It’s been difficult and heart wrenching to follow the ongoing war in Ukraine—especially thinking of the lives of civilians lost and the damage that could take years to rebuild. Unfortunately, the implications of what’s happening there could also soon have more wide-reaching ramifications—everywhere.
The tech community, U.S. and international intelligence, law enforcement agencies, and other Western governments are warning of possible Russian attacks on Western targets. Many in the cybersecurity industry believe that President Putin and threat actors loyal to the Putin regime will retaliate for the sanctions and social isolation being levied against Russia, its businesses, and wealthy oligarchs—and that the retaliation will involve cyberattacks.
In the past two years, several of the most significant attacks on U.S. infrastructure, including Colonial Pipeline and JBS Foods have been attributed to Russia-based threat actors. The BBC recently reported research done by Chainalysis that showed 74% of ransomware payments have gone to Russian-affiliated groups. Russian threat actors and government agencies are highly capable and should not be underestimated. As damage from sanctions and other major interdictions hit Russia hard, the likelihood of potential counterattacks only increases.
Take Time to Review, Improve your Cyber Posture
It's critical for managed service providers to improve our own posture and get businesses and government to act. There is no room for excuses. There is no more influential group equipped to help than those tasked with managing and securing IT systems.
Western democracies and others have been under siege by foreign and domestic cyber threat actors since the existence of network technology. From the theft of business intellectual property, military secrets and personal data to service interruptions, ransomware and other extortion attacks, the impacts have been growing. These attacks result in the destruction of data, entire companies and related jobs. They erode our technological advantages and national security. The resulting interruptions come at a high cost in both human and financial capital. For businesses challenged with protecting the cybersecurity interests of their customers, here are three critical points to consider as you strategize next steps:
1. Repercussions around Cyber Insurance Costs
The timing of the invasion of Ukraine is sadly aligned with other major changes in the risk landscape. For example, there has been a massive shift in insurer behavior. Insurance companies are pushing back against those that do little to protect themselves. They are refusing claims and coverage to those who lied or inaccurately completed insurance risk questionnaires. Cyber insurance underwriters are requiring companies attest to reasonable networking and data defense practices. Brokers are warning clients if they fail to do what they attest to, they will not be covered when a breach or other event occurs.
Several tech-relevant imperatives have developed from the war and other geopolitical situations. Organizations still relying on denial as a defense and insurance for recovery must change their thinking immediately. Due to massive losses and the potential for the attacks to be deemed state sponsored, insurers are also refusing coverage for victims of state-initiated attacks and acts of war. Even if you meet your cyber hygiene requirements, you may find that you have no insurance coverage when the time comes. This also means that if Russia is declared to be responsible for attacks on western countries, those victims may in many cases see their claims denied.
Close colleagues at the insurance executive level tell me we are only seeing the beginning of the new baseline for insurance. Some insurance premium increases have been reported as high as 334% and in many cases are averaging 100% with major reductions in coverage limits. Having managed many insured, global enterprise cases, we recognize that there is clearly more scrutiny of costs to recover. Insurers are pushing victims to just get back up and not spend as much on containment and future defense. For many victims of ransomware, paying the ransom is literally the difference between continuing as a business, or shuttering and going home.
Having insurance coverage is critical because most victims do not have hundreds of thousands to millions of dollars on hand to pay a threat actor. Keep in mind, paying a ransom is at times tenuous because it may well be illegal. Considering the war footing, it is likely they will not just attack western targets, but those attacks will be destructive and not allow for recovery without a comprehensive recovery processes and systems. Anyone considering paying a ransom (if given the option) in the current environment should be sure they are not afoul of the law. And please, let’s all focus on defense, business continuity and disaster recovery without the help of insurance or payment of ransoms.
2. Interruption of Threat Actor Systems
Over the past several months, there has been a remarkable awakening in the U.S. and other Western governments. They have finally begun to take the concerted actions needed to make a difference in the modern cyberwar and specifically the battle against ransomware, data extortion and other significant cybercrime behaviors. This change is clearly disruptive to criminals in the short run but may well have a positive long-term impact as well. The disruption of ransomware gangs’ systems both at home and abroad, interception and tracking of crypto currencies, sanctions, indictments, and extraditions of criminals, and hacking back are making a difference. I also believe that the distraction of Ukrainian cybercriminals and my guess is, the conscription of Russian cybercriminal actors by Russian leaders and their subsequent focus on Ukraine operations, has dramatically reduced commercial ransomware and extortion operations. There are many groups from the IT Army to Anonymous attacking Russia in the fight to defend Ukraine. Unfortunately, it will have little-to-no long-term positive impact on the destructive activity and retaliatory attacks.
3. Concerns about Tech Outsourcing
The potential for computer systems owned or used to support Western companies being either seized by Russian military or left behind by Ukrainians for Russia to find is real. Some estimates put Ukrainian outsourcing to the world at $5 billion dollars per year. Clutch reports there are 885 companies listed as Ukrainian and doing outsourced IT support and app development. It's unreasonable to think that as Ukrainian contractors were forced to abandon their offices, desperately trying to get their families to safety before fighting for their homeland, they had the time to think about client data. This is 100% understandable; however, it does not change the point.
Many companies’ data, potential access information, network documentation, source code, client information, and other critically sensitive data, could already be in the hands of Russians. Customers who could be impacted should be taking defensive action now. This should also be a wakeup call to others outsourcing to foreign companies—consider this contingency and be prepared for the worst-case scenarios.
Beyond the immediate and future geopolitical instability, the war will directly impact many of us in the world of technology. More specifically, those of us charged with defending and rescuing organizations from cyber-attacks must reevaluate our own operations and futures. We must press harder for education, prevention, response and real business continuity and disaster recovery options over typical prayer and insurance coverage. We need to change our behavior as a community and get away from set-it-and-forget-it tools and wishful thinking. Now is a perfect opportunity to change minds.
Kevin McDonald is CISO at Alvaka Networks, co-chair of CompTIA’s Cybersecurity Advisory Council, and member of the CompTIA ISAO SME Advisory Committee.
Add CompTIA to your favorite RSS reader
