New and exacerbated cyber-risks following Russia’s invasion of Ukraine are fueling a new urgency towards enhancing resilience
Governments around the world are concerned about growing risks of cyberattacks against their critical infrastructure. Recently, the cybersecurity agencies of the countries comprising the ‘Five Eyes’ alliance warned of a possible rise in such attacks “as a response to the unprecedented economic costs imposed on Russia” following the country’s invasion of Ukraine.
The advisory noted that “some cybercrime groups have recently publicly pledged support for the Russian government”, with the threat of such cyber-operations coming “in retaliation for perceived cyber offensives against the Russian government or the Russian people”.
According to Andy Garth, ESET Government Affairs Lead, such activity is “a global problem with state actors, and their proxies, with some states willing to provide safe havens in which criminal groups can operate with impunity”.
“In the case of the Ukraine conflict, some criminal groups are now engaging in cyberespionage allegedly at the behest of their Russian hosts. Indeed, it’s also prudent to prepare for increased incidents of cybersabotage and disruption as cyberattacks are added to the retaliation toolbox and the risk of spillover increases,” says Garth. There is also a heightened risk of unintended consequences as vigilante groups enter the fray on both sides.
A new approach to cyber-resilience
Before the invasion, governments across the globe were already considering cybersecurity strategies to counter the ever-escalating cyberthreats from state actors and criminal groups. But the new risks perceived by governments since February are fueling a new urgency towards building cyber-resilience.
On March 15th, US President Joe Biden signed the Strengthening American Cybersecurity Act of 2022, requiring companies dealing with critical infrastructure to report substantial cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and all ransomware payments within one day. More than just a disclosure law, the new regulation is intended to change the perception of a cyberattack from a private company matter to a public threat. This legislation comes as part of a trend, following the Colonial Pipeline attack in May 2021 when President Biden signaled a new role for cybersecurity and asked for a whole-of-government approach to cyberthreats.
Together with new powers, CISA is also set to have its budget next year increased to $2.5 billion, which is an extra $486 million from the 2021 level. On top of this, Biden’s infrastructure bill allocates $2 billion to cybersecurity, of which $1 billion is allocated towards improving the cybersecurity and resilience of critical infrastructure.
In parallel, the European Union has followed a similar path with several new directives and regulations and additional funding aimed especially at enhancing the EU’s cyber-resilience and the role of EU institutions, as well as facilitating greater cooperation between member state bodies. On the operational level, in response to Russia’s invasion, for the first time the EU deployed the Cyber Rapid Response Team to assist Ukraine with mitigating cyberthreats.
The EU-proposed NIS2 Directive aims to strengthen security requirements, address the security of supply chains, and streamline reporting obligations. NIS2 also significantly broadens the scope of critical entities falling under mandatory high level security requirements. Sectors such as health, R&D, manufacturing, space or “digital infrastructure” including cloud computing services or public electronic communication networks will now require stronger cyber-resilience policies. Similarly, the EU Commission is proposing new legislation to focus on the financial sector with the Digital Operational Resilience Act (DORA) and IoT devices with the Cyber Resilience Act, which will be presented after the summer.
The need for sharing intelligence and closer cooperation in threat detection is also the underpinning objective of the proposed EU Joint Cyber Unit, which aims to protect the EU critical infrastructure against cyberattacks. While its exact role and structure are still being decided, it is expected to have an operational character that ensures a better exchange of intelligence on cybersecurity threats among the Member States, the European Commission, ENISA, CERT-EU, and the private sector.
The Commission also proposed new regulations to strengthen CERT-EU, converting the structure into the “Cybersecurity Center”, with the aim of strengthening the security postures of EU institutions.
Garth points out that these efforts are a “recognition within governments (and EU institutions) of the scale of the challenge in protecting nation-state digital assets against growing and evolving cyberthreats”. He highlights the need for a “whole-of-society approach and partnerships with the private sector at its heart”, since “no government can address these threats alone”, citing the UK’s National Cyber Strategy 2022, where this kind of collaboration can be seen in areas such as education, building resilience, testing, and incident response.
But what risks do governments face?
Governments have a unique characteristic: they store all the data concerning their own activity as well as their citizens’ data. This makes them a highly desirable target. This common threat has led states to try to agree, at the United Nations level, on “off limits” areas where cyberoperations should not be conducted, such as healthcare systems. Reality has diverged from this, with an ongoing cybercontest between the major powers and the [non-binding] agreements reached at UN level being ignored.
These contests play out in the ‘gray zone’ where states can engage each other under the premise of plausible deniability and a constant cat-and-mouse game in the sphere of cyberespionage including stealing of information and attacks on critical infrastructure, sometimes causing real world disruption to entire countries. Recent cases such as the use of Pegasus spyware illustrate that eavesdropping is alive and well even among friendly states. As Garth says, “snooping has been around a long time … as many intelligence practitioners are likely to agree, it can provide useful intelligence with modest risk as long as you don’t get caught.”
Likewise, targeted ransomware attacks are a growing concern – not only to obtain the largest payout, but to maximize the value of stolen data on well-established criminal marketplace platforms.
Attacks against supply chains can endanger not just government agencies or a specific institution, but critical sectors of a country’s economy. The widespread impact of attacks like the one against Kaseya makes it harder for governments to react, creating truly disruptive consequences for both businesses and citizens. And while some states are content to risk indiscriminate disruption and damage, others launch focused attacks targeting specific industrial units and systems with the aim of knocking out parts of a nation’s critical infrastructure.
Getting everyone to work together is the real challenge
Governments don’t have an easy job: maintaining legacy systems, tackling skills shortages, building cyberawareness in the workplace, managing an expanding attack surface, integrating new technologies, and facing down sophisticated attacks. Preparedness takes time, and there is a need to adopt a zero trust approach, understanding that attacks will happen and must be mitigated where they cannot be avoided.
This is hard to apply to the typically multi-layered infrastructure of government offices. Despite their size, it is often easier to protect the systems of centralized authorities, but dealing with the immense number of local and devolved offices turns this into an almost impossible mission. Despite gradually increasing funding, there are too few cybersecurity professionals, making it much harder to defend against the evolving threats.
Citizens are increasingly aware of cyberthreats, often due to high-profile and frequent reports in the media; keeping the spotlight on the problem and funding awareness programs — particularly those aimed at the less tech-savvy and the vulnerable — is critical to success. Even so, human error continues to be the major entry point for cybercriminals, which is why taking advantage of developments in machine learning and artificial intelligence is now essential, typically deployed in products and services like EDR and real-time threat intelligence.
A common problem requires joint action
Synergies between the public and private sector come as a much-needed reaction to the growing threat presented by cyberattacks. The Ukraine crisis and previous work done to protect Ukrainian critical infrastructure is an important example of what can be achieved.
In parallel, Garth suggests involving organizations such as the UN, OECD and groups like the G7, G20 dynamically, so that “the international community shines a spotlight on state cyberactivity, calling out and taking action where necessary against those that ignore established norms and cracking down on criminal groups and their ability to monetize their criminal endeavors … but also works together to enhance cyber-resilience across the globe, including in developing countries”.