Today, we in Europe woke up to headlines about attempted cyberattacks by Unit 26165 of Russia’s GRU intelligence service. In a world where the attribution of cyberattacks is a notoriously difficult task, the UK, the Netherlands, and the US made a joint announcement of the foiling of an attempt by four hackers linked to Unit 26165 to attack the Organisation for the Prohibition of Chemical Weapons in The Hague. This highlights the growing cybersecurity risks caused by the wider geopolitical risk environment.
The Dutch authorities have also identified the four men it believes are responsible for the hack. US authorities issued indictments for seven individuals for cyberattacks, wire fraud, identity theft, and money laundering. This demonstrates the increasingly active ways in which Russia is using its cybersecurity capabilities to hit back against those it perceives as threatening its interests.
The coordinated announcements and sharing of information and intelligence show the continued role that national and international security cooperation arrangements play in the West and in Europe for continuing to help the private sector identify and prepare itself to counter geopolitical threats. It is therefore vital that these arrangements are not disrupted by events such as Brexit or the increasing trends against internationalism in many Western European countries at present.
This confirms our view that organizations and CISOs increasingly need to consider geopolitical risks as part of their cybersecurity program threat assessment. So we’d like to highlight the best practices we outline in our reports on geopolitical risks and planning for failure:
- Complete a geopolitical risk assessment at least annually. Consider the areas of your business operations at risk of targeting by a nation-state cyberactor. Factors to consider include industry, geography, product lines, and reputation. Make sure that you understand the realistic threats and how they may materialize. For example, is your business planning anything that could be politically or publicly controversial and therefore make you a target?
- Examine your supply chain closely as part of your risk assessment. While you may not be doing anything that would make you a direct target, your supply chain may be. Understand where business operations with suppliers might make you a target. Are any of your suppliers known targets of nation-state actors?
- Incorporate geopolitical issues into your incident response and scenario planning. Our report on planning for failure outlines best practices for building and maintaining an incident response program. Ensure that you build geopolitical threats and possible attack vectors into your scenario planning. Exercise your procedures on a regular basis. Exercise these scenarios with the board so you know how you will respond.
- Consider the method of attacks commonly used by different geopolitical actors in your analysis. As well as considering the ways in which a geopolitical threat actor affects the business, consider the ways in which an attack will materialize in your business. Different threat actors have different methods: For example, Chinese threat actors are known to favor phishing and low-and-slow approaches, whereas Russian actors have used destructive forms of ransomware such as NotPetya.
Using these best practices, CISOs can help prepare their organizations to face geopolitical threats.