With cyber attacks escalating in frequency and talk of an all-out ‘cyberwar’, we spoke to Dr Antonio Weiss, Senior Partner at The PSC and author of The Practical Guide to Digital Transformation, to ask how big the risk is, what the impact is likely to be and also how well protected the UK is. Dr. Weiss told us:
Could you comment on the risk of cyberwar – how real a prospect is it at this time?
It’s happening now in Ukraine. Ukraine’s national railway system, Ukrainian Railways, was attacked at the start of the war. Many Russian government websites and services have also suffered outage problems. We know Finland has also recently been under attack.
Whilst cyberwar is currently a very real issue in the Ukraine war, cyber attacks – if not necessarily cyberwarfare – have been going on for a long time.
Estonia’s whole government infrastructure was attacked in 2007; leaks from during the 2016 US presidential election were almost certainly due to cyber attacks; and the WannaCry ransomware attacks which affected the NHS in 2017 were believed to have come from North Korean hackers.
Are businesses and organisations sufficiently protected – will the Government be able to protect businesses, or would businesses need to protect themselves?
Most business-leaders put cybersecurity issues towards the top of their concerns, yet there is anecdotally a dissonance between the stated importance of cybersecurity and the actions taken.
At a minimum, all businesses must have a committed leader responsible for cybersecurity in the organisation; businesses must run regular and wide-ranging vulnerability tests across their infrastructure and supply chain; all applications must be continuously updated to protect against attacks; rigorous staff training, best-practice guidance and incident or disaster recovery plans must be in place; and most important, all devices and log-ins must have multi-factor authentication.
Very few businesses – large or small – can say they have all of these in place.
Businesses need to protect themselves. Governments can give guidance and need to protect government bodies and agencies, but just as you cannot expect a government to stop an unlocked, unalarmed car from being broken in to, you cannot expect a poorly protected business to be the government’s responsibility.
What types of organisations are most at risk, and where can they go to receive advice?
We need to change our mindset to one of constant vigilance. Online crime is now the most common form of crime. In short, everyone and every organisation is at risk. Clearly, from a cyberattack perspective, there are different motivations at play. For financial cybercrime, organisations which hold financial and person identifiable information at scale are prime targets. Yet for disruptive cyberwarfare in general – the NotPetya 2017 attacks masqueraded as ransomware attacks but it was impossible to pay the ransom – because the goal is to destabilise nations and societies, government organisations are particularly vulnerable.
Fortunately, excellent organisations already exist providing best-practice advice. The trick is in heeding the advice and realising that even with all the right structures and protocols in place, you are as strong as your weakest link, which is usually human error. In the UK, the National Cyber Security Centre is the go-to place for advice. In the US it’s the Cybersecurity & Infrastructure Security Agency. And in the EU it’s the European Union Agency for Cybersecurity.
How would a cyber war affect civilians?
It would depend on the nature of the cyberattacks. But usually, from experiences in Estonia and elsewhere, it would mean being unable to access government services for a period of time: and given that this includes everything from essential financial support payments through to health and care services, this could be hugely damaging. In a worst-case scenario, critical infrastructure such as power grids or nuclear plants being hacked could be disastrous.
Assuming we were able to ‘win’, what would that look like?
It’s very hard to conceptualise what “winning” a cyberwar would look like. Just like it’s hard to imagine what “winning” a war on war would entail. Though it’s a sobering thought, the closest thing to victory would be to aim for as few cyber-attacks as possible, with as little disruption to civilians arising when cyberattacks are successful. Prevention and mitigation, in essence.
What is the likely aftermath of a cyber war?
At the moment there isn’t a universally accepted equivalence between a cyberwarfare attack and a warfare attack. A cyber-attack on a nation state is not immediately perceived as hostile action. This is partly because it is hard to prove where an attack comes from. But an aftermath where it becomes generally recognised that one nation-state engaging in cyberattacks on another could guarantee retaliatory attacks may help to keep the overall volume of attacks lower and in check.
