The conflict in Ukraine is having dire humanitarian consequences and is creating economic disruption. The impacts that many expected in the cyber realm have been more muted. Scott Crawford and Johan Vermij return to discuss what this means for the evolution of the attacker community and what organizations should be considering with host Eric Hanselman. Alignments between state actors and some criminal groups may not be as tight many expected, but it’s clear that we’re in a very new situation.
Conflict in UkraineRead Blog
Subscribe to Next in TechSubscribe
Transcript provided by Kensho.
Welcome to Next in Tech, an S&P Global Market Intelligence podcast with the world of emerging tech [indiscernible]. I'm your host, Eric Ansel, Principal Research Analyst for the 451 Research arm of S&P Global Market Intelligence. And today, we're going to be taking more serious turn and heading into information security topics around the conflict in Ukraine. And I've got 2 returning guests with me, Scott Crawford and Johan Vermij from our security team. Gentlemen, welcome back to the podcast.
Thanks, Eric. Good to be here.
Thanks, Eric. Same here.
So I want to start off with, I think, the question that as information security professionals, we've all really been dealing with, which is how is the conflict in Ukraine really change the information security landscape?
I think the first lesson is probably that it's different from what we envisaged as Cyberwarfare. I think we expected a massive cyber campaign to unfold like we saw with preceding events in Tallinn in 2007, in Georgia 2008, and the BlackEnergy attacks on utilities in Ukraine in 2015. And during the past weeks, we've seen some efforts with new types of malware, for instance, but not quite the effort that we expected.
Well, I think that's -- you raised a really interesting point is that we do have some experience with sort of global conflict. I know Scott and I were talking earlier about the term that seems to have gained a lot of popularity, which is the idea that of conducting hybrid war in which some level of Cyberattack campaign is part of that.
Though in the Ukrainian conflict to your point, I think a lot of us in the information security side expected there to be a lot more supporting cyber activity that was taking place and maybe that's mostly directed specifically.
And maybe, in fact, these are resources that are being used towards social engineering, other kinds of messaging, other aspects of that. But the needle does not seem to have left up to the extent that I think many of us were concerned about.
Yes. I think many of us have been concerned about the APTs that were suspected to be liaised to Russia joint forces. And Conti, as a group, they declared Allegiance to Russia, but that didn't age well as they were immediately cracked from the inside out.
Well, and that's actually something that we should provide a little background. You're talking about there are a whole set of threat actors there that are apparently independent from direct nation state involvement. And the thought is that in many cases, the sort of the expectation was that while they may be independent.
They may have ties. They may have specific allegiances and the Conti crew out there actually seemed to wind up being on the receiving end of a lot of sort of overall underworld and, I guess, attacker community concern that got leveled at them.
Yes, let me jump in here and just note that one of the issues that poses some difficulty with respect to anticipation of activity in this sphere is that it is unpredictable. There -- we do have intelligence on threat actor activity and certainly some of the threat actors that we've seen active in the past that do have relationships geographically in terms of business interests and so on.
There's various aspects of evidence that have been presented by security researchers that do show apparent connections between the threat actors, the activity, the locations involved in the current conflict. And we have also seen some of this activity, as Johan indicated, directed towards assets in Ukraine like the BlackEnergy attacks against the Ukraine power grid that we've seen in the past.
So that's what researchers have been anticipating, but it's still difficult to be very predictive about this. Because really, this is one of the first conflicts that has directly connected activity in the kinetic sphere, if you will. In other words, physical conflict with the potential for cyber activity as well.
We have not had very many of those up to this point, and they have not been -- they have not had the attention of the entire world that this current conflict has had. And the dynamics involved in that global attention, I think, may be having an impact on the threat actors themselves, how this plays out. Who they may be agents for? If they are, in fact, agents for any of the combatants in this current conflict.
Those are a lot of unknowns. We did see significant activity in the lead up to the physical invasion, as Johan indicated. But what's come since is really what's -- what's driving the decisions that are driving further activity from here on. I will say it seems remarkably reserved compared to what we thought we might anticipate at this point, but there's a lot of factors involved in that, that we may not be -- it may not be so visible.
Well, once again, we seem to be at a point at which it's very clear that this is a situation that is very different than anything we've seen heretofore. And there are so many different aspects to the dynamics of the situation that it's a complex beast and one that it's difficult to pattern on our previous experience.
Well, the interesting thing is that I think we can throw out the classic threat actor matrix out of the window. If we look at Cyberwarfare, we think in terms of nation states and like in the Russian cyber warfare doctrine, already in 1995 [indiscernible] said that it sees a Cyberattack as an act of war that could lead to nuclear retaliation.
So it's obvious that the U.S. and other countries are very careful in responding or acting in this situation and that we don't see nation states going to cyber war. But that it's the hacktivists starting the war with Anonymous declaring war on Russia.
Having some success. A Ukrainian company offering a considerable amount of prize money for their hackathons to hack Russians. So it's not nation states against nation states, but it's hacktivists starting the war on Russia and Belarus.
Your point about Anonymous raises an interesting point as well, Johan, because when you say anonymous declares war, what exactly does that mean? I mean Anonymous is at best a loose collective of those willing to participate in any particular exercise.
And it's really up to the individual actor as to what they do, how they do and why they do it and whether or not they claim an affiliation with something like Anonymous or not. So that's a very loose -- we like -- in the traditional sense, we want attribution.
And we want traceable evidence that relates to specific acts that could be attributed to specific actors with specific motives. That's really, really difficult with something like an anonymous where that can get very murky very quickly.
It's even difficult sometimes with respect to threat actors that extensively operate in the private sector, but may, in fact, represent nation-state interests. Those connections may be difficult to surface and prove, which is one of the reasons why those types of operations exist in the first place. So we're dealing with an awful lot of unknowns here. I don't want to invoke prior...
Don't go there, Scott. No, no, no.
I'll just say that there are things that are unknown and we'll leave it at that. But yes, I mean the outlines of what this means for -- what exactly is Cyberwarfare that will it differ from one instance to another?
Does this actually constitute what we would consider Cyberwarfare. These are things that are very murky about the landscape of cyber with respect to this conflict yet. And I would speculate that, that may be one of the reasons why we haven't seen some of the more drastic activity that we've had that we have not yet seen.
We need to be a little bit careful about. It's very easy to go into FUD with something like this, meaning fear, uncertainty and doubt. Because we've seen the prior evidence the potential impact of attacks can be very severe. That doesn't mean they're necessarily going to materialize.
And one of the things that the actors have to consider in such a conflict is the potential blowback to them as well as who they may be working with. So yes, there's a lot of reticence on the Cyber front. No doubt that maybe restraining some activity, we would have to see what would actually precipitate that activity if it comes.
Well, this is a point that you had made about the evolution of what we're seeing in ransomware. And I think our audience is going to be really familiar with a lot of the general concerns about ransomware. But they may not have seen some of the behind the scenes of politicking that's taken place.
In that there is some -- that concern for independent actors that they don't necessarily want to be particularly visible or they don't want to be seen as acting irresponsibly in other than a criminal sense.
And you see things like blowback on organizations that attack hospitals, for example. -- and other socially unacceptable activities, not that criminal activities in general are not broadly socially unacceptable. But this is something that there are some really complex dynamics that are at work here.
Yes, indeed. And we've already seen some examples of just that sort of allegations are crossing the line in attacks in the kinetics space just in the last few days. So yes, I would expect that some of those limitations do hamper actors across the board here.
And maybe actually working to mitigate some of the more serious attacks. But again, that's unknown. We have yet to know what's going -- what would precipitate something like that, if it would, out of this conflict.
So given that -- I think to summarize, we've been saying is that this is a very new space with a set of various forces in play that are really hard to get hold of, what should organizations be considering?
I mean, what -- from an organizational perspective, or what are things that typical enterprises should be thinking about in terms of -- and I use the term cautiously, we refer in information security about the blast radius of things.
And given that we are now in a situation in which there is a kinetic aspect to this with human damage, but what should organizations be considering around this? And are these things that may potentially be masking other concerns? What should enterprises be doing at this point to ensure that they are covering the kinds of concerns and risks that may shake out from this?
Well, in our recent spotlight conflict in Ukraine and turning point for cybersecurity. We expected a possible fallout to fiscal assets such as targeting energy resources, transportation and financial systems. And we saw Anonymous doing exactly that in Belarus.
But in terms of the fallout and blast radius, if you look at NotPetya for instance, that was targeted at Ukrainian companies, it crippled half the world as it's spread on to supplier systems. So there's always that supply chain attack to call it like that, in which an asset in one country is targeted. And it ripples throughout the supply chain to others?
