By Avishai Avivi, CISO, SafeBreach
The face of cybersecurity is evolving. Cybercrime and its implications have grown into an inescapable fact of our daily lives, affecting everyone from the general consumer to Fortune 500 corporations. Cyberattacks have even begun to creep into the military sphere, with the threat of all-out cyber warfare looming large over conflicts across the globe.
As a result, government attitudes towards cybersecurity have undergone a dramatic change. 2022 saw governments around the world creating, or at least more heavily debating, cybersecurity regulations to help secure enterprises and organizations from evolving cyber threats. The UK, for example, passed the Telecommunications Security Act, which implemented tougher security standards on Internet service providers (ISPs) to minimize breaches that could expose the private data of millions of consumers. And for the first time, the US-based Cybersecurity and Infrastructure Security Agency (CISA) urged enterprises to choose a more proactive approach to defend themselves against cyberattacks, recommending automated continuous validation of security controls to protect against the constantly evolving threat landscape.
With this in mind, it’s worth taking a deeper look at how cybercrime and cyber warfare have impacted government attitudes towards cybersecurity.
What is cyber warfare?
The term “cyber warfare” is itself contentious. There has been much debate surrounding its definition, with some experts even questioning whether we can truly distinguish between cyber warfare and traditional warfare.
However, the RAND Corporation, an American global policy think tank, does give us a reasonable working definition.
“Cyber warfare involves the actions by a nation-state or international organization to attack and attempt to damage another nation’s computers or information networks through, for example, computer viruses or denial-of-service attacks.”
Considering contemporary society’s near total reliance on computers and information networks, it’s easy to see why governments would want to shore up their defenses against potential cyberattacks, particularly at a time of geopolitical unrest. We have already seen glimpses of the havoc cyberattacks can wreak on a nation’s infrastructure. The most memorable of these perhaps was the Colonial Pipeline incident in 2021, which caused gasoline prices in the US to skyrocket, sparked a wave of panic buying, and resulted in President Joe Biden declaring a state of emergency.
How are government attitudes changing?
As previously noted, the prospect of cyber warfare has brought about important changes in the way governments approach cybersecurity. The US government has long emphasized the importance of collaboration between the private and public sector in protecting critical national infrastructure (CNI). However, the 2023 US National Cybersecurity Strategy puts a new, much stronger emphasis on regulation, expressing the need to:
- Establish cybersecurity regulations to secure critical infrastructure
- Harmonize and streamline new and existing regulations
- Enable regulated entities to afford security
This is in stark contrast to the 2018 strategy, which mentions regulation only once in the entire forty-page document and, in fact, goes so far as to criticize the idea. The two documents represