Too often, we see cyber attacks as a game between nerds in the basement. Yet, cyberwarfare has entered the center stage of two wars over the past year. In the Russian attack on Ukraine, cyberattacks on critical infrastructure and lines of communication have accompanied troop movements. During the Gaza conflict, cyberattacks on the West opened a new front in the conflict.
Thus, companies, management, and boards must adapt their cybersecurity strategies. Especially for critical infrastructure providers, cyber resilience cannot solely focus on the monetary impact but on the societal implications.
Join me in exploring the impact cyberwarfare can have on our society and why it is different than ordinary cybercrime.
Cyberwarfare in Ukraine and Gaze
Foreign wars were far from the mainland US for the longest time. Even attacks like September 11 or Pearl Harbor were relatively minor compared to the horrors of war on other continents.
Yet, in our connected world, war suddenly is impacting civilians in the US. The Iranian attacks on Israeli technology used in the US have disabled ATMs and water supplies. Thus, for the first time, a war outside the US affected people’s lives on this side of the Atlantic.
Yet, the Iranian-associated actions were tiny compared to the cyberattacks that accompanied Russia’s invasion of Ukraine. From the onset of the conflict, Russia has attacked Ukrainian Governmental servers and public infrastructure digitally. The targets included government civil defense websites, power plants, and mobile network operators. The sole aim was to cause confusion and hinder the Ukrainian population from seeking shelter from the Russian missile attacks.
Yet, you can see Ukrainians employing similar tactics when targeting Russia. Yet, the one contrast between the two is that Ukraine is targeting primarily companies associated with the defense sector, while Russia is acting indiscriminately against anything in Ukraine.
How did we get here?
Getting into this mess is the work of many generations. Especially when it comes to industrial controllers and utility systems, manufacturers designed them 20 or more years ago without considering today’s interconnectivity.
Thus, cybersecurity was only ever an afterthought for many of these systems. Simple, shared passwords and insecure default settings marked the beginning of the Internet of Things. Given the lifetime of hardware devices, especially industrial controllers, we must deal with these issues for the next 20 years.
Even worse, many hardware manufacturers still do not have the needed team strength to maintain their software. Nor do they have the strength to update outdated dependencies used as a basis for their devices.
Further cyberattacks give nation-states the ability to cheaply execute attacks and disavow them as acts of private groups. Thus, you have a low-risk, high-reward opportunity for them to attack their international adversaries.
We face high financial damage and significant disruptions in our lives. The water outages didn’t last more than a day, and the ATM downtime was annoying. Yet, they had very low risks of casualties. Thus, they might provoke policy changes but are unlikely to become full-fledged conventional warfare. In a sense, they bring war to the West without increasing the risk of war to the West.
Stand Against Cyberwarfare
With the increasing number of state actors attacking our companies and infrastructures, boards must take a different approach to cybersecurity. State and state-sanctioned actors care very little about legal consequences. The country’s leaders disavow the action, change the name of the groups, and are ready to go again. There is no risk of financial penalties or jail time for cybercriminals.
It also means that criminals can be less concerned about protecting their image. It doesn’t matter that IoT devices are straightforward to break into. They have stable employment adjacent to the nation’s intelligence agencies. They don’t need to worry about their reputation within the cyber community.
Consequently, the company’s risk management needs to add a new dimension. It isn’t enough to protect the system, which is most costly to the company. Protecting the systems with the highest customer and societal impact is also necessary. Previously, water suppliers’ payment systems would have been the most prominent target, as criminals can quickly turn credit card data into cash. The water supply and the needed IoT control and monitoring system are a prime target in cyberwarfare. They are less protected and their failure will cause maximum damage.
Consequently, a more holistic view of network security is needed. Anything connected to a network is a target that you need to protect from cyberattacks.
Cyberwarfare is not a Computer Game.
Many seasoned leaders still see cyberwarfare as a computer game. It is something that comes out of the mind of a science fiction writer to create a nerdy hacker movie. Yet, the wars in Ukraine and Gaza have shown us that water and electricity cut-offs by cyberattacks impact our lives.
We should stop seeing cyberwarfare as a nerd’s game and start treating it akin to a terror attack on our companies. While it might not have a military impact, their results can devastate society.