber threats, often due to high-profile and frequent reports in the media. Keeping the spotlight on the issue and funding awareness programs, especially those aimed at less tech-savvy and vulnerable people, is essential to success. Even so, human error continues to be the main entry point for cybercriminals, which is why it is now essential to take advantage of developments in machine learning and artificial intelligence, generally deployed in products and services such as EDR and real-time threat intelligence.
A common problem requires joint action
Synergies between the public and private sectors are a necessary response to the growing threat posed by cyberattacks. The Ukrainian crisis and the previous work done to protect Ukrainian critical infrastructure are an important example of what can be achieved.
In parallel, Garth suggests actively involving organizations such as the UN, OECD and groups like the G7, G20, so that “the international community shines a spotlight on state cyber activity, calling for and taking action where necessary against those who ignore established norms, suppressing criminal groups and their ability to monetize their criminal activities, but also working together to build cyber resilience across the world, including in developing countries”.