How Geopolitics Affects Cybersecurity Risk: A Primer

Author: Donavan Cheah, CRISC, CISSP
Date Published: 6 November 2024

A cybersecurity risk practitioner often remembers the following formula:

Risk = Likelihood × Impact

If risk were a static computation of likelihood and impact, there would be no need for the stream of CERT advisories that fills a typical security analyst's inbox. Clearly, the threat landscape matters, and geopolitics offers a useful way to understand why.

Offensive Cyber Operations Are Part of Geopolitics

Offensive cyber operations are part of a broader range of tools in intangible warfare, alongside psychological operations and economic warfare. These usually relate to state actors who coordinate a range of intangible warfare operations as part of an overall war operation.

Other threat actors, such as “hacktivists” and private hacking groups that are not always state-controlled, seek to exploit such battlegrounds for their own objectives, such as commercial profit (ransomware) or false flag operations.

Either way, geopolitical decisions affect the threat landscape in both physical space and cyberspace. We can see this through a time-based analysis of Ukraine.

Ten Years of Ukraine’s Cybersecurity History: Rough Picture of Critical Cyberattacks

Since 2014, Ukraine has been central to a broader geopolitical battle between Russia and the rest of Europe. Some tactics in the cybersecurity domain included the attacks on Ukraine's power grid in 2015 by Sandworm, and in 2016 by ELECTRUM, a group directly associated with Sandworm. At that time, experts argued that Ukraine's cybersecurity legislation was weak; a 2018 report from the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) suggested that Ukraine's lack of proactive cyber defense left it reactive vis-à-vis threat actors. In this case, critical civilian infrastructure was targeted, primarily to destabilize Ukrainians psychologically.

Fast forward to 2022, when Russia launched a kinetic invasion of Ukraine on 24 February 2022. Kinetic maneuvers, however, cannot be viewed in isolation in the context of warfare. Cyberattacks happened both before and within the window of kinetic operations: on 14 January 2022, a major cyberattack preceded the kinetic invasion, and throughout the kinetic campaign, cyberattacks on Ukraine continued. As the European Parliament report pointed out:

“The financial, public and ICT sectors were targeted the most. A particularly harmful trend is the targeting of Ukrainian non-profit organizations, which are a vulnerable target due to their generally low preparedness and lack of resilience measure.”

This time, the types of infrastructure being targeted are more diverse. One way of prioritizing cyber defense is to identify critical infrastructure. But doing so is not trivial.

What Really is Critical Infrastructure?

Cybersecurity risk practitioners are familiar with risk management frameworks from a civilian angle, such as the COBIT, NIST and FAIR frameworks that ISACA covers. Typically, cyber risk is one of several risk categories that an enterprise risk management (ERM) framework factors in, alongside business, operational and technology risks.

But the ERM does not adequately answer the concerns of the government. The government, having a mandate to provide assurance to their citizens and non-citizen residents, has to answer some questions its people will ask, such as:

  1. Can critical infrastructure be trusted to run smoothly?
  2. Can I believe what the government says about the state of critical infrastructure to go about my daily life?
  3. Can I trust that the government has adequate defenses to deal with threats that endanger my daily life?

In the days that predated cyber warfare, these concerns only materialized through kinetic warfare or sabotage operations. But this is no longer true in the modern age, where non-kinetic operations to target a government’s ability to provide assurance over critical infrastructure are an unfortunate fact of life.

From a legislation perspective, there is no international standard on what “critical infrastructure” entails. For example, in Singapore, the Cybersecurity Act defines said sectors as:

The CII sectors are: Energy, Water, Banking and Finance, Healthcare, Transport (which includes Land, Maritime, and Aviation), Infocomm, Media, Security and Emergency Services, and Government.

But in Hong Kong, the proposed Critical Infrastructure Bill in July 2024 includes the following as critical infrastructure:

  1. Energy
  2. Information Technology
  3. Banking and Financial Services
  4. Land Transport
  5. Air Transport
  6. Maritime
  7. Healthcare Services
  8. Communications and Broadcasting

Meanwhile, the Cybersecurity & Infrastructure Security Agency (CISA) in the US defines 16 sectors, which include sectors such as food and agriculture, materials and waste, as well as nuclear reactors.

The divergence arises from how different legislatures view what is critical to them. For example, Hong Kong's curious omission of "water" is because Hong Kong's main water supply comes from Guangdong (specifically the Dongjiang), which is naturally out of scope of Hong Kong's laws.

The Audience Ultimately Still Matters Most: Different Risk Pictures

One consistent theme in the analysis above is that governments have realized they need to address the gap between the ERMs of companies and the concerns governments have over their own ability to provide cybersecurity assurance.

Because regulators and commercial entities seeking compliance hold different risk pictures, the risk practitioner should understand the core concerns of each party with an interest in cybersecurity risk. The table below does not cover every stakeholder involved in a cybersecurity risk discussion, but it highlights how the risk practitioner should be able to answer the different questions that pertain to each stakeholder's core concerns.

Stakeholder: Finance
  Key question (e.g.): Is the cyber risk within enterprise risk appetite and tolerance?
  Key concern: If a cyber incident happens, can we cover our financial liabilities?
  Key pictures to present:
    • Quantitative risk picture: identify clearly how appropriate risk treatment saves the enterprise money.
    • Qualitative risk picture: identify clearly how aspects such as reputational risk are addressed to maintain trust in the enterprise.

Stakeholder: Crisis Communications
  Key question (e.g.): Do our customers believe our enterprise is trustworthy enough from a cybersecurity standpoint?
  Key concern: If a breach is alleged to have happened, can we definitively say what we will do, and how will customers be reassured?
  Key pictures to present:
    • Work with crisis communications on breach investigation processes and on communication with the relevant teams (e.g. legal, IT), and run tabletop exercises (TTXs) and other exercises to validate their efficacy.

Stakeholder: Government Regulators
  Key question (e.g.): Will trust in the government be eroded if a cybersecurity incident happens?
  Key concern: Will the government be able to work with the enterprise to jointly deal with the impact of a cyber incident, especially its non-quantifiable impact?
  Key pictures to present:
    • Risk pictures: show how thorough the cyber risk picture is beyond ERM, also taking into account non-monetary risks such as trust.
    • Compliance matrix: allow bureaucrats to quickly identify what can and cannot be done from a cyber perspective, to set a baseline.

Proactive Risk Management: Intelligence-Driven Updates and the Interdisciplinary Nature of Threat Intelligence

Let us return to the formula we began with:

Risk = Likelihood × Impact

If we agree that risk is not static and depends on geopolitical developments, how do we do a better job of apprising our stakeholders whenever the risk picture changes?

The cybersecurity community's answer loosely (though not exactly) mirrors the military's: threat intelligence.

Unlike in the military, risk practitioners do not need to engage in field intelligence (thankfully). But cyber threat intelligence (CTI), if approached with the right methodology, can be immensely helpful to our case.

Let us use an example to understand what “right methodology” entails. Suppose we are presented with emerging information that a certain State X is engaging in offensive cyber operations, through both direct and proxy means, against State Y. Would that be of relevance to us?

We can look at it from an attacker-centric lens and ask ourselves some key questions:

  • Is our enterprise important enough to be targeted?
    • If “no”, could the enterprise still be hit as collateral damage from a mass campaign?
  • What is the relationship, both perceived and actual, between our enterprise and States X and Y?
    • Actual: a formal relationship, such as the enterprise being domiciled in State X or Y, or in a state that has declared a formal political position on the conflict.
    • Perceived: perhaps your enterprise has been associated with State X or Y due to a significant customer base, or the nationality of the CEO/other key officers.
  • What is State X targeting?
    • Look at this from various categories: sector, size of enterprise, and the likely attack complexity required.
  • What is/are their motives?
    • Financial? Revenge? Compromising trust in State Y?
  • How about revenge cyber operations from State Y against State X?
  • Is there available data on the tactics, techniques and procedures (TTPs) being used? (hint: MITRE ATT&CK)
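As an added illustration (not code from the article), the questions above can be turned into a repeatable re-appraisal of Risk = Likelihood × Impact: each answer becomes a relevance factor that scales the baseline likelihood, and validated controls for the reported ATT&CK techniques reduce that uplift. The enterprise, states, sectors, weights and technique sets are constructed assumptions.

```python
"""Added example (not from the article): re-appraising Risk = Likelihood x Impact
when an intel report arrives. States, sectors, weights and TTP sets are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Enterprise:
    domicile: str                # state the enterprise is incorporated in
    sector: str
    perceived_links: frozenset   # states the public associates the enterprise with
    mitigated_ttps: frozenset    # ATT&CK technique IDs with validated controls

@dataclass(frozen=True)
class IntelReport:
    attacker: str                # "State X" in the article's scenario
    victim: str                  # "State Y"
    targeted_sectors: frozenset
    observed_ttps: frozenset     # technique IDs reported for the campaign
    mass_campaign: bool          # indiscriminate tooling -> collateral-damage risk

def relevance(ent: Enterprise, rep: IntelReport) -> dict:
    """The article's attacker-centric questions, answered as 0..1 factors."""
    parties = {rep.attacker, rep.victim}
    return {
        "actual_link": 1.0 if ent.domicile in parties else 0.0,
        "perceived_link": 1.0 if ent.perceived_links & parties else 0.0,
        "sector_targeted": 1.0 if ent.sector in rep.targeted_sectors else 0.0,
        "collateral": 0.5 if rep.mass_campaign else 0.0,
    }

def ttp_exposure(ent: Enterprise, rep: IntelReport) -> float:
    """Share of reported TTPs with no validated control (no TTP data: 1.0)."""
    if not rep.observed_ttps:
        return 1.0
    return len(rep.observed_ttps - ent.mitigated_ttps) / len(rep.observed_ttps)

def adjusted_likelihood(base: float, ent: Enterprise, rep: IntelReport) -> float:
    """Strongest relevance factor scales likelihood (constructed weight: up to
    3x baseline); validated TTP coverage can halve that uplift. Capped at 1."""
    uplift = 1.0 + 2.0 * max(relevance(ent, rep).values())
    return min(1.0, base * uplift * (0.5 + 0.5 * ttp_exposure(ent, rep)))

def appraise(base: float, impact: float, ent: Enterprise, rep: IntelReport) -> dict:
    new = adjusted_likelihood(base, ent, rep)  # before/after picture for stakeholders
    return {"risk_before": base * impact, "risk_after": new * impact,
            "factors": relevance(ent, rep), "ttp_exposure": ttp_exposure(ent, rep)}

# Constructed scenario: energy firm domiciled in State Y with validated controls
# for phishing (T1566) and valid-account abuse (T1078) only.
ACME = Enterprise("State Y", "energy", frozenset({"State Y"}), frozenset({"T1566", "T1078"}))
REPORT = IntelReport("State X", "State Y", frozenset({"energy", "finance"}),
                     frozenset({"T1566", "T1078", "T1486", "T1490"}), False)
```

Calling `appraise(0.2, 8.0, ACME, REPORT)` shows the same baseline risk of 1.6 rising to 3.6 once the report is factored in, with the factor breakdown ready for the stakeholder table.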

As you can see, many of these questions are not so much cybersecurity questions as attempts to understand the situation picture through a geopolitical lens (since the example scopes the emerging situation to a nation-state adversary). The questions change with the nature of the threat actor: a commercial threat actor would warrant understanding the situation through a business/financial lens, whereas a hacktivist threat actor would require understanding it through a socio-political lens.

Beyond simply concluding that geopolitics can indeed affect a cyber risk practitioner's work, it is also important to understand the context in which different methods of analysis, both quantitative and qualitative, as well as different lenses of analysis, can enrich the risk picture. In particular, the geopolitical lens offers views on likely advanced threat actors that other typical lenses may not cover, from an attacker-centric perspective in which motivations are more psychological and political than financial.

Additional resources