At the end of November, the SafeBreach team brought together two of our most experienced cybersecurity professionals—our CISO Avishai (Avi) Avivi and Director of Security Research Tomer Bar—for a discussion on cyber warfare and its impact on national cybersecurity. Guest host Jenny Radcliffe, ‘The People Hacker’ and world-renowned social engineer, and Kevin Fielder, CISO at the FNZ Group, joined in on the conversation. The group covered a wide range of topics in a far-reaching and fascinating conversation. In case you missed it, we’ve recapped the five most important takeaways for you below.
#1: It can be difficult to know where to draw the line—is cyber warfare actually war?
One of the first points acknowledged by our panel was that while conventional warfare is largely a plain, unavoidable fact, the term “cyber warfare” is much more difficult to define. What is the main goal of cyber warfare? According to Kevin, it’s often stealing intellectual property, which is nothing new. He made the observation that much of what could be defined as cyber warfare could just as easily be classified as traditional, good-old-fashioned espionage, not necessarily all out war.
Avi echoed this sentiment, but pointed out that classifying attacks isn’t the main issue. He argued that while many attacks would not be classified as an act of cyber war, there have likely been incidents that crossed the threshold into a legitimate act of war. The real problem, according to Avi, is figuring out an appropriate response, which he argues is “much less clear cut” than classifying attacks.
Kevin also reminded us that while cyber warfare incidents are typically harder to attribute than traditional warfare incidents, this doesn’t mean that small, rogue groups of cybercriminals are capable of starting world war three. Using the example of IRA terrorist attacks in 1970s England, Kevin pointed out that ”nobody blamed the nation as a whole.”
At the end of the day, cyber warfare is drenched in ambiguity when it comes to its definition, the appropriate responses to it, and even attribution. Cyber warfare is an incredibly modern concept, and there simply are no clear-cut answers to the questions that surround it. It will take years—and likely a few missteps—before we truly know where to draw the line.
#2: Cyber warfare does not obey the same rules as kinetic warfare, but does interact with it.
It’s worth pointing out here that due to cyber warfare’s elusive qualities, it is not seen in the same light as traditional, kinetic warfare. The physical destruction inherent with kinetic warfare is typically not present in cyber warfare. As Avi reminded us, there are often “no missiles and no physical damage, but some cyberattacks can cross that threshold and become kinetic.” And the threat to national cybersecurity can still be significant. The example given here was the Colonial pipeline ransomware attack, which shut down the East Coast’s fuel supply for several days. Avi hypothesized here that “if this attack targeted the entire US, I think it would have been considered an act of war.”
Tomer also added a further terrifying prospect to the conversation, asking what would happen if the same group had instead targeted “a hospital network, which could lead to significant loss of life,” much as they did during the WannaCry attack on the UK’s National Health Service (NHS) in 2017. Cyber criminals have unlimited opportunities to create such havoc because, unlike traditional warfare that can only be waged with access to the weapons of a nation-state, cyber warfare can be waged by anyone with an Internet connection.
Avi outlined the more complex issue at play, reminding us that: “We’ve become so reliant on our digital supply chain that something might not be considered an act of war, but could have effects that could prove just as disrupting. An example I always give is a ‘fake’ verified Twitter account suggesting they were Eli Lilly and were about to make insulin free, which caused their share price to plummet. That was just a prank, but imagine if there was malicious intent behind it. Imagine the havoc that could be caused.”
#3: Cyber warfare is not just a concern for nation-states, but corporations too.
Cyber warfare may be something that conjures up images of war rooms, military uniforms, and back-room conversations between intelligence agencies, but the reality is these kinds of incidents can affect any organization. Whether this is a nation-state looking to wreak havoc in a hostile state’s economy or a hacktivist taking aim at an organization for some kind of politically motivated reason, thinking you are not a target is no longer an option.
As Kevin reminded us, businesses are not exempt, even those that may not think they fall into the category of critical national infrastructure. He gave the example of a payments provider in the UK with the ability to stop a huge amount of British high street payments, which would have the potential to wipe billions off the economy. These are the kind of terrifying hypotheticals that “place us on a road to societal breakdown,” host Jenny Radcliffe reminded the audience.
Tomer brought up the Sony hacking incident as an example, where North Korean actors stole and revealed Sony IP in a wide-ranging attack, viewed by some as a response to a perceived slight on the North Korean leadership,
Avi provided a sobering reminder that this is “not a fair fight. Nation states versus corporations in terms of budgets, ability to defend, etc., leaves organizations severely unmatched,” making it all the more important that they take the appropriate steps to keep themselves safe.
#4: Cyber warfare has only just begun.
Everyone involved in the panel had been told about or experienced activities that could be considered cyber warfare. Kevin recalled his contacts in the water industry concerned about cyberattacks that could change perceived water pressure levels, leading to mains around major cities to burst. Tomer told us about multiple wipers used during the early stages of the invasion of Ukraine to support the kinetic side of the war, which he believes will be used moving forward in future conflicts. He also mentioned critical infrastructure attacks in and around the Gaza strip, and Israel more generally, where Iran attempted to poison the general populace by changing the PH levels at water plants.
But a more pressing issue, our panel agreed, was the future. In particular, attacks on the integrity of data. From a financial or insurance perspective, compromising data could be devastating. Avi even suggested that threat actors could attack healthcare providers to change people’s blood type records, the negative consequences of which are both obvious and immense.
All of our participants felt that we have yet to see the true impact of cyber warfare. Avi made the point that, unlike kinetic warfare, cyber warfare can be waged with widely available equipment. This means that illegitimate, unsanctioned actors can get involved in a conflict in their free time. As nationalist ideology flares up across the world, this could be a very dangerous thing. State-backed actors are, to an extent, restrained by their superiors. Much like in a business, decisions have to go through rounds of approval, or trickle down from above. Nation-state actors are likely not ordered to “do their worst,” because it could cause an unwanted escalation. Lone wolves who believe they are acting on behalf of their nation could launch much more severe, unsanctioned attacks, which have the potential to destabilize geopolitics from the comfort of their own home.
#5: Security teams and CISOs need to be ready for the worst, but they cannot buy their way out of this problem.
Thinking about what the business community can do to combat the threat of cyber war, the panel concluded that it is not just about cyber teams, but operational resilience (e.g., backup data centers, providers, and systems). Kevin made the case for threat hunting, being aware of the known vectors, and having a last resort plan if the worst does happen: “For a few days, would you be able to work on paper?”
Kevin made the case for business continuity plans (BCPs). Modern businesses must have a BCP in place to ensure operational resilience in the wake of a successful cyber attack. While drafting a BCP may seem a daunting task, there are a wealth of resources available to help guide organizations looking to bolster their operational resilience. Perhaps the most comprehensive of these resources is ISO 22301. This is a list of requirements laid out by the International Organization for Standardization (ISO) to guide organizations in putting together a BCP and ensuring their security and resilience.
Avi then made the point that, aside from bolstering resilience, it’s essential that organizations work on their basic cyber hygiene. Many high-profile cyber attacks and data breaches could have been prevented by the most rudimentary of cybersecurity measures. Avi suggested that organizations implement firewalls, enable multi-factor authentication (MFA) wherever possible, and provide employees with basic cybersecurity awareness training. Jumping in, Kevin suggested that organizations turn to online resources if they are unsure of where to start—the “10 Steps to Cybersecurity” from the UK’s National Cyber Security Center (NCSC) is a particularly comprehensive guide and a helpful resource to get started.
Tomer finished the conversation by reminding us that “80% of cloud attacks happen because of misconfiguration.” While organizations invest millions of dollars in security tools every year, simply having those tools doesn’t reduce their risk if they are not appropriately deployed, configured, and continuously validated. “Enterprises need to ensure they are training, testing, and configuring properly against targeted attacks against their own sectors, but also on general or automated attacks.” This may include credential stuffing attacks or phishing scams.
Want to learn more? Check out the on-demand webinar to hear the complete conversation with our expert panel. Ready to see what continuous security validation is all about? Connect with a SafeBreach cybersecurity expert or request a demo of our advanced BAS platform today.