Written by David Wesley, research program manager.
The invasion of Ukraine has raised concerns that Russia may launch a cyberwar against the west. In recent years, cyberattacks have become more frequent, wreaking havoc on organizations around the world. Many attackers are petty cyber-criminals seeking a quick financial reward, but some of the more devastating attacks have been perpetrated by state-sponsored actors. Even the largest multinationals cannot escape the risk that such attacks pose to their longer-term viability. Mee and Schuermann (2018) note that cyberattacks are already costing $1 trillion, far more than natural disasters. They even suggest that a large-scale attack on critical infrastructure could lead to the next financial crisis.[i]
The most devastating attack in history occurred on June 27, 2017, when Russia unleashed the NotPetya ransomware, crippling numerous western companies that became collateral damage in Russia's ongoing conflict with Ukraine. The attackers hoped to disrupt Ukrainian Constitution Day by disabling the country's infrastructure (banks, hospitals, and the energy grid) and to deter western companies from doing business there. I recently wrote about the supply chain impact of the NotPetya cyberattack in a case study with my colleagues, Luis Dau and Alexandra Roth, also from the D'Amore-McKim School of Business. We know from our study, Cyberattack: The Maersk Global Supply-Chain Meltdown, that hackers accessed the infected systems weeks or even months prior to the attack. During that time, they may have been involved in espionage against Ukrainian organizations and international companies. Launching a ransomware attack not only disabled computers, it also wiped their data and any evidence that could implicate the hackers and identify what information had been stolen.
Ironically, Russia's attacks against Ukrainian and western targets have helped to fortify many businesses against cyber intrusions. In the days leading up to the recent invasion, Russia increased cyberattacks on Ukraine and western businesses, but had only limited success. For all the publicity Russia has received about its cyber warfare capabilities, state-sponsored hackers have depended heavily on software tools stolen from the United States National Security Agency (NSA). And these threats have long been patched by most software vendors.
Maersk is an example of how cyberattack victims have improved their digital resilience. After the NotPetya attack, the global shipping and logistics company worked with IBM to upgrade its entire supply chain infrastructure using the latest blockchain technology, which is a cryptographically protected distributed ledger of all transactions that is nearly impossible to alter or destroy. Maersk has also implemented other upgrades that were recommended prior to the attack, such as multi-factor authentication, which involves having something that you know, such as a password, and something that you have, such as a phone app or key fob that generates random authentication codes. Increasingly, multi-factor authentication is using biometrics, such as facial recognition or fingerprints, adding additional layers of protection.
Likewise, Ukraine spent heavily on digital resiliency, developing its own central bank digital currency and other blockchain tools and creating a ministry for digital technology. In the days after the invasion, attempts to disrupt Ukraine's digital infrastructure failed. In response to the invasion, Ukraine formed an “IT Army” of volunteers, which worked with the Anonymous Collective to launch a cyberwar against Russia and Belarus. Almost immediately, Russian government websites, banks, railroads, and numerous businesses were disabled and remained so for days. Russian television stations were hacked to broadcast pro-Ukrainian messages and information about the war. And information about Russian military resources was stolen and posted on the Internet.
Throughout the invasion, western technology companies have been working to ensure that European and American networks are protected. For example, Microsoft mitigated an attack on Ukraine in less than six hours. SpaceX, an American space company founded by Tesla's Elon Musk, provided Starlink satellite dishes to Ukraine to prevent communications disruptions. Google and Apple suspended their payment systems in Russia, while the Ukrainian government used Google Pay to raise funds for humanitarian and military support. Other technology companies, such as Airbnb and EPAM Systems, have suspended operations in Russia and Belarus and are providing aid to Ukraine and Ukrainian refugees. In short, Russia's cyber capabilities are no match for the combined resources of western technology firms, governments, and volunteers.
Despite these early victories, cyberattacks remain a serious threat, especially for older unpatched software and systems. For smaller companies, the impact of a cyberattack can be devastating. “The U.S. National Cyber Security Alliance found that 60 per cent of small companies are unable to sustain their businesses over six months after a cyber attack.”[ii] At the same time, small and medium-sized businesses, municipalities, and non-profit organizations often face funding constraints that limit their ability to invest in systems upgrades and training.
At a minimum, all organizations should have:
1. A broad approach to cybersecurity that includes regular software updates and patches.
2. Training and incentives that promote safe computer practices, such as not reusing passwords, not opening file attachments from unknown sources, and not clicking on embedded email links.
3. A cybersecurity culture that begins with every member of an organization, not just engineers, computer scientists, and IT support staff.
Such steps can prevent the most common attacks, but they will not protect against “zero-day” attacks (malware that has never before been seen on the Internet), such as the NotPetya attack that impacted Maersk. One could challenge the assumption that cyberattacks threaten a company's survival, and perhaps the Maersk case has shown that large companies can survive an attack. But in the longer term, as information systems become more critical to organizations, cyber threats will demand higher levels of vigilance and ongoing investments in cyber defense and mitigation tools.
[i] Paul Mee and Til Schuermann, “How a Cyber Attack Could Cause the Next Financial Crisis,” Harvard Business Review, September 14, 2018, accessed November 29, 2018, https://hbr.org/2018/09/how-a-cyber-attack-could-cause-the-next-financial-crisis.
[ii] Gary Miller, “60% of Small Companies That Suffer a Cyber Attack Are Out of Business within Six Months,” Denver Post, March 24, 2017, accessed October 24, 2018, www.denverpost.com/2016/10/23/small-companies-cyber-attack-out-of-business/.