The low cost of conducting cyber-attacks and the impunity of the perpetrators has led to an increase of both the incidents and their severity, including government-sponsored acts.
Amid the growing geopolitical rivalry in cyberspace, the emphasis by great powers is placed on spying on adversaries and strategically using existing information to weaken opponents.
So far, the cyber dimension of Russia’s war in Ukraine has translated into few damages for international firms, but companies must remain vigilant and brace for unintended consequences.
Implications for International Business
Companies should increase their cybersecurity, since Russian cyber operations against Ukraine are likely to have accidental effects outside the immediate conflict zone.
Beside a cyber risk assessment, building redundant parts into systems can drive firms' cyber resilience.
A major quarrel over who pays for cyber incident damages is fought between companies and insurance firms, with the former having had some success recently.
State of Play The rise of cyber offensive capabilities renders cyberspace more dangerous
Cyberspace consists of the network of information technology infrastructures and resident data, including the internet, telecommunications networks, computer systems, and Internet of Things (IoT) devices. The main drivers of cyber threats are the low cost of conducting such attacks and the likely impunity of the perpetrators. While criminals often conducted cyber-attacks in the past, attacks have also become state-driven. For the past eight years, Russia has led disruptive cyber operations against Ukraine’s energy sector (shutting down power plants), election infrastructure (meddling with tallying of votes), public sector (using data wiper malware), and financial institutions (overloading of bank websites). In turn, within a few hours of Moscow’s invasion of Ukraine, the hacker group Anonymous responded by declaring a “cyber war” on the Russian government. Anonymous disabled the websites of Russian state TV channels, the Kremlin, and the Duma. To protect its critical infrastructure, the EU is revising its directive for network and information systems security (NIS2) to require telecoms providers, banks, energy grid operators, and other critical services to promptly report cyber incidents to national authorities. The Cyber Resilience Act, another EU legislative act expected for Q3 2022, introduces joint certification standards for IoT devices.
Key Issues Cyberspace as new playground for great power competition
Russia has for years worked towards creating a national state-controlled alternative to the privately-owned internet that is common in most other countries. The increasing regionalization of the internet raises the cost for businesses that have to comply with diverging national technical standards and that have to establish local data storage centers. The Kremlin has also been notorious for leveraging cybercriminal groups to achieve geopolitical goals. It has tolerated cybercrime activities emanating from Russia as long as these spared Russian businesses or individuals. When Western businesses and government entities were targeted abroad it played into Russia’s goal of highlighting the weakness of democracies. Non-state actors provide plausible deniability for Russia. During the major cyberattacks on Estonia in 2007, Russia fended off any criticism by claiming non-state actors had conducted these attacks. This rhetoric continues until today.
An important dimension of geopolitical cyber rivalry is spying on adversaries and strategically using information to weaken opponents. In Germany, Russian hackers targeted members of the Bundestag in the 2021 Ghostwriter campaign, supposedly aimed at leaking information to embarrass the MPs and compromise their online presence. As Putin’s current war against Ukraine shows, the military dimension of cyber operations appears to be for now much subtler, given that no cataclysmic cyber operation has yet been observed against Ukraine with the exception of the cyberattack against satellite network provider Viasat, which limited the Ukrainian military’s situational awareness at the onset of the invasion. In cyber, intelligence also aligns with ideological factors. China is one of Russia’s few partners in the global cyber competition, assisting Moscow to shield off the Russian information environment from the world. Sino-Russian technological transfer may face major challenges, especially due to US sanctions on Chinese equipment. If Russia used the equipment in its own products, it would violate sanctions and it would be unable to export any of that equipment abroad.
Geo-economic consequences for international firms
Geo-economic consequences for international firms So far, the major geo-economic consequences of the current cyber rivalry have been unintended. The Russian NotPetya malware was meant to target Ukraine. But, as the code was written hastily, it also disrupted the global operations of German multinational Beiersdorf, logistics giant DHL, Danish shipping company Maersk and many others. It is believed to have been the costliest cyberattack in history. Insurance companies have been in the spotlight in the discussion about how to mitigate the costs of such attacks. In January 2022, Merck, a pharmaceutical company also affected by NotPetya, won a lawsuit against insurer Ace American. The insurer had claimed that the malware was an “Act of War”, which it cannot cover. A U.S. court decided, however, that Ace American had failed to update their policy language to include cyberattacks as acts of war and that Merck will be compensated for damages of up to $1.4 bn. Much damage can be avoided when businesses conduct a cyber risk assessment, mapping their assets, identifying potential risks, and defining mitigation measures. To ensure the continuation of business operations, redundant parts must be built into systems, thus increasing resilience. For example, backups which are segregated from the rest of the company can quickly turn companies operational again after a ransomware attack. In a business where the confidentiality and integrity of data is of utmost importance, encryption within company networks as well as multifactor authentication can fend off most attacks.