The current cyber dimension of the Russia-Ukraine conflict and how it may escalate were discussed by Ciaran Martin, founding CEO of the UK’s National Cyber Security Centre (NCSC), during the keynote address at the Infosecurity Magazine Online Summit – EMEA 2022.
Martin began by noting that so far, “the cyber dimension has been quieter than many of us might have expected.” However, the past 24 hours have seen two announcements that have brought the scale of the threat posed in cyberspace into sharp focus. These were from “opposite ends of the cybersecurity spectrum.” The first was the notice issued by US President Joe Biden, warning US organizations to be prepared for imminent high-level cyber-attacks. Given the success of US intelligence relating to the conflict so far, “I don’t think they’d be doing that lightly,” observed Martin.
The other was the announcement by the charity The Scottish Association for Mental Health that it had suffered a ransomware attack, significantly impacting its systems. While these two announcements are in very different areas, it is likely both relate to threats “emanating from the Russian Federation.” Martin added: “It’s quite possible we’re dealing with a complex ecosystem of Russian criminality and Russian malicious cyber activity.”
Fundamentally, these two distinct announcements show that we’re both in a period of heightened tension in cyberspace and “we’re at risk from our enduring cyber vulnerabilities.”
Martin then explained why the Russian invasion of Ukraine means we are in a period of heightened tension. He pointed out that this is not the beginning of the conflict between the two nations, which in reality started in 2014 since the Russian annexation of Crimea. Since that time, Russian state-sponsored actors have launched numerous sophisticated cyber-attacks targeting Ukrainian critical infrastructure. These include taking out power grids, the NotPetya attack in 2017 and the wiper malware attack hitting numerous organizations on the eve of the Russian invasion of Ukraine in February 2022.
“We haven’t seen the cyber war that many predicted”
Due to these kinds of incidents, it has been something of a surprise that we haven’t currently seen any widescale disruption to Ukraine from cyber-attacks since the invasion began, noted Martin. “We haven’t seen the cyber-war that many predicted,” observed Martin. Currently, there is a lot of “cyber noise,” with groups with loose links to either side undertaking low-scale attacks, such as taking government websites offline.
Nevertheless, Martin discussed three reasons to be concerned about cyber-threats that may be round the corner, which help explain why the Biden administration issued its latest warning.
- Spillover: Martin highlighted the NotPetya attack on Ukraine in 2017, “which spread and wormed its way through the world, disrupting everything from the world’s largest shipping company all the way through to the disruption of Cadbury’s chocolate production facilities in Tasmania off the South Coast of Australia.” Martin said it is quite likely that Russia will employ similar unsophisticated cyber-operations, which could impact organizations worldwide.
- The danger of forgetting the lessons of 2021: Martin reminded the audience that last year saw numerous devastating cyber-attacks on critical services in Western societies, such as the ransomware attacks hitting the US East Coast fuel pipeline and Ireland’s healthcare service. Many ransomware attacks emanate from Russia, where notorious groups like REvil and Conti are believed to be allowed to operate by the Kremlin. The arrests of REvil gang members earlier this year showed that Vladimir Putin could control these threat actors. However, “similarly he can unleash them.” Therefore, we must be aware of the “potential for ransomware to tear through the soft underbelly of business, government and charities.”
- Combining the two: Martin also outlined the potentially devastating impact of the Russian government combining these two types of threats, “causing as much mayhem as they can.” While he doesn’t believe this approach will be imminent, organizations need to get their cyber defenses in better shape to prepare for this possible blitz in the coming months and weeks.
Martin then outlined three lessons we should take from the current conflict about cyber in a time of war.
- Cyber isn’t the primary tool of war: Contrary to what many experts were predicting, cyber has been a peripheral part of the conflict, accompanying traditional military operations. The Ukraine conflict reinforces that the reality of war is that it is “brutal, physical and murderous.”
- Get the security basics right in the short term: Martin stressed it is important for organizations not to panic but instead reinforce security basics to keep themselves secure in the short term. This includes protecting organizations’ ‘crown jewels,’ updating incident response plans and ensuring that threat intelligence and analytics is up-to-date as possible.
- Put the threat in proportion: It is important to ask some hard questions about “why we are worried at the minute,” according to Martin. He noted that it would be very difficult, if not impossible, for Russian threat actors to paralyze countries like the UK by simultaneously taking down critical infrastructure systems. “That disruptive cyber-attack on a whole country seems beyond anybody at the moment,” commented Martin. Instead, the main concern is the frequent disruption to critical services through attacks on organizations in areas like healthcare and energy.
He noted: “We know our defenses against that sort of disruption across the totality of economy and society just aren’t up to it and that leaves us vulnerable.”
This requires a long-term fix, which needs to start now. In particular, this involves addressing the legacy backlog in IT systems and thinking more strategically about our secure digital environment, building security into systems.
Martin concluded with the following message: “Hold our nerve, don’t panic for now, and apply good security practices as we watch this awful crisis.”