Business top brass are terrified their companies will simply be collateral damage in a future cyber-war

Organizations need not fear a direct hit – someone knackering the internet or the grid would be enough


Businesses are worrying about being caught in the crossfire of cyber warfare, according to research from Bitdefender – while industry figures warn that the gap between common-or-garden cyber threats and “oh, look what nation states are doing” is becoming ever smaller.

Bitdefender’s latest report, titled 10 in 10, surveyed around 6,000 C-suite bods responsible for cyber security and found [PDF] “over a fifth” of these said that cyber warfare was one of the most challenging topics they had to convince their colleagues to take seriously.

The firm’s global cybersecurity researcher Liviu Arsene told The Register: “I don’t think they’re afraid of cyber warfare in the sense of directly being targeted, more in line with being collateral victims of cyberwarfare taking out electric power grids, internet. They need to be prepared for these kind of attacks.”

Good thing there are people like, say, Bitdefender on hand to help, eh?

Cyber warfare, at its simplest, involves disrupting computers to achieve a real-world effect. This could be something like a denial-of-service (DoS) attack against a power grid*, intended to cause a power outage, or the infamous Stuxnet malware infection that set back Iran’s nuclear weapon ambitions by several years. It could also include attacks designed to degrade an adversary’s own ability to mount cyber attacks; cyber on cyber.

Not every aspect of such warfare overspilling onto civilian organisations is necessarily as worrying as it might be for nation states. Arsene said: “I remember last year an interesting consequence of cyber warfare was when it became physical. The Israeli government was facing a cyber attack, tracked down the attackers’ location, pinpointed a missile... I don’t think CIOs are worried about being visited by a cruise missile! But they are worried about potential cyberattacks that may disrupt their operations – being caught in the crossfire.”

This chimes to an extent with Bitdefender’s wider survey findings as they relate to CIOs’ and CISOs’ fears.

Being nuked or shelves stripped bare by digital looters?

If their companies were directly targeted, 37 per cent of respondents to the threat intel firm’s survey were most concerned about “loss of customer information,” with a third also being worried about “loss of financial information.” CIOs see cyber warfare’s potential impact on civilian businesses as primarily being conducted to gain useful information for further exploitation.

Only about 30 per cent worried about destruction of the company (“business interruptions,”) with just over a quarter growing grey hairs over fears that firms would lose revenue or market share. Oddly, a fifth thought “legal fines” would be one of the most critical outcomes of cyber warfare waged against their employers.


Part of the problem in communicating the urgency of confronting potential state-level threat actors is defining the term “cyber warfare” in a useful way. Rob Pritchard of the Cyber Security Expert consultancy told The Register:

“If you consider something like Stuxnet or Sony – that wasn't fallout, they were the targets. I think we can probably draw a bit of a parallel if we look at the progression of hacking as a means of espionage, and how that suddenly impacted a broader range of organisations than might once have been subject to hostile state activity.”

Warming to his theme on both Stuxnet and the Sony Pictures hack, allegedly carried out by North Korean state-sponsored hackers the Lazarus Group, Pritchard continued:

“It caught both the defenders on the hop – how do you go to an industry and brief them on a classified threat when they fall outside your regular community and the various industries themselves were caught out? Chinese cyber espionage was hugely prevalent, but if you were AN Random tech company would you really have believed the Chinese were spying on you ten or more years ago?”

Philip Ingram, a former senior British Army intelligence officer, also pointed to the Notpetya attack, a state-on-state cyber weapon deployment that spilled out to infect the wider world, including victims who probably weren’t anywhere near the minds of the Russians who initially targeted the Ukrainian government.

Arsene agreed, telling El Reg that in his personal experience around half of organisations hit by the sudden global shift to remote working were “caught off guard”. He compared this to preparing for cyber warfare, saying: “They don’t know about these security gaps. Up until now [the situation] was one of complacency.”

Protect and Survive: Ethernet Edition

Inevitably cyber warfare draws comparisons with nuclear warfare: the fallout affects many more people than the intended target, in ways that are perhaps unforeseen compared to the actual attack.

Ingram told us: “In 2017 the Shamoon virus attack on Saudi Aramco, who pump 10 per cent of the world’s oil, saw over 30,000 computers physically destroyed in what was believed to be a revenge attack for the Stuxnet malware that attacked Iran’s nuclear enriching facilities. All of these incidents were small-scale focused attacks that caused wider unforeseen collateral damage. Should a full-scale cyber conflict ever start, the potential consequences for anything connected to the internet are frightening.”

Similarly, Arsene pointed to the Shadow Brokers vuln revelations as another example of how cyber warfare tools leak into the wider world, saying: “After [the NSA cyber warfare tools] were leaked, they were weaponised to infect [others] with Wannacry, hundreds of thousands of computers. Initially NSA weaponised that vulnerability, it was a military-grade cyber weapon. Inevitably it was used against everybody, not just governments. It also affected organisations of all sizes and verticals.”

Overall the fear is not of companies themselves being attacked, though that fear is present and with good justification. Rather, in the context of all-out cyber war, the concern of industry as a whole is that malware and digital weapons deployed by nation states will end up being deployed against them, whether by accident (as with Wannacry) or by design, as with the Shadow Brokers’ NSA exploits.

Lest the wakeup call be insufficiently loud it’s vitally important to realise that this is already happening, warned Arsene: “APT-style attacks, carried out by the same skilled individuals, or people with the same skills as those that work for nation states, seem to have made it into the private sector.”

Si vis pacem, para bellum – if you want peace, prepare for war. ®

Bootnote

* Although this is the first thing most people think of when dreaming up cyberwarfare scenarios, in reality squirrels are a far greater threat to nation states’ electrical integrity, according to 2017 research by a cybersecurity researcher fed up of doom ‘n’ gloom headlines and assumptions.


Biting the hand that feeds IT © 1998–2022