Well, and the other thing I'll also note is that, of course, in any crisis, it winds up leading to a whole set of social engineering focused appeals for relief. I guess, folks should be also more aware of potential e-mail targeting, fundraising scams, those sorts of things.
But it does seem like a lot of the focus that a lot of those areas that we're working on with supply chain really wind up being a big part of this, Johan, to your point. And I think that's one of those things we've seen in supply chain attacks.
That the extent to which organizations can ensure. That they're appropriately vetting their suppliers, their infrastructure and ensuring that they've got protections in place to be able to manage a compromise of any of their internal systems.
We've certainly seen that, but one of the things that practitioners are telling us about supply chain and third-party awareness. It's very, very difficult to get insight into their immediate dependencies let alone beyond those.
But I do think that's going to drive further investment in areas like supply chain security. As far as threat visibility and being aware of the potential for compromise. Threat detection response is the #1 area that in our survey-based research that enterprise has told us that they expected to deploy in the next 6 to 24 months.
It was the top category kind of across the board. So -- we've already seen quite a bit of that over the course of the last year, but even more investment in threat detection and response and probably additional investment as well in what we called broadly outside in security visibility.
In other words, visibility, not only into attacker activity through threat intelligence, but also the attacker's view of the target. So things like attack surface management, security controls testing and validation, risk-based vulnerability assessment, things of that sort. To get a better handle on how does the adversary see us as a target?
And what does our resilience look like as presented to the adversary, what investments can we make to harden that and to improve our visibility into threat activity that is targeting us. So those are areas where we expect organizations already have invested quite a bit over the last year.
At least $5 billion alone just in M&A activity with that outside in landscape, threat intelligence and that sort of awareness, but also investment in supply chain security as well as security for operational technologies, the industrial Internet of Things, the physical assets that might be targeted through digital means. All of that, we expect to see investments.
Additionally, there's another aspect to the blast radius from this event is that it will affect Russian vendors of software. Just recently, on March 15, the German Federal Office of Information Security issued a warning stating as much that Russian products may be used in cyber operations.
One of those things that, again, whether or not the vendors are aligned with a combatant state or not, the fact that there is concern is going to raise issues and may create difficulties.
Indeed, and some of the things that may be unescapable about the impact of a conflict where the outlines of what that means in the cyber realm are not clear, are still shaping up. And even begs the question, will this current conflict set a precedent for future conflicts.
It may. But given the variable nature of what cyber engagement actually looks like in a conflict, one conflict may differ greatly from another. So yes, you have to get more uncertainty about what this really means.
Well, and I think that really sort of sums it up. Well, Scott, there's a lot of uncertainty in terms of where we fit.
And one final point, if I may, Eric, on some of the tactics that organizations are taking to mitigate their risk, cyber insurance has become part of the arsenal for many organizations. But cyber insurers have sustained quite a lot just over the last couple of years just from attack types like ransomware alone and they're raising the bar on coverage and qualifying.
So shifting your risk to a cyber insurer may not be what you thought it might have been just a few years ago. Because the insurer may well require you to make the investments in resilience that you thought you could offload through risk transfer to a cyber insurer.
In fact, it was just a lawsuit in January. Merck, the pharmaceutical company won a $1.4 billion lawsuit against insurer because its insurer had excluded impacts from the NotPetya attack that Johan referred to because acts of war were not in coverage with that policy at the time. So even that landscape of cyber insurance is changing in the wake of activity that traces itself back to the conflict that we see now.
It sounds like a lot of the awareness of protections that have really kicked out in the last year. And Scott, I know you'll be sort of waiting for that mean time to a mention of the SolarWinds attack. There it is.
There it is, late.
All right. I was able to hold it off for a bit. But kidding aside, this does seem to be something that, in fact, there has been progress and that it's raised awareness about some of those concerns about compromise of software systems that you have within your environment.
Solar winds for SmartWare was a management system that was compromised and was used as an entry point for attackers for a whole range of different systems. But that awareness does seem to be paying off. So again, a little brightness there in terms of a lot of that thought. But as you said, attack service management is really that next stage of ensuring that you have the outside in view.
Yes. One thing to keep in mind with respect to detection. Once the adversaries tactics have been discovered, they lose that advantage. They've tipped their hand. And the ability to detect that activity has gotten a lot better over the last few years. It's not comprehensive yet, and it's always a changing playing field.
Attackers can always innovate and potentially innovate beyond what can be detected today. But still, the investment has been yielding effort. And so there is hope for organizations to take advantage of what has happened in evolving things like threat detection in the last few years. So it's not a hopeless situation, but it will be interesting to see how it unfolds.
Well, I'm going to actually reveal a secret that may tip certain security teams' hands, which is that there is this human issue about how you invest to manage risk. And especially in security, it's -- there's always been that challenge of humans do a really bad job at valuing long-term risk.
And so that makes it hard to catalyze investment. But as we know in the security world, when crises occur, those are things that can be something -- a useful lens through which to view your overall security footprint, what your posture is and where you fit. This is a situation in which, hopefully, this will raise awareness yet again.
What are the areas where organizations should really be considering putting this leverage to work? Is this primarily an attack service management? Is this overall security education? If we've got something -- if we've got a catalyzing event that's going to raise awareness, what we do to help focus that and where should that focus line?
If you're going to ask what the organization should invest in, I'd say, yes. Kind of across the board, but then that begs a cliche you hear a lot in the security space, which is expense in depth. We're not going to spend our way to greater resilience, but one of the things we can do is invest in consistency of approach.
There are things that could be done to improve overall cyber health and hygiene. In fact, just maintaining good cyber hygiene is a chronic issue for organizations. Just getting a handle on things that look as basic as software patching and update, get complicated very quickly by the realities of the modern distributed enterprise work from anywhere, the complexity of modern applications and so on.
So it's not simple to address. But laying a solid foundation for that, one of the areas where organizations still have difficulty is, of course, finding and retaining people with the expertise to do the job necessary. And this has introduced a lot of opportunity for service providers.
In fact, we've seen roughly twice as many of our survey respondents when we ask them, are you going to make an investment in things like managed security services. over the course of the coming year. The percentage of those responders has virtually doubled in 2021 versus 2020.
And similarly, with those that don't have services in their plan, similarly drop by half over that same period of time. So looking at the service providers as an opportunity to capitalize on expertise, to get guidance on consistency in implementation are one of the things that we expect organizations to invest in.
As well as in these sound health measures across the board, Cybersecurity education, anti-phishing, phishing awareness, attack awareness. Good measures to harden the attack surface generally and to maintain that visibility into the adversary landscape that I mentioned earlier.
So one of the things that I also want to just touch on before we close up was we're getting a lot of inbound inquiry around providing assistance. Especially in a conflict of this nature where there clearly is so much suffering. And I just mostly want to identify that from a technology perspective, there's not much I think that from our team we're specifically aware of.
Other than looking out for the refugees from the conflict and offering them as much support as possible. As far as where that goes, we'll have to see sort of where that shakes out. But again, I don't know if either of you have thoughts on what are next steps?
I absolutely agree, Eric, that we should keep the refugees and the people still in close proximity to the conflict in our thoughts and prayers. And for now, I think the tech community, there's not a lot we can do to change the outcome of this conflict. But I think there will be a role to play when this is settled in rebuilding Ukraine, for instance.
The country has lots of IT specialists, major IT hubs in Kyiv, Lviv, Odessa and Kharkiv with many, many educated, highly educated and scientifically educated developers and security specialists. So it would be an option for the technology community to use that skill set that we lack and leverage to rebuild that country.
That's a really good point that's -- and again, I think one of the things we've seen from the technology side is that there has been such a strong connectivity in the tech community. But that it's going to be that rebuilding and restoration process, which is a lot of that focus. Yes, a good point. Thanks, Johan.
Yes. I would just underscore that. I've worked in the past with organizations affiliated with the United Nations. I know there is a pretty solid international structure for support, but that's not -- organized and institutionalized approaches aren't the only recourse.
And in fact, the security community is doing pretty good about looking out for its own. And so if there's anything I would say is just keep in touch with the people that you know. Be available to be of service in any way that you can to those who need it and just keep your ears and eyes open for opportunity as it arises.
Thanks, Scott. I think these are important thoughts to keep in mind. Well, I want to thank you both for being on the podcast. That is it for this episode of Next in Tech. Thanks to our audience for staying with us.
I want you to join us for our next step episode where we'll be talking about technology hiring with Nathan Goodwin and really identifying what this transition is for what's been a challenging environment. I hope you'll join us then because there is always something Next in Tech.
No content (including ratings, credit-related analyses and data, valuations, model, software or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor's Financial Services LLC or its affiliates (collectively, S&P).