Hard truths from Ukraine: The government cannot save us in cyberwar
Amid our first global, multilateral, wholly unpredictable cyberwar, it is up to each of us to defend ourselves. No intelligence agency is certain how the cyber dimension of the Ukraine conflict will evolve; no military can stop a cyberattack. The situation catapults every digital organization into unknown territory.
If you think the battles on air, land and sea so far have defied expectations, consider the parallel cyber conflict. Three sober truths make this a perilous moment for us all -- especially as the Russian army’s logistical setbacks may make heightened cyber aggression against private interests more enticing.
The first truth: in the digital sphere, presidents and generals are not always in control. Some cyberwarriors are freelance privateers pursuing their own agendas. The Ukrainian government recruited digital adepts worldwide on Telegram and supplied them with a sort of mayhem manual: "We are creating an I.T. army," tweeted Ukraine’s minister of digital transformation, Mykhailo Fedorov. "We need digital talents ... We continue to fight on the cyber front." 285,000 sympathetic cyber warriors stepped up, according to Kyiv-based journalist Anastasiia Lapatina. "Dozens of strategically important websites have been struck down, including that of the National Bank of Belarus." In addition, the enigmatic hacking group Anonymous declared it was "officially in cyber war against the Russian government," and claimed credit for shutting down the Kremlin website and jamming official Russian broadcast channels.
But malware has besieged Ukrainian websites and computers, too, likely launched by Russian state actors or their proxies.
The inherent instability of this type of multi-front asymmetrical warfare poses severe risk to private interests -- however geographically distant, reluctant, or unwilling they may be to become combatants. As if to punctuate this point, British Airways cancelled all short-haul operations on February 26 owing to a mysterious, catastrophic IT failure -- exactly when Aeroflot, the Russian flag carrier, was being locked out of virtually all European markets.
Toyota on February 28 halted vehicle production across Japan as supplier communications fell victim to a "system malfunction" suspected to have been caused by a cyberattack. "This has never happened before," said Tomohiro Takayama of Toyota supplier Kojima Industries.
Vulnerable organizations cannot appeal to their governments to be insulated from such cyber blowback, even if they’re merely unintended targets. Such shielding capability at the nation-state level either does not exist or is very well concealed so far.
The second hard truth: fixing blame for a cyberattack is almost always a dicey business. Even "routine" attacks come laced with red herrings between the lines of code that complicate retaliation. This typical inability to positively identify a culprit has, up to now, served as a brake on impulsive revenge attacks. (The fact that Anonymous is so hard to pin down presents an opportunity for Russian false-flag operations. Russia could self-inflict cyber damage, blame Anonymous, and create a fresh pretext for further offensive action.) A retaliatory counterstrike might carom in some unexpected way and wreak unforeseen havoc.
Organizations contemplating private counteroffensives in cyberspace must think twice about potential wildfire effects. Government-run models of escalatory scenarios are frightening. The results range from disruption of potable water systems to disablement of power grids, pipelines, and refineries.
The third painful truth: cyber defenses today are a fragmented hybrid of public and private initiatives. Banks, health care systems, and energy companies do not maintain private armies, roll tanks, or drop bombs. In cyberspace, however, private organizations must make their own investments in defensive measures -- and keep them current. In the event of large-scale cyberattacks they are rarely briefed by governments.
In this murky, unstable theater of warfare, then, the security of Western democratic institutions and social systems depends not only on statecraft or military might, but on the decisions of numberless private organizations. Weakness is contagious; an organization that fails to protect itself offers a vector for black hats to leverage against others.
Many, however, seem not to have gotten the memo. A disquieting survey by Vectra AI found 80 percent of company security teams believed they had "good" or "very good" visibility into attacks that penetrate firewalls -- yet cybercrime costs hit an estimated $6 trillion in 2021 and were rising even before the Ukraine crisis. Virtually all corporate cyberattack victims believed they had robust defenses in place.
These difficult days should extinguish the last flickers of such complacency. The Ukraine conflict instructs us to invest in cyber preparedness, not post hoc crisis management. Every organization must review its cyber risk tolerance -- and business continuity plans in case cyber trouble disrupts real-world operation.
Cyber defenses centered on protecting the perimeters of corporate networks are increasingly outmatched by modern cyberattacks -- especially in these days of remote workers on unsecure home systems and cloud data storage. AI-enabled rapid detection and remediation offers a far more effective security strategy. Because the overall digital landscape is so ungoverned and lawless, and because public resources are not equipped to save private digital assets, we have no option but to maximize our cyber defenses one organization at a time.
The concerted, momentous steps taken across the West in recent days to support Ukraine allow us to end on a hopeful note. Cooperative, forceful examples set in diplomatic, military, and economic realms have no precedent in the 21st century. We must advocate for similarly concerted, innovative, AI-powered defenses in cyberspace.
The safer, more secure digital future we all want is within our grasp. But it will not blossom by itself. It will not be delivered by presidents or generals. It must be fought for by all of us.
Hitesh Sheth is President and CEO of Vectra AI, a leading threat detection and response company based in San Jose, California.