The cybersecurity risks of an escalation of the Russian-Ukrainian conflict

With the looming threat of heightened conflict in Ukraine, businesses around the world should prepare now. Corporate security and intelligence teams have said they are seeing an increase in cyber probes, and the US Cybersecurity and Infrastructure Security Agency and the European Central Bank have both issued warnings about possible Russian cyberattacks. At this stage, companies should take the following steps: 1) Review your business continuity plans; 2) Take a close look at your supply chain; 3) Actively engage your peer networks, vendors, and law enforcement around cyber intrusions; 4) Instill a security mindset in your employees; and 5) Make sure your business intelligence and IT teams work closely together on solutions.

Update: Russian forces launched an attack on Ukraine on February 24.

As warnings of an impending Russian attack on Ukraine proliferate, news networks and social media have featured clips of Russian armed forces training, exercising and preparing for battle. Less visible are the formidable Russian cyber forces reportedly preparing to unleash a new wave of cyber attacks against Ukrainian and Western energy, financial and communications infrastructure. Whether an invasion happens now or not, tensions will remain high and the cyber threat will likely increase, not decrease.

The business implications of the conflict in Ukraine – whether conventional, cyber or hybrid – will be felt far beyond the region’s borders. As a business leader, you’ve probably already assessed whether you have people at risk, operations that might be affected, or supply chains that might be disrupted. The White House recently warned of supply chain vulnerabilities stemming from the US chip industry’s reliance on Ukrainian-sourced neon. Russia also exports a number of elements essential to the manufacture of semiconductors, jet engines, automobiles, agriculture and medications, as detailed in a Twitter thread by former Crowdstrike CTO Dmitri Alperovitch. Given the existing strain on US supply chains from the Covid-19 pandemic, adding another shock to the system is concerning.

But if you are only now assessing your cyber posture, it’s probably too late. Effective cyber defense is a long game that requires sustained strategic investment, not a last-minute push.

The conflict in Ukraine presents perhaps the most acute cyber risk American and Western societies have ever confronted. Invasion by Russia would lead to the most comprehensive and dramatic sanctions ever imposed on Russia, which views these measures as economic warfare. Russia will not sit idly by, but will instead react asymmetrically using its considerable cyber capability.

The United States Cybersecurity and Infrastructure Security Agency (CISA) recently issued a warning about the risk of Russian cyberattacks spilling over onto US networks, which follows previous CISA warnings about the risks posed by Russian cyberattacks to US critical infrastructure. The European Central Bank (ECB) has warned European financial institutions of the risk of retaliatory Russian cyberattacks in the event of sanctions and associated market disruptions.

The first cyber skirmishes have already begun, with Ukrainian government systems and banks attacked last week, and vigilant US businesses noting a dramatic increase in cyber investigations. Rob Lee, CEO of cybersecurity firm Dragos, told us: “We have observed threat clusters that have been attributed to the Russian government by US government agencies conducting reconnaissance against US industrial infrastructure, including key sites of electricity and natural gas over the past few months.”

The security and intelligence teams of several major multinationals told us that they were anticipating Russian cyberattacks and assessing the potential for second- and third-order effects on their operations. Some companies have indicated that they anticipate an increase in attacks and scams in conjunction with the Ukrainian crisis, with risk assessments generally contingent on whether the company has direct ties to Ukrainian national banks or other critical infrastructure. A corporate intelligence official observed that his cyber team “doesn’t think we’re a likely target,” but is following CISA guidelines. Another also indicated that his company was not concerned about direct threats to its data, as it does not have a presence in Ukraine or Russia, but was monitoring indirect impacts on its customers and business partners in the region.

So if it’s too late to improve your cyber defense and conflict seems imminent, what can leaders do but give up?

The first rule is that a cyber or computer problem quickly becomes a business problem. The first step companies should take right now is to pull out, dust off and implement business continuity plans. What would it be like to work in an analog world, or a paper-and-pencil world, for days, weeks or months? When Saudi Aramco was hit by a cyberattack, 30,000 company laptops were turned into clipboards in seconds. Take out your penknife and dig beneath the surface of your crisis response. Ask, “If my computer systems fail, how will I track my inventory, manage my accounts, or communicate with my offices and factories?”

Second, take a close look at your supply chain. Your business may face the risk of hidden dependence on Ukraine-based software engineers, code writers or hosted services. Ukraine’s Ministry of Foreign Affairs reports that more than 100 of the world’s Fortune 500 companies are at least partially dependent on Ukrainian IT services, with several Ukrainian IT companies listed among the top 100 options for outsourcing IT services in the world.

Third, connecting with peer networks, vendors, and the FBI can dramatically improve your chances of identifying and mitigating cyber intrusions. Empower your teams to connect with cybersecurity and intelligence teams from peer companies, as well as federal and local government partners who are closely monitoring the same threats. Make sure your teams know their regional CISA representatives and the local FBI office and that they are on their mailing lists to stay on top of alerts and warnings. Share anomalous or malicious cyber activity with federal and local partners for greater awareness to help build a collective defense.

Fourth, instill a security mindset in your employees. Enabling multi-factor authentication (which, according to CISA director Jen Easterly, makes you 99% less likely to be hacked), patching those old vulnerabilities, ensuring passwords are strong, and remembering that phishing is always the number one attack vector, even for sophisticated adversaries, can all contribute to better overall security.

Finally, recognize that cybersecurity is closely tied to overall business security and risk. In the face of cyber threats, business leaders too often turn to IT for a solution, but IT security and geopolitical risk assessments must go hand in hand.

Cybersecurity, geopolitical risk, and physical security teams need to work closely together, not in silos. In one instance, a corporate intelligence official told us he had produced a joint assessment with his cyber intelligence team on Russia and Ukraine – the first time they had cooperated in this way. In this case, the crisis built on pre-existing relationships and sparked new levels of cooperation.

If you’re building relationships in times of crisis, it may be too late. It is far better to establish communication and cooperation before disaster strikes. Beware of risk assessments that place too much emphasis on proximity or presence. In a cyber war, innocent bystanders in the distance can be hit by stray cyber bullets or precise cyber sniper fire.

In a crisis, business resilience and business continuity plans become paramount, and these require enterprise-wide attention and solutions. With the imminent threat of war in Europe, which will certainly include cyber, it is time to pull out those contingency plans and test whether they are up to date, realistic and fit for purpose.