Why CISOs should pay more attention to geopolitics for cybersecurity
Cybersecurity breaches and global political events are clearly linked. It’s not just government assets that are at risk; the private sector is often affected, too. As the threat evolves, how can CISOs adapt and protect their organizations to mitigate wider catastrophes?
The increasingly erratic dance between geopolitical tension and cybercrime has always been a fascination for me, and recent stand-offs between the US and its antagonists have provided plenty of food for thought.
As governments step up their diplomatic efforts to resolve tensions, there is a knock-on effect: malicious activities spill over into the cybersphere. So long as global tensions grow – and grow they will – this proxy war will continue. When geopolitical tensions do appear to ease, we may be lulled into a false sense of security, but the threat hasn’t gone away. These are longer-term plays that don’t care about the news cycle. Even as I write, battles are being fought without a single bullet being fired.
But this is only the start. It has become clear that state-sponsored cyberwarfare can – and will – cause chaos beyond the political sphere, into the private sector, because there is a tighter connection than many think between political crises and the need to protect personal data.
As the risk and understanding of cybercrime grows, governments retrain their focus, ramping up their investments in cyber defense. As if on cue, cybercriminals pivot. Private businesses become a sitting target for those seeking an alternative route to destabilize nations.
Digitalization allows businesses to grow and innovate in ways we never could have imagined even a decade ago. But it also makes them vulnerable. The more hybrid warfare skews toward cyber, the bigger the threat to private businesses.
Data is power
But why should private-sector businesses be a target? The answer is almost always data. Gaining access to another nation’s data brings immense power and the ability to manipulate how people behave and feel. Even the rumor of a data breach can be enough to damage a population’s psychological stability.
Cybercriminals are single-minded in their goal to interrupt business operations, remove data, damage revenue and leak information.
Financial institutions and insurance companies are an obvious target as they hold a wealth of information about citizens. It’s not for nothing that these sectors are so highly regulated. Infrastructure is another point of vulnerability. By compromising an energy and utilities company, cybercriminals can shut down a country at a stroke.
An attack on an IT business could give criminals access to the backbone of any number of enterprises, including government agencies. The 2020 breach of SolarWinds showed us how far nation-state attacks on the private sector can go; nine US agencies and 100 private companies were compromised as a result, and we don’t yet know the full scale of the damage done.
The increasing adoption of smartphones and social media has opened fault lines in cybersecurity. Populations put their trust in organizations to protect their personal data, and its value is apparent. We’ve seen how sophisticated hackers can disrupt an economy and change the course of a major power – Russia’s influence in the 2016 US election was a chilling example. Intellectual property such as coronavirus research has also been targeted.
This would potentially have given it access to personal data covering around 30% of the population. The risk was too high: the Israeli regulator blocked the acquisition.
Operating in the shadows
You may ask, who is behind these attacks – and why can’t we just shut them down? It’s not straightforward. There is an ecosystem of hacker groups operating behind the scenes, often not directly connected to their paymasters. This shadow industry has grown in response to demand created by geo-tensions. States could shut them down, but some are happy to let these rogue groups flourish because the chaos caused serves them well.
One thing is for sure: the financial incentives are huge. Hackers are getting rich through ransomware. They might pull off a large, lucrative attack on a retail empire, or sit quietly for years in a system, siphoning data or performing small, targeted breaches. Such unpredictable behavior makes it difficult to plan for all eventualities.
When it comes to defending businesses, the scale of the challenge can be daunting. CISOs need to invest – not only in products, but in talent.
Cybersecurity talent is scarce. Understanding cyber tactics requires a specific set of tools, skills and knowledge; you have to be able to think like a cybercriminal and have an intuitive understanding of technology. Specialist training should be done in a national state facility as part of the intelligence community. People with these skills are in high demand, and often won’t choose to join a bank’s cyber team.
Organizations must then procure the right technology stack. With technology evolving at such an astonishing speed, it can be hard to know where to start – and many struggle to prioritize the budget against other IT expenditures.
Protective strategies will vary across different entities. A big enterprise with many subsidiaries operating in a federated manner will need a different defense structure to a single entity in a single geography. The nature of the threat will vary. The network structure is different in utilities, where you may have physical sites with different vulnerabilities, compared to a financial institution where the data is likely on the cloud.
Many of these decisions sit with the CISO, who will be more than aware of the shifting threat, but may lack the resources to act.
At CyberProof, we recommend businesses strike a balance between a small in-house team and an outsourced vendor, who can provide specialist advice and protection as a managed service. This provides the flexibility to respond to risks as they evolve over time, while keeping a degree of knowledge within the business.
Tackling the threat together
This is the point in the blog post where I would like to point to the future with optimism. But I’m not sure I can. The threat is only going to grow, as more of our lives and businesses exist online and in the cloud. Cybercriminals are always morphing and adapting.
We must pay attention to the balance between offense and defense. Those geopolitical interests that pump resources into the proxy wars and attacks across both government and private sectors are building their resources. Military and security budgets continue to grow, and it’s natural that cyberattack capabilities will be part of that growth. Spill-over to rogue groups will grow, too. Meanwhile, enterprises will allocate more funds to defend themselves. It’s our era’s version of an arms race, and from my perspective, investment on the defensive side is slower than on the offensive side.
We need governments to be more alert to the need to protect private businesses as well as public assets. We need them to guide and work with the public and with the private sector. It’s starting to happen, but not at the pace that the threat is growing.
As is often the case, collaboration is a huge part of the solution. Given the scarcity of talent, decision-makers must work together at a national level between the public and private sector to properly defend personal and organizational data. We can’t rely on individual CISOs, whose resources will be under pressure; CISOs across enterprises and industries must put aside competition and see that we are all in this fight together.