A common theme you will find in almost every Executive Platforms-organized industry event is about moving from reactive to proactive, about identifying and mitigating risks before things go wrong. From Food Safety to Biopharmaceuticals, and from Sustainability to Human Resources, people in leadership roles always want to be out in front of their organization’s challenges. Foresight beats hindsight in just about every business decision you can imagine.
For some reason, cybersecurity does not get the same treatment as everything else. People like to turn a blind eye to the software, hardware, and infrastructure the world runs on when looking for weaknesses to strengthen before they become a problem.
Perhaps that is unfair. Perhaps it would be fairer to say the overwhelming reason why addressing cybersecurity and infrastructure security concerns gets neglected is that anyone not personally responsible for dealing with those issues will be immediately confronted by the scale, complexity, and cost involved in doing anything beyond the bare minimum.
Data breaches have been in the news with increasing frequency for years now, and while they are always concerning, society seems to have accepted that sometimes personal information is going to end up in the hands of bad actors, and sometimes people who have been trusted with things like email addresses, credit card numbers, and health records will let us down.
The thing worth saying from time to time is that all those data breaches you hear about are only the background noise of what is possible. What we are seeing from the outside, looking through a mirror darkly at the end results of inner workings we do not understand, is the people with the knowledge and ability to breach networks learning their craft and practicing it for relatively low stakes. The worst of them may try to ransom the information back to the organizations they stole it from, but realistically so little damage is being done on an ongoing basis that cybersecurity remains, “Someone else’s problem.”
We need to get out of that mindset.
Now we did get into thinking that way honestly and innocently enough: Very few people are intuitive when it comes to information technology; since the earliest days of computer networking there have always been experts paid to take care of these things for us; when the public at large does get excited about something regarding cybersecurity, it is almost always without a clear understanding of what is wrong or how to fix it.
Still, a curtain is being pulled away right now that reveals the true size of the threat, and its dimensions far exceed what can be foisted off on your company’s IT department with a clear conscience.
Sorry, What is Being Pulled Away Right Now?
The war in Ukraine is still unfolding as this blog is being written —and the history of that conflict will take years to write in detail— but one of the already emerging stories is constant cyberattacks on Russian websites, telecoms, media broadcasters, and infrastructure. Experts have been saying for years that DDoS attacks (distributed denial-of-service attacks that overwhelm IT with bogus traffic) and data breaches were what amateurs and rare bad actors could get up to on their own. To date, we have only rarely seen the capabilities of state-run, state-funded cyber-warfare.
Probably the most famous example of a government-sponsored cyberweapon known to the public was Stuxnet, a computer worm that, unlike most malicious software, was created not to wreak broad havoc, but specifically to figure out if it was on a computer controlling centrifuges enriching uranium. Upon finding itself in such a computer, the worm adjusted the speed of the centrifuges until the devices shook themselves apart. Created in probably 2005, by 2010, when its existence became known, Stuxnet had destroyed at least 20% of Iran’s nuclear centrifuges and may well have slowed Iran’s weapons program enough to force that country to negotiate a deal before completing a bomb.
While Stuxnet is an amazing example, it is perhaps too carefully designed to avoid collateral damage to serve as a benchmark for what other state-authorized and state-funded cyber weapons can do. Without a doubt the Ukraine conflict is seeing at least limited use of weapons never seen before, and the real-world experience of using these as-yet-untested capabilities is only going to refine and enhance what they are capable of moving forward.
How Does State-Sponsored Cyberwarfare Impact Businesses?
Aside from the obvious threats of cyberweapons during a time of war, it is worth remembering that the state-funded cyberwarfare organizations are not populated by lifelong loyal government employees who live honest, upright lives and would never harm even a fly. How many of those amateurs and bad actors we mentioned earlier will draw a government pay cheque at some point in their lives because they are talented at something very few people can do? And following that reasoning forward, what are the chances none of those people will ever return to private employment or self-employment in the future? Cyberwarfare may be in its relative infancy, but in the same way the airplane, the tank, and the submarine transformed armed conflict in the early 20th Century, the new game-changer will be cyber weapons, and right now a lot of experts are seeing some of their theories and pet projects find real-world applications. The lessons being learned right now are going to make the world even more dangerous in the future.
It would be difficult to estimate how many times Executive Platforms has talked about Digital Transformation over the last decade. There are more than 90 posts on our epthoughtleaders.com website, and that is just the content we formally shared publicly. Whatever the real number, it comes up in every event, from manufacturing and supply chains to food safety and finance. Even human resources as a profession is undergoing the 4th Industrial Revolution, where the Industrial Internet of Things is seeing machines talk to machines and process unimaginable volumes of data in real-time.
All of that is vulnerable, and even the systems with cybersecurity in place may be worried about the wrong kind of attack for the wrong motives. Today’s data breaches and DDoSs are serious and warrant countermeasures. What happens when assembly lines start tearing themselves apart the way Stuxnet shook apart centrifuges? When global supply chains start routing wrong, as is almost certainly happening to Russian logistics at this point? What about when the wrong medicine goes to the wrong hospital, or when records of what has been bought and sold by whom and when disappear and cannot be recovered? Imagine power stations turning off, cell towers ceasing to function, perhaps even every internal combustion engine attached to a computer refusing to start.
The list of what could go wrong is almost unimaginable, and in light of recent events the US Federal Government has urged companies to take urgent action on the following list of recommendations:
- Mandate the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system
- Deploy modern security tools on your computers and devices to continuously look for and mitigate threats
- Check with your cybersecurity professionals to make sure that your systems are patched and protected against all known vulnerabilities, and change passwords across your networks so that previously stolen credentials are useless to malicious actors
- Back up your data and ensure you have offline backups beyond the reach of malicious actors
- Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack
- Encrypt your data so it cannot be used if it is stolen
- Educate your employees to common tactics that attackers will use over email or through websites, and encourage them to report if their computers or phones have shown unusual behavior, such as unusual crashes or operating very slowly
- Engage proactively with your local FBI field office or CISA Regional Office to establish relationships in advance of any cyber incidents. Please encourage your IT and Security leadership to visit the websites of CISA and the FBI where they will find technical information and other useful resources
Now this list, while comprehensive, is also just a starting point. What really needs to happen in businesses across the United States and around the world is to recognize that a lot of the things that we take for granted as ‘just supposed to work’ are only working at the moment because no one has had a motivation beyond boredom or the possibility of earning some easy money to actually stop them. We know there are cyber weapons that can do enormous damage. We are seeing some of them deployed in Ukraine and Russia right now, and while their impacts may be lost among the louder explosions at the moment, their long-term damage will almost certainly exceed expectations and only inform future cyberweapon development.
Here are some questions to ask about your business:
- How comfortable are you saying your company is being proactive about this threat?
- Who is in charge of your organization’s cybersecurity right now? Who do they report to, and how often do they get to engage with senior leadership about their ideas and concerns? How are they funded and supported at the moment, and what does their wish list for further resources look like?
- As your company has invested in digital tools, how has it kept pace with the cybersecurity requirements of those tools? What about your company’s legacy assets? Has anyone inside or outside the company audited your existing IT infrastructure for vulnerabilities? If so, how long ago was that done, and how often is the auditing repeated?
- Does your company have a plan for what to do in the event of a cyberattack? Are senior leadership, management, and frontline workers on the same page when it comes to what to do and how to work together in a moment of crisis?
- How are you staying informed and up to date on this issue in light of recent developments? Who do you talk to, and what are you reading to make sure you are knowledgeable on this issue on an ongoing basis?
Head of Content & Research
Geoff joined the industry events business as a conference producer in 2010 after four years working in print media. He has researched, planned, organized, run, and contributed to more than a hundred events across North America and Europe for senior leaders, with special emphasis on the energy, mining, manufacturing, maintenance, supply chain, human resources, pharmaceutical, food and beverage, finance, and sustainability sectors. As part of his role as Head of Content & Research, Geoff hosts Executive Platforms’ bluEPrint Podcast series as well as a weekly blog focusing on issues relevant to Executive Platforms’ network of business leaders.
Geoff is the author of five works of historical fiction: Inca, Zulu, Beginning, Middle, and End. The New York Times and National Public Radio have interviewed him about his writing, and he wrote and narrated an animated short for Vice Media that appeared on HBO. He has a BA Honours with High Distinction from the University of Toronto specializing in Journalism with a Double Minor in History and Classical Studies, as well as a Diploma in Journalism from Centennial College.