Well, 2022 is not off to the start we were hoping for, to put it mildly. We seem to have had all the biblical afflictions in the last couple of years (short of locusts and famine – fingers crossed) and 2022 has started off in the same vein. There but for the grace of God go we.
In this issue we highlight some of the potential cyber consequences of the Russian invasion of Ukraine, and Jimmy shares his view on the Zero Trust concept & how it applies to personal cyber security & Working From Home – even more relevant with the ongoing weather events on the east coast of Australia.
State sponsored hackers – conflict in Ukraine & possible fallout for Australian businesses.
Probably the best take we have seen among the many column inches (or pixels, more accurately) is a piece entitled “Cyber Realism in a Time of War” by Ciaran Martin, Professor of Practice at the Blavatnik School of Government, University of Oxford, who from 2014 to 2020 set up and then led the National Cyber Security Centre of the United Kingdom, part of the intelligence agency GCHQ.
Here are some excerpts from his comprehensive analysis of cyber warfare, which highlights the limitations of cyber attacks in modern warfare and goes some way to debunking the notion that the next war would be fought & won in cyberspace.
Cyber Realism in a Time of War
It turns out that the next war was not fought in cyberspace after all. Or at least the start of it has not been.
There has been no shortage of predictions over the past two decades about the importance of the digital domain in conflict since John Arquilla and David Ronfeldt warned that “cyberwar is coming” in a Rand Corporation paper back in 1993.
As recently as November 2021, British Prime Minister Boris Johnson remarked in a testy exchange with Tobias Ellwood, chairman of the committee of the House of Commons that oversees defense, that “the old concept of fighting big tank battles on the European land mass are over … there are other big things that we should be investing in … [like] cyber—this is how warfare of the future is going to be.”
Ellwood, a strong critic of the British government’s decision to cut Army personnel in favor of investment in cyber capabilities, replied, “You can’t hold ground in cyber.” And on military tactics, if nothing else, Russian President Vladimir Putin seems to have agreed with him. Despite being one of the world’s foremost offensive cyber powers, the Russian invasion of Ukraine has, thus far, been utterly conventional in its brutality as the horrific pictures from Kyiv, Kharkiv and other cities show on an hourly basis. And Ukraine’s heroic resistance is similarly centered on the traditional understanding of war.
The Cyber Threat to Ukraine’s Western Allies
Even though cyber operations have featured to an unexpectedly small extent in the conflict so far, the West still remains at higher risk of serious disruption—as distinct from catastrophic attack—via the cyber domain than it was before the invasion. To point out the misrepresentation of cyber capabilities, their limitations, and the lack of use of them so far in the conflict is to invite allegations of complacency. It should not; a nuanced understanding of the actual risks makes for better preparation for them.
There are two reasons why Western governments’ advocacy for implementing a posture of heightened alert—or “shields up,” in the catchy slogan of Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA)—is the right one. The first is accidental “crossfire” damage in cyber operations. There is still every chance that Russia will decide to mobilize its cyber capabilities against Ukraine to a greater extent than it has so far, particularly if cyber is seen to have a potential role in demoralizing and disrupting the Ukrainian population and the ability of Ukrainian society to function. The nature of the networked world means that those attacks may not be cauterized within Ukrainian systems.
In June 2017, the Russian military intelligence service, the GRU, launched one of its periodic cyber operations against a range of Ukrainian targets in the so-called NotPetya attack. The attack misfired, and spread globally, devastating the ability of multiple Western companies to function, causing around $10 billion in commercial damage. Maersk, the shipping giant, was heavily disrupted. Merck, the pharmaceutical company, just won its court case in January 2022 and was awarded an insurance payout topping $1.4 billion to cover its NotPetya losses. Many businesses, from the global law firm DLA Piper to Cadbury’s chocolate production facilities in Hobart, off the south coast of Australia, were badly disrupted. The irony of the NotPetya case, as with the globally devastating WannaCry hack a month earlier by North Korea, was that had the hackers done their jobs better, the global impact would have been far less. Should there be an intensification of Russian cyber aggression against Ukraine, which there may well be, especially if the war drags on, the risk of such a repeat miscalculation increases.
Professor Martin then outlines the 4 limitations which prevent Cyber War from becoming the main method of waging (& winning) wars:
Ease. Just as cyber capabilities don’t have the impact of missiles or ground troops, they can’t be directed like them either.
Effectiveness. Some of the more difficult cyber operations could have an obvious and useful impact at a time of war, such as disrupting military logistics or undermining air defenses. Outside of war, extremely complex operations, such as that undertaken against the Iranian nuclear program in 2011 via the Stuxnet worm, can give real-world strategic gain to those carrying it out. But these are usually very difficult to do. Stuxnet took years. Easier operations could be mounted against privately owned civilian critical infrastructure. As with sanctions, the aim here is not to harm, but to influence.
Escalation. So what would have such an effect? Here is where the risks of escalation would come in. If there was an attack of unprecedented sophistication on a British or American power grid, it would be blindingly obvious who had carried it out. The portrayal of cyber as a domain where there could be a decisive but secret intervention is one of the most dangerous mischaracterizations of the domain.
Ethics. This is unlikely to be on Putin’s decision tree, but it will and should be on the West’s. Health care is the obvious example.
So there are practical, strategic, and, in the case of the West, ethical limitations on the potential for escalation in cyberspace. That is not to say it won’t happen. A desperate Putin could launch whatever capabilities are at his disposal, and even with all these limits on the potency of cyber capabilities, repeated hostile attacks could cause major disruption (though most probably not death and destruction) in the West. And in any case, enough non-escalatory threats are already out there through spillover and the use of proxies to justify the current state of high alert.
What This Means for Western Cybersecurity Posture
At this early stage, the conflict so far tells us something about the limitations of cyber capabilities in both directions in this conflict. And the early stages of this war provide two important lessons of cyber realism for Western policymakers and their societies.
The first is realism about the limitations of cyber capabilities. For the reasons already explained, cyber capabilities give neither side a big red button to decisively alter the course of events. The war thus far has emphasized the limitations of cyber as a tool of war rather than its centrality to it. A more realistic consideration and public discussion of the role of cyber as a tool of statecraft—both the risks it poses and the capabilities it provides—is urgently needed. Cyber capabilities provide the potential to disrupt, delay, annoy, rob, steal from, spy on and influence an adversary. They therefore have a place in and outside of conflict, but they are not magic invisible weapons.
Read the full article here.
For us here in Australia, that means our critical infrastructure is unlikely to be targeted in the early stages of the campaign, but “accidental crossfire” may result in disruption. Our critical infrastructure networks are highly attuned to these threats & unlikely to succumb to frontal attacks. As Prof Martin says, it takes a long time to execute a successful hack on these organisations, and it is more likely that “accidental leakage” will contaminate and disrupt rather than cripple. These “leakages” will impact business, and there is a high likelihood that Russian hackers will sooner or later turn their attention to “low-hanging fruit” (i.e. businesses) in wealthy, unprepared countries who will pay ransoms to remove the malware & unwittingly support Russia’s war effort.
So what should you and your team do to protect your business?
How? One of the best ways to address these vulnerabilities is to apply a Zero Trust framework across your IT ecosystem, and we explore how in more detail below.
Jimmy’s view: Zero Trust concept & how to apply it to your own digital ecosystem
John Kindervag, an industry analyst at Forrester, (re)popularized the term “zero trust”, but it was coined in or before April 1994 by Stephen Paul Marsh for his doctoral thesis on computational security at the University of Stirling (UK).
Zero trust is a framework that assumes a complex network’s security is always at risk to external and internal threats.
Zero Trust requires all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data.
The Zero Trust concept became more prominent in the early 2000s when the industry started to move its infrastructure to Cloud Platforms, and realised that this opened up a Pandora’s box of vulnerabilities from operating in a relatively less secure environment, i.e. no longer physically contained within a network on a business premises.
As adoption increased, so did the need to secure these networks (initially) and then the traffic within (and outside) them. With Cloud Platforms, data moves in and out of networks into the Cloud at scale, and measures had to be implemented to secure that data.
Zero Trust addresses these vulnerabilities by validating every single digital exchange continuously, and is constantly evolving as new Cloud Platforms and interconnected capabilities are developed – think bank transactions, digital identity etc…
Jimmy says that everyone in the IT industry has a Zero Trust “target”, but the practical application of the concept is “non-trivial” – in layman’s terms, pretty tricky – because of the number of “applications” used (typically from different vendors/manufacturers) and their different architectures. So you can’t apply the same protocol to, say, online banking transactions and lodging your tax return through myGov, as they use different software.
To make things even more complicated, when businesses have several offices, or, even more commonly nowadays, employees work from home or on the road, you have no control over what networks they use, and that is a massive vulnerability both to the individual and the business.
As Jimmy points out, many businesses are operating partially or completely on the Working From Home model, which requires adaptation of standard IT managed services to address the vulnerabilities of the home environment (think children streaming pirated movies, multiplayer games, social media platforms etc…).
To apply Zero Trust to this un-managed digital environment, measures to secure devices, networks and behaviours must be implemented.
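To make the three Zero Trust ideas above concrete (authenticate and authorise every request, check device posture, and keep re-validating rather than trusting a past decision), here is a small access-decision evaluator. It is an added illustration written for this newsletter, not code from Hoplon or from any vendor product; the policy values (a 15-minute re-verification window, the posture checks required for “high” sensitivity data) and the sample requests are constructed assumptions. The point it demonstrates is that network location (office vs. home) never appears in the decision: the same request from the office is denied if MFA is missing, and the same request from home is allowed if identity, role and device posture all check out.

```python
"""Minimal Zero Trust access-decision evaluator (constructed example).

Every request is judged on its own merits: who is asking (identity), from
what (device posture), for what (resource sensitivity and role) and how fresh
the last verification is. Network location is recorded but never grants access.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed policy value: a past verification is only trusted for this long.
MAX_SESSION_AGE_SECONDS = 15 * 60


@dataclass
class Identity:
    user: str
    mfa_verified: bool
    roles: List[str] = field(default_factory=list)


@dataclass
class DevicePosture:
    managed: bool         # enrolled in the business's device management
    disk_encrypted: bool
    os_patched: bool
    screen_lock: bool


@dataclass
class AccessRequest:
    identity: Identity
    device: DevicePosture
    network: str            # "office", "home", ... informational only
    resource: str
    sensitivity: str        # "low" or "high"
    required_role: str
    last_verified_at: float  # epoch seconds of the last successful identity check


def evaluate(req: AccessRequest, now: float) -> Tuple[str, List[str]]:
    """Return ("allow" | "deny" | "reverify", reasons) for one request."""
    reasons: List[str] = []
    # 1. Authentication: MFA is mandatory whether the user is in the office or at home.
    if not req.identity.mfa_verified:
        reasons.append("identity: MFA not completed")
    # 2. Authorisation: least privilege, the role must match the resource.
    if req.required_role not in req.identity.roles:
        reasons.append(f"authz: role '{req.required_role}' not held")
    # 3. Device posture: a baseline for everything, stricter for sensitive data.
    if not req.device.screen_lock:
        reasons.append("posture: screen lock disabled")
    if req.sensitivity == "high":
        if not req.device.managed:
            reasons.append("posture: unmanaged device cannot reach high-sensitivity data")
        if not req.device.disk_encrypted:
            reasons.append("posture: disk not encrypted")
        if not req.device.os_patched:
            reasons.append("posture: OS patches missing")
    if reasons:
        return "deny", reasons
    # 4. Continuous validation: a good decision in the past does not last forever.
    if now - req.last_verified_at > MAX_SESSION_AGE_SECONDS:
        return "reverify", ["session: last verification older than policy window"]
    return "allow", ["all checks passed; network location was not a factor"]


# Constructed sample data for the scenarios discussed above.
NOW = 1_700_000_000.0
COMPLIANT = DevicePosture(managed=True, disk_encrypted=True, os_patched=True, screen_lock=True)
HOME_LAPTOP = DevicePosture(managed=False, disk_encrypted=True, os_patched=False, screen_lock=True)
ALICE = Identity("alice", mfa_verified=True, roles=["finance", "staff"])
BOB_NO_MFA = Identity("bob", mfa_verified=False, roles=["finance"])


def sample_requests() -> Dict[str, AccessRequest]:
    return {
        "office_no_mfa": AccessRequest(BOB_NO_MFA, COMPLIANT, "office", "payroll", "high", "finance", NOW),
        "home_compliant": AccessRequest(ALICE, COMPLIANT, "home", "payroll", "high", "finance", NOW - 60),
        "home_unmanaged_high": AccessRequest(ALICE, HOME_LAPTOP, "home", "payroll", "high", "finance", NOW - 60),
        "home_unmanaged_low": AccessRequest(ALICE, HOME_LAPTOP, "home", "lunch-menu", "low", "staff", NOW - 60),
        "stale_session": AccessRequest(ALICE, COMPLIANT, "office", "payroll", "high", "finance", NOW - 3600),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        decision, why = evaluate(req, NOW)
        print(f"{name:22s} -> {decision:8s} {'; '.join(why)}")
```

Running it shows the office user without MFA denied, the home user on a compliant managed laptop allowed, the same home user on an unmanaged, unpatched laptop denied for payroll but allowed for a low-sensitivity resource, and a session last verified an hour ago sent back for re-verification even though every other check passes.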
Listen to the full conversation here.
So what can business owners do?
The starting point for any concerned business owner or director – as the responsible and potentially liable individual – will be to assess their current cyber security stance, and ask probing questions of their IT provider.
Security questions will go beyond the basic antivirus software to more advanced cybersecurity protection measures such as what is being done in the areas of:
A key vulnerability NOT covered by IT providers or internal IT departments is the ease of access to the home digital environment, through the phenomenon of Working From Home, which has grown exponentially in the last few years and literally exploded since the pandemic began.
Hoplon Cyber Security was born of the unmet need for affordable & effective deployment of Cyber Security measures for SMEs (under 20 employees), Professionals Working From Home & Individual Households, who all share this key vulnerability of the home ecosystem.
Smart devices have only increased these vulnerabilities, as these small interconnected mini-computers have no built-in defences (cost factor) and come with factory settings designed to maximise ease of use and ease of connectivity. This means that they are easy to locate, access and penetrate by external parties to the household.
Hoplon Cyber Security’s main focus is to prevent malicious access of the home digital ecosystem using the Zero Trust framework and principles.
Hoplon Cyber Security is based in Brisbane, locally owned & operated & tailors its solutions individually for each customer.
The Hoplon Cyber team is always reviewing the rapidly evolving products & services in the industry to ensure market-leading protection & peace of mind for its customers.
Hoplon Cyber Security are here to help – call us on 1 300 312 862 for a complimentary consultation.
You can also head to our website for a free risk assessment to determine your current cyber security stance & vulnerabilities.
Stay Cyber Safe in 2022.
The Hoplon Cyber Team.
1 300 312 862
175 Melbourne Street
South Brisbane QLD 4101