ust when we thought there were enough compelling arguments and reasons for building cyber organizational resilience at any given business, NGO, or other entity, Russia’s invasion of Ukraine complicated matters. The Russian war against Ukraine has thrown a whole new layer of geopolitical complication on top of the already dire need for cyber-vigilance in the business and non-profit sectors everywhere and anywhere which remain woefully unprepared for what is in essence asymmetric warfare by nation state actors.
The conflict also brings into sharp relief how the average small, medium, or large business or other type of non-governmental, non-military entity, needs to build proper cyber-governance and preparedness in these challenging times.
In this article, we provide some background on the nature of the cyber-attacks that the Russians are perpetrating on ordinary businesses and other entities currently in Ukraine and elsewhere. Drawing on a model of cyber-organizational resilience – the Virtuous Resilience Lifecycle – we have discussed here before and another piece on the 5 T’s of cyber-crisis readiness discussed here as well - we tie the nature of these attacks back to what an average organization in business or civil society should do to build organizational cyber-crisis governance in these unpredictable and rapidly changing times.
Russia Carries Out Cyber Attacks Against Ukraine Business, Other Entities
Diverse reports show that Russia launched a variety of attacks against Ukraine resources including a series of distributed denial of service (DDoS) attacks against Ukrainian websites in early February. The attacks also targeted Ukrainian banking and defense websites, and were reportedly launched by the Russian military intelligence agency, GRU. In addition, a number of wiper malwares were recognized and associated with the Russian activities including WhisperGate that was used to wipe out the systems it was installed on, HermeticWiper and IsaacWiper.
Substantial evidence shows that these Russian cyberattacks are part of an ongoing series of cyber warfare campaigns targeting Ukraine. Of course, we know that historically there has been a series of attacks dating back several years. Even as recently as 2015, when it invaded the Crimean Peninsula, Russia managed to disrupt the power grid for over 230,000 Ukrainians. A year later, Russia broadened the scope of these attacks and began targeting banking systems and government entities.
The malware used in this campaign wiped out the data on systems it managed to reach. The list of victims also included many businesses that operate in Ukraine, which exemplifies precisely how indirect collateral damages caused by the Russia-Ukraine conflict in cyberspace can impact your organization, regardless of where you are geographically located.
Collateral cyber warfare operations have already proven to often result in what is known as spillover. These large-scale digital skirmishes are not usually associated with precise, targeted operations. An incident in 2017 showed businesses that they do not need to be a direct target to be severely impacted.
The malware known as NotPetya, responsible for shutting down operations at Ukrainian airports, was not contained to the borders of Ukraine. As it quickly spread across the internet, organizations found themselves fumbling around, trying to mitigate the threat and respond to the fallout. Several multinational organizations were stopped in their tracks due to NotPetya, including the worldwide shipping company Maersk, pharmaceutical superpower Merck, and a European subsidiary of FedEx known as TNT Express.
Additionally, new and disturbing purposes for some of these cyber-attacks are also being uncovered as in this recent AP story on how some of these cyber-attacks are designed to collect personal digital data on Ukrainian citizens for post “victory” to enable the persecution, arrest and worse treatment of Ukrainians that invading Russians might designate “enemies” under an imposed Russian regime.
Cyber-Crisis Governance All Kinds of Entities Should Consider Today
Building on our work on cyber-organizational resilience, including “The 8 steps to starting a cybersecurity virtuous cycle” and the “The 5 Ts of cyber-crisis readiness for every kind of organization”, we focus on the 1st and 7th elements of the Virtuous Resilience Lifecycle as applied to cybersecurity and depicted in the Figure below to underscore the need for deep interconnectedness between cyber-governance (#1) and cyber-crisis readiness (#7) at these seriously challenging times.
These two elements should be practically interconnected following three key practices / actions that should be taken within any organization to accomplish this and illustrate some of the governance and technical details on how to get there under each category.
The three critical action items are:
Action #1 – Ensure that the Chief Information Security Officer and his/her team are coordinating closely with other key functional groups throughout the organization and reporting key metrics regularly to the C-Suite and the Board of Directors. It is critical that legal, risk management, audit, operations and information technology meet regularly with the CISO team to understand the evolving threat matrix as well as emerging vulnerabilities.
Action #2 – Ensure that the CEO is holding regular – even weekly – meetings with the CISO, CRO and CTO (and perhaps others like the General Counsel) to understand and get ahead of new cyber threats as they come in, especially as they relate to the changing threat matrix from the Russian/Ukraine war. Especially at a time of regional, potentially global, warfare and disruption, the CEO must show leadership and tone from the top on a culture of cybersecurity and cyber-hygiene.
Action #3 - Ensure that management is reporting regularly – even monthly – to the Board of Directors on the cyber resilience posture of the company, sharing the key data and metrics the board should know about and providing access to the CISO and his/her team for further information. This should include key vulnerability access points such as through the company’s supply chain, employee and contractor population.
Put together, when these three action items work well within any form of entity – regardless of sector, footprint, or mission – a seamless Lean-in Triangular Cyber Risk Governance posture as illustrated below is what emerges and provides the entity with greater comfort that vigilance and resilience are being implemented at top speed:
a global affairs media network
Ukraine War Throws Geopolitical Wrench into Cyber Preparedness
Illustration via Adobe Stock.
May 12, 2022
An already challenging cybersecurity and cyber-resilience environment has only become more complex and dangerous with Russia's invasion of Ukraine. Cyberattack incidences are on the rise, but there are models which organizations can follow to prepare, write Andrea Bonime-Blanc and Tomar Saban.
J
ust when we thought there were enough compelling arguments and reasons for building cyber organizational resilience at any given business, NGO, or other entity, Russia’s invasion of Ukraine complicated matters. The Russian war against Ukraine has thrown a whole new layer of geopolitical complication on top of the already dire need for cyber-vigilance in the business and non-profit sectors everywhere and anywhere which remain woefully unprepared for what is in essence asymmetric warfare by nation state actors.
The conflict also brings into sharp relief how the average small, medium, or large business or other type of non-governmental, non-military entity, needs to build proper cyber-governance and preparedness in these challenging times.
In this article, we provide some background on the nature of the cyber-attacks that the Russians are perpetrating on ordinary businesses and other entities currently in Ukraine and elsewhere. Drawing on a model of cyber-organizational resilience – the Virtuous Resilience Lifecycle – we have discussed here before and another piece on the 5 T’s of cyber-crisis readiness discussed here as well - we tie the nature of these attacks back to what an average organization in business or civil society should do to build organizational cyber-crisis governance in these unpredictable and rapidly changing times.
Russia Carries Out Cyber Attacks Against Ukraine Business, Other Entities
Diverse reports show that Russia launched a variety of attacks against Ukraine resources including a series of distributed denial of service (DDoS) attacks against Ukrainian websites in early February. The attacks also targeted Ukrainian banking and defense websites, and were reportedly launched by the Russian military intelligence agency, GRU. In addition, a number of wiper malwares were recognized and associated with the Russian activities including WhisperGate that was used to wipe out the systems it was installed on, HermeticWiper and IsaacWiper.
Substantial evidence shows that these Russian cyberattacks are part of an ongoing series of cyber warfare campaigns targeting Ukraine. Of course, we know that historically there has been a series of attacks dating back several years. Even as recently as 2015, when it invaded the Crimean Peninsula, Russia managed to disrupt the power grid for over 230,000 Ukrainians. A year later, Russia broadened the scope of these attacks and began targeting banking systems and government entities.
The malware used in this campaign wiped out the data on systems it managed to reach. The list of victims also included many businesses that operate in Ukraine, which exemplifies precisely how indirect collateral damages caused by the Russia-Ukraine conflict in cyberspace can impact your organization, regardless of where you are geographically located.
Collateral cyber warfare operations have already proven to often result in what is known as spillover. These large-scale digital skirmishes are not usually associated with precise, targeted operations. An incident in 2017 showed businesses that they do not need to be a direct target to be severely impacted.
The malware known as NotPetya, responsible for shutting down operations at Ukrainian airports, was not contained to the borders of Ukraine. As it quickly spread across the internet, organizations found themselves fumbling around, trying to mitigate the threat and respond to the fallout. Several multinational organizations were stopped in their tracks due to NotPetya, including the worldwide shipping company Maersk, pharmaceutical superpower Merck, and a European subsidiary of FedEx known as TNT Express.
Additionally, new and disturbing purposes for some of these cyber-attacks are also being uncovered as in this recent AP story on how some of these cyber-attacks are designed to collect personal digital data on Ukrainian citizens for post “victory” to enable the persecution, arrest and worse treatment of Ukrainians that invading Russians might designate “enemies” under an imposed Russian regime.
Cyber-Crisis Governance All Kinds of Entities Should Consider Today
Building on our work on cyber-organizational resilience, including “The 8 steps to starting a cybersecurity virtuous cycle” and the “The 5 Ts of cyber-crisis readiness for every kind of organization”, we focus on the 1st and 7th elements of the Virtuous Resilience Lifecycle as applied to cybersecurity and depicted in the Figure below to underscore the need for deep interconnectedness between cyber-governance (#1) and cyber-crisis readiness (#7) at these seriously challenging times.
These two elements should be practically interconnected following three key practices / actions that should be taken within any organization to accomplish this and illustrate some of the governance and technical details on how to get there under each category.
The three critical action items are:
Action #1 – Ensure that the Chief Information Security Officer and his/her team are coordinating closely with other key functional groups throughout the organization and reporting key metrics regularly to the C-Suite and the Board of Directors. It is critical that legal, risk management, audit, operations and information technology meet regularly with the CISO team to understand the evolving threat matrix as well as emerging vulnerabilities.
Action #2 – Ensure that the CEO is holding regular – even weekly – meetings with the CISO, CRO and CTO (and perhaps others like the General Counsel) to understand and get ahead of new cyber threats as they come in, especially as they relate to the changing threat matrix from the Russian/Ukraine war. Especially at a time of regional, potentially global, warfare and disruption, the CEO must show leadership and tone from the top on a culture of cybersecurity and cyber-hygiene.
Action #3 - Ensure that management is reporting regularly – even monthly – to the Board of Directors on the cyber resilience posture of the company, sharing the key data and metrics the board should know about and providing access to the CISO and his/her team for further information. This should include key vulnerability access points such as through the company’s supply chain, employee and contractor population.
Put together, when these three action items work well within any form of entity – regardless of sector, footprint, or mission – a seamless Lean-in Triangular Cyber Risk Governance posture as illustrated below is what emerges and provides the entity with greater comfort that vigilance and resilience are being implemented at top speed:
