Cyber-Resilience Is Not Just for Conflict (or October)

Technology Policy Cyber security

Cyber-Resilience Is Not Just for Conflict (or October)

Posted on: 31st October 2022
Melanie Garson
Cyber Lead, Internet Policy Unit

The danger of designating an awareness month is that it is easy to forget the problem being addressed exists all year round. Like resolutions made in January, commitments made in the excitement of an awareness month often fail to be acted upon in the long term: usually by February, 80 per cent of new-year’s resolutions have been dropped. Similarly, as the buzz of October’s global cybersecurity month begins to wear off and policymakers turn to other critical domestic and global issues from the energy and cost-of-living crises to the environment, even the best-laid plans for improving cyber-resilience and maximising the opportunities that it can bring may be waylaid.

While attention was focused on the fears of a potential but, fortunately, not-yet-materialised “cyber-armageddon” when the Russia-Ukraine conflict broke out, malicious cyber-attacks are nonetheless on the increase, up 28 per cent globally in the third quarter of 2022 than in the same period last year. Australia found itself the target of a series of significant attacks including one of the largest cyber-breaches in history, the attack on the Singtel-owned telecoms company Optus, as well as on Australia’s largest private-health insurer Medibank, and one of its largest supermarket chains, Woolworths. And as the school year started, the second-largest school district in the United States, in Los Angeles, found itself suffering from “significant disruption to its network infrastructure”, which affected 600,000 students.

Simultaneously, countries are escalating their digitalisation journeys to provide for their citizens more effectively, mitigate the impacts of the various global health, food and energy crises and compete more effectively in the international arena. In 2022, 60 per cent of global GDP is expected to rely on communications technologies. And while many feel removed from the cyber-threats levelled at those nations actively supporting Ukraine, the conflict has driven the increased politicisation of cyber-criminals. Emerging digital economies cannot afford to become the low-hanging fruit as other nations bolster cyber-shields in response to geopolitical tensions, leaving cyber-criminals seeking to avoid being embroiled in geopolitically motivated cyber-attacks to grab easier pickings elsewhere.

Rapidly digitalising states are finding themselves caught in this crossfire, with cyber-criminals now attacking the heart of poorly defended nation states. These countries are often the least equipped to defend against attack. The cyber-attack on Costa Rica by the Russian Conti ransomware gang that started on 17 April 2022 led to the country having to declare a national state of emergency. This incident was followed by a crippling attack on Peru’s National Intelligence Directorate that risked the disclosure of confidential documents vital to Peru’s national security. Beyond the collapse of the country’s medical-appointment system through a subsequent attack by Conti Group ally, the notorious Hive Ransomware Gang, who targeted Costa Rica’s Social Security Fund (CSSF), in addition to the 30 public institutions already under attack, took the unprecedented step of attempting to fuel public disorder in the face of the newly constituted government’s refusal to pay the ransom demand.

I appeal to every resident of Costa Rica, go to your government and organize rallies so that they would pay us as soon as possible if your current government cannot stabilize the situation? Maybe it’s worth changing it?

Ransomware group Conti’s message to the government of Costa Rica

It was estimated that these attacks cost Costa Rica approximately $30 million a day and will cost around 13 billion colones (around $20 million) to restore and rehabilitate the country’s systems.

Such ransomware attacks against government institutions in Latin America show no sign of easing, and there have been further attacks on the Brazilian Secretary of State for Finance in August, the Dominican Agrarian Institute, Argentina’s judiciary and, most recently, the state legislature in Buenos Aries.

Across the Atlantic, Balkan countries have felt the impact of this rapidly growing trend. In August, Montenegro’s state infrastructure was hit by an unprecedented set of cyber-attacks attributed to the pro-Russian Cuba Ransomware Group that affected ten state institutions for at least 20 days. In September, Bosnia’s state IT systems suffered the most serious attack in its history and Moldova and Slovenia also reported coming under cyber-attack over the last few months while, last week, both the Polish Senate and Slovakian Parliament came under attack, with investigations pointing to a multi-directional attack from Russia.

And although Albania’s attack was more clearly linked to a state, the crippling attacks by Iranian state-based hackers on its parliament, prime-minister’s website and E-Albania portal, demonstrates the fundamental vulnerabilities of states as they rapidly digitalise without commensurate investment in building cyber resilience.

While attention might often be drawn to these large-scale attacks, the African Union’s ambitious strategy to have every person in Africa connected by 2030 is being stymied by around 1,800 attacks per week with potential losses of $4 billion annually. TransUnion South Africa was compromised in March by Brazilian hacking group N4aughtysecTU demanding $15 million for release of 4 terabytes of data, and Africa’s largest supermarket chain ShopRite was hit by the RansomHouse group in June, putting the data of millions of shoppers at risk. With critical sectors that are rapidly digitalising particularly at risk, including research and education, public administration and health care, the need to redouble efforts in cybersecurity across the continent, where it is estimated that 90 per cent of businesses are operating without cybersecurity protocols, is even more acute.

Asia is also finding itself consistently under attack with a 21 per cent increase compared with the third quarter last year, and the United Arab Emirates has been particularly targeted with a 151 per cent year-on-year increase. And the recent incidents in Australia point to a 72 per cent increase of attacks in the ANZ region.

As countries digitalise their most critical sectors, cyber-criminals are also evolving and becoming more unpredictable, finding more creative ways to implement ransomware attacks and access valuable data. Digitalising health services may provide immediate benefit to citizens but simultaneously puts the country’s cyber-health at risk, with one in 42 health-care organisations impacted by ransomware attacks. Fragile elections are constantly at risk of interference from foreign actors seeking to sow information disorder, such as the PRC-connected Dragonbridge, affecting people’s decision-making when casting their votes. And the heart of some countries’ future planning – their education and research functions – is under attack with the education sector experiencing a 44 per cent increase over the last year.

With the rapid drive towards hyper-connectivity and the integration of the 3 billion people who are yet to come online together with the 43 per cent of people who do not yet use mobile internet even when coverage is available, there is an urgent need to ensure that connectivity is secure and resilient. It requires investment in a new cyber-reality that can ensure the continuity of business and national institutions in the face of even the most creative ransomware threats. It is essential that a commitment to cyber-resilience be based on trying to ensure that every investment in ICT can be fully realised as a capability rather than a vulnerability.

It is estimated the 60 per cent of 2022’s global GDP relies on digital communications, and approximately 70 per cent of new value created in the next ten years will rely on digital platforms. Investment in digital infrastructure can stimulate an average of between 0.4 and 0.7 per cent growth in GDP. Investment in Cabo Verde’s ICT infrastructure not only helped it rapidly roll out Covid-19 vaccinations but also stimulated the country’s real GDP to grow by 7 per cent in 2021 after its economy contracted by 14.8 per cent in 2020. Investments in digitalising health, environmental sustainability, education and violence prevention will not be fully realised without the commensurate investment in cyber-resilience.

However, what is often missing in the conversation about building cyber-resilience is the enormous opportunity that it brings. Cyber-policy conversations often focus on the risks without turning to the opportunities. As countries moving to strengthen supply-chain security, those which are able to evidence commitments to cybersecurity and cyber resilience will be able to seize the opportunity to become more trusted partners. Building a cybersecurity industry is in itself a driver for economic growth and innovation as reflected in the UK’s Cyber Strategy 2022. And those countries investing in their cyber-resilience will have an increased voice at the table shaping norms and regulation regionally and globally.

However, national-level problems need national-level solutions. As the former technical director of the UK’s National Cyber Security Centre, Ian Levy, wrote in his last blog as director, “is it reasonable to ask a ten-person software company to defend themselves from the Russians?” Countries need to start moving from a 3G approach to cybersecurity to a 6G approach to cyber-resilience with a focus on their critical industries and most valued data for their sustainable growth and innovation. This includes looking at protections for the education and media sectors alongside health and energy. It includes building an inclusive and forward-thinking workforce from policymakers to penetration testers that understand the opportunities and risks of cyber-resilience. It also includes harnessing the relationship with big tech that can provide crucial back-up in times of crisis. And it includes building diplomatic leadership and representation to have a voice at the table to ensure that global cyber-resilience isn’t eroded by the fragmentation of the internet and diverging standards.

The end of October should not mark the end of cybersecurity month but the start of cyber-resilience year. Every month should be a cyber-resilience month. In 2015 and 2016, Russia succeeded in bringing down the Kyiv electricity grid through a cyber-attack. The recent barrage of bombing attacks on Ukraine’s power grids is a testament to harnessing key partnerships for cybersecurity and resilience. Its ability to rapidly protect and move its sensitive data out of country meant that the government has been able to continue providing services and keep crucial data safe.

And while, for Ukraine, cyber-resilience is still core to fighting for its existence, it is not only critical in times of conflict. In the virtual domain just like in the real world – we are not safe unless we are all safe.

Lead Image: Getty Images

Find out more