Considerations for private sector companies under threat from cyber attacks by nation states
On 16 April 2018, the United Kingdom (UK) and the United States (US) issued an unprecedented joint alert warning of Russian cyber attacks. This alert highlighted that the threat was not just against government targets, but against private sector companies, especially those considered to be vital to the national and economic security of a country.
In the aftermath of the poisoning of the former spy, Sergei Skripal, and his daughter allegedly by Russia on UK soil, and in the escalation of tensions after the recent US, UK and French missile attacks against Syrian targets, the geopolitical faultlines between nations and businesses have been blurred.
As demonstrated by the daily coverage across the globe, the increased risk of a cyber attack to critical infrastructure – especially, energy companies, transportation, financial institutions, healthcare, etc. – is at an all-time high. It is imperative that companies assess their cyber-based business risks, understand the cascading impacts, and prepare across the corporate enterprise.
While critical infrastructure may be directly targeted, other types of industries and companies may also get caught in the cross-fire. In June 2017, the NotPetya virus, which was rooted in an attack by Russia on Ukraine, also had cascading impacts on non-critical infrastructure companies, which suffered from significant losses in sales because of operational disruptions.
This asymmetric form of war - where nations are using cyber attacks against businesses as a weapon - will have numerous operational, financial and reputational consequences for companies.
In addition, as of early May 2018, when the EU Directive on the Security of Network and Information Systems (NIS) becomes law in European countries, critical infrastructure companies will be required to report to the relevant national authority if such an attack were to happen. Any company found in violation may face a penalty of up to £17 million.
It is not enough to invest in technical security measures – an advanced nation state threat like Russia can and will penetrate through the best of defences. Companies – especially those operating and supporting critical infrastructure - need to be prepared and be ready to respond quickly.
Key Questions to Consider:
- Do you have a company-wide cyber crisis plan in place, especially one that takes into consideration cyber attacks with physical consequences – e.g., inability to provide electricity; breaches of water treatment plants; inability of customers to withdraw money from bank accounts; explosion of an oil and gas pipeline; impacts to security in multiple geographies at the same time?
- What are the key cyber-specific questions that Boards and Executive Committees and Crisis Management Teams should be asking in order to obtain situational awareness around business impacts and reputational consequences?
- How do you integrate both information sharing and response coordination across the entire corporate enterprise?
- Do you know all of the various key non-regulatory, government stakeholders in each of the countries in which you operate?
- How do you navigate the various conflicting government (national, regional and international) stakeholders? These are entities focused solely on cyber – e.g., the National Cyber Security Centre in the UK; ANSSI in France.
- Do you know what resources they may bring? How will you be prioritised if the attack impacts multiple entities within a country?
- Do you know how to deal with a nation / intelligence / law enforcement classifying an attack? How does that work if you need to notify regulators, the market or the public?
The above are some of the initial issues that companies will need to navigate in an increasingly complex environment, heightened by the geopolitical risks that are unfolding on a daily basis. A mythical, distant cyber war is no longer relegated to spy movies and dinner conversations. For companies, especially those considered to be critical infrastructure, the risks are real. Impacts are consequential. Preparedness is key.