Organizations Preparing for Cyberwar

Perhaps—just maybe—2022, mainly due to the Russian invasion of Ukraine and the use of offensive digital operations, will go down as the year executives started taking the threat of cyberwarfare as a realistic risk against their operations.

This week, device security platform provider Armis took a stab at quantifying the current state of cyberwarfare and gathering organizations’ sentiments on their overall preparedness.

Of course, businesses have always needed to incorporate geopolitical risks into their decision-making. About 23 years ago, with the rise of e-commerce, more companies and government agencies had to add digital threats into their geopolitical risk calculus. The internet made the world much smaller and placed businesses (should they be deemed on the “wrong” side of a conflict) in the crosshairs of previously far-flung digital activists and nation-state threat actors.

However, the concept of cyberwar has always been and continues to be foggy. Where do cybercrime and cyberwar begin and end? What attacks are cyberwar versus old-fashioned espionage? When do disinformation and propaganda campaigns go beyond traditional offensive statecraft and become acts of war?

There’s currently no firm agreement on the answers to these questions, but there needs to be. How organizations and nation-states respond to cyberthreat provocations and what constitutes an act of war versus traditional adversarial statecraft that doesn’t cross that line is an important topic and deserves serious treatment and attempts at definitions.

The Armis study, State of Cyberwarfare and Trends Report: 2022-2023, takes an arguably broad definition of “cyberwar.” The study defines it as “the use of cyberattacks, causing comparable harm to actual warfare and/or disrupting vital systems or services. Some intended outcomes could be espionage, sabotage, propaganda, manipulation of public opinion, intimidation, or disruption of critical services.”

As the Center for Strategic and International Studies (CSIS) analyst James Andrew Lewis wrote in Thresholds for Cyberwar, “A cyberattack would be an individual act intended to cause damage, destruction, or casualties. There is a gray area, of course, when we think about disruption, particularly the disruption of services and data, and when this disruption rises to the level of the use of force. The threshold should be very high for calling a disruptive activity an act of war or attack.”

In that post, Lewis defines cyberwar as “the use of force to cause damage, destruction or casualties for political effect by states or political groups.”

Still, there are interesting and valuable findings in the survey. According to Armis, it commissioned a survey that questioned just over 6,000 IT and security professionals working at firms with more than 100 employees within the U.S,, UK, Spain, Portugal, France, Italy, Germany, Austria, Switzerland, Australia, Singapore, Japan, the Netherlands and Denmark. The study is also based on data from the Armis asset intelligence and security platform to contrast survey results against real-world trends.

The survey found 33% of respondents are indifferent or unconcerned about the impact of cyberwarfare on their organization. This could be reasonable, after all, if an organization is taking the steps it needs to remain resilient in the advent of disruption, such as DDoS attacks, ransomware, and other forms of disruption (lengthy power or telecommunication outages) via implementing a sound security and business continuity and disaster recovery posture — there are not many more things most organizations can do regarding nation-state activity other than try to stay out of the digital lines of fire.

Overall, a majority of respondents (64%) agree that the war in Ukraine increased the threat of cyberwar, and interestingly 45% of respondents reported an act of cyberwarfare to their authorities. The survey also noted an increase in threat activity on their networks between May and October 2022 compared to the previous six months. Still, the report didn’t specify if that increase was fueled by acts that could be considered cyberwar or traditional cybercrime.

Similarly, C-Level executions stated that their organizations experienced more threat activity during May and October 2022.

CxOs from industries including food and beverage (44%), telecommunications (44%), automotive (43%), retail/ wholesale (42%), and technology (42%) experienced higher-than-average threat activity.

Notably, Armis’ analysis found the largest, based on percentage, threat activity increased against critical infrastructure organizations, with the healthcare vertical being the second most targeted.

The survey found attacks against the healthcare industry remain robust, with 45% of healthcare respondents stating that they’ve endured the same threat activity on their network between May and October 2022 compared to the six months prior. However, 28% said they’d experienced more threat activity when evaluating the same timeframes.

Further, (70%) of respondents said they are somewhat or very concerned about the impact of cyberwarfare on the entirety of their organization, their company’s critical infrastructure (72%), and their company’s services (68%).

Not surprisingly, the healthcare vertical and those responsible for securing OT critical infrastructure said that their business leaders recognize the risks. Respondents said boards of directors are changing the organizational culture towards cybersecurity in response to the threat from cyber warfare. That’s true for 74% of respondents for OT security and 72% of healthcare, medical and pharmaceutical respondents.

Finally, the survey found the overall cybersecurity risk environment is slowing digital transformation efforts, with 55% of respondents saying they have either stalled or even stopped digital transformation efforts as a result of cybersecurity issues, and in many countries, the percentage of respondents saying that they’ve braked on their digital transformation efforts is relatively high: Australia (79%), the USA (67%), Singapore (63%), the UK (57%), and Denmark (56%).

The rise in attacks on OT coincides with the research firm Gartner’s prediction that by the end of this year, attacks on cyber-physical systems that result in fatal casualties will reach more than $50 billion in costs. Gartner also predicts that by 2025, cyber attackers will have weaponized OT environments to successfully harm or kill humans. “Even without taking the value of human life into account, the costs for organizations in terms of compensation, litigation, insurance, regulatory fines, and reputation loss will be significant. Gartner also predicts that most CEOs will be personally liable for such incidents.”