The headlines have been appearing for weeks. Russia is preparing to meddle, or is very likely to try to tamper, with the forthcoming EU elections. That this is apparently newsworthy demonstrates more about the nature of the media’s slow reaction to information warfare and the asymmetric threat posed by cyber attack than it does about the alleged protagonist. This isn’t exactly a new phenomenon, as analysts at the FBI and those involved in the investigation into Russian involvement in recent US elections can attest. Ukraine can also offer evidence in support of the claim following attacks on the country’s Central Election Commission during elections in February this year [1].
The issue, of course, is that the attacks occur on multiple fronts. This isn’t necessarily about changing votes; it’s about influence and social engineering as much as pure cyber attack. And business should be worried.
The risk to business is not political; rather, it’s the prospect of a domino effect and systemic spillover during any action by an Advanced Persistent Threat (APT) group. Does your company trade in the EU? Does it need access to any EU-related websites in order to do business? Then you should take steps now to mitigate. If those sites go down, what’s your level of business resilience? Are you able to trade without access to them? These are the easy questions to ask and answer within a corporate structure and, hopefully, your CIO or IT team can help mitigate. The bad news is, it gets worse.
Should the threat of cyber attack become reality, then everything depends on the methods deployed. Microsoft has already publicly warned governments in the bloc to be aware of the risk, citing recent attacks in Germany [2]. There, the attackers tried to install malware in the systems of: “three major European think-tanks: The German Council on Foreign Relations; The Aspen Institutes in Europe; and The German Marshall Fund,” EUObserver.com reported.
The problem with a malware attack is obvious. It spreads like wildfire unless contained or killed. And the costs to business both financially and in terms of trading reputation can be staggering. Following a cyber attack on TalkTalk’s systems in October 2015, the Financial Times reported that it cost the company around £40 million and 101,000 customers.
The now infamous June 2017 NotPetya attack, which affected Maersk, cost the company an estimated $200 million. That attack, like many others, wasn’t actually targeting Maersk. Rather, it started when a Russian APT group known as Sandworm was doing its utmost to breach Ukrainian governmental organisations. As Wired notes [3]:
“They penetrated the networks of victims ranging from media outlets to railway firms, detonating logic bombs that destroyed terabytes of data. The attacks followed a sadistic seasonal cadence. In the winters of both years, the saboteurs capped off their destructive sprees by causing widespread power outages—the first confirmed blackouts induced by hackers.”
The killer blow for companies outside Ukraine came when the attackers accessed update servers at Linkos Group. That one act gave them access to a backdoor into PCs in Ukraine and, more importantly, around the world that had M.E.Doc installed. That backdoor was then used to distribute the NotPetya malware code. The rest is history and expensive to put right.
Nation state actors can, therefore, have a significant impact on private business via messy cyber attacks. The question for business is: are you prepared for the worst, or is there an assumption at C-suite level that it couldn’t possibly happen to you?
Last year, GDPR and the NIS Directive were industry buzzwords. Perhaps we should try to ensure that resilience, mitigation and best practice replace them in 2019.