Businesses are worrying about being caught in the crossfire of cyber warfare, according to research from Bitdefender – while industry figures warn that the gap between common-or-garden cyber threats and “oh, look what nation states are doing” is becoming ever smaller.
Bitdefender’s latest research report, titled 10 in 10, surveyed around 6,000 C-suite bods responsible for cyber security and found [PDF] that “over a fifth” of these said that cyber warfare was one of the most challenging topics they had to convince their colleagues to take seriously.
The firm’s Liviu Arsene told The Register: “I don’t think they’re afraid of cyber warfare in the sense of directly being targeted, more in line with being collateral victims of cyberwarfare taking out electric power grids, internet. They need to be prepared for these kind of attacks.”
Good thing there are people like, say, Bitdefender on hand to help, eh?
Cyber warfare, at its simplest, involves disrupting computers to achieve a real-world effect. This could be something like a denial-of-service (DoS) attack against a power grid*, intended to cause a power outage, or the infamous Stuxnet malware infection that set back Iran’s nuclear weapon ambitions by several years. It could also include attacks designed to degrade an adversary’s own ability to mount cyber attacks; cyber on cyber.
Not every aspect of such warfare overspilling onto civilian organisations is necessarily as worrying as it might be for nation states. Arsene said: “I remember last year an interesting consequence of cyber warfare was when it became physical. The Israeli government was facing a cyber attack, tracked down the attackers’ location, pinpointed a missile… I don’t think CIOs are worried about being visited by a cruise missile! But they are worried about potential cyberattacks that may disrupt their operations – being caught in the crossfire.”
This chimes to an extent with Bitdefender’s wider survey findings as they relate to CIOs’ and CISOs’ fears.
Being nuked or shelves stripped bare by digital looters?
If their companies were directly targeted, 37 per cent of respondents to the threat intel firm’s survey were most concerned about “loss of customer information,” with a third also being worried about “loss of financial information.” CIOs see cyber warfare’s potential impact on civilian businesses as primarily being conducted to gain useful information for further exploitation.
Only about 30 per cent worried about destruction of the company (“business interruptions,”) with just over a quarter growing grey hairs over fears that firms would lose revenue or market share. Oddly, a fifth thought “legal fines” would be one of the most critical outcomes of cyber warfare waged against their employers.
Report: CIA runs secret cyberwar with little oversight after Trump gave the OK, say US government officials
Part of the problem in communicating the urgency of confronting potential state-level threat actors is defining the term “cyber warfare” in a useful way. Rob Pritchard of the Cyber Security Expert consultancy told The Register:
“If you consider something like Stuxnet or Sony – that wasn’t fallout, they were the targets. I think we can probably draw a bit of a parallel if we look at the progression of hacking as a means of espionage, and how that suddenly impacted a broader range of organisations than might once have been subject to hostile state activity.”
Warming to his theme on both Stuxnet and the Sony Pictures hack, allegedly carried out by North Korean state-sponsored hackers the Lazarus Group, Pritchard continued:
“It caught both the defenders on the hop – how do you go to an industry and brief them on a classified threat when they fall outside your regular community and the various industries themselves were caught out? Chinese cyber espionage was hugely prevalent, but if you were AN Random tech company would you really have believed the Chinese were spying on you ten or more years ago?”
Ingram also pointed to the Notpetya attack, a state-on-state cyber weapon deployment that spilled out to infect the wider world, including victims who probably weren’t anywhere near the minds of the Russians who initially targeted the Ukrainian government.
Arsene agreed, telling El Reg that in his personal experience around half of organisations hit by the sudden global shift to remote working were “caught off guard”. He compared this to preparing for cyber warfare, saying: “They don’t know about these security gaps. Up until now [the situation] was one of complacency.”
Protect and Survive: Ethernet Edition
Inevitably cyber warfare draws comparisons with nuclear warfare: the fallout affects many more people than the intended target, in ways that are perhaps unforeseen compared to the actual attack.
Philip Ingram, a former senior British Army intelligence officer, told The Register: “In 2017 the Shamoon virus attack on Saudi Aramco, who pump 10 per cent of the world’s oil, saw over 30,000 computers physically destroyed in what was believed to be a revenge attack for the Stuxnet malware that attacked Iran’s nuclear enriching facilities. All of these incidents were small-scale focused attacks that caused wider unforeseen collateral damage. Should a full-scale cyber conflict ever start, the potential consequences for anything connected to the internet are frightening.”
Similarly, Arsene pointed to the Shadow Brokers vuln revelations as another example of how cyber warfare tools leak into the wider world, saying: “After [the NSA cyber warfare tools] were leaked, they were weaponised to infect [others] with Wannacry, hundreds of thousands of computers. Initially NSA weaponised that vulnerability, it was a military-grade cyber weapon. Inevitably it was used against everybody, not just governments. It also affected organisations of all sizes and verticals.”
Overall the fear is not of companies themselves being attacked, though that fear is present and with good justification. Rather, in the context of all-out cyber war, the concern of industry as a whole is that malware and digital weapons deployed by nation states will end up being deployed against them, whether by accident (as with Wannacry) or by design, as with the Shadow Brokers’ NSA exploits.
Lest the wakeup call be insufficiently loud it’s vitally important to realise that this is already happening, warned Arsene: “APT-style attacks, carried out by the same skilled individuals, or people with the same skills as those that work for nation states, seem to have made it into the private sector.”
Si vis pacem, para bellum – if you want peace, prepare for war. ®
* Although this is the first thing most people think of when dreaming up cyberwarfare scenarios, in reality squirrels are a far greater threat to nation states’ electrical integrity, according to 2017 research by a cybersecurity researcher fed up of doom ‘n’ gloom headlines and assumptions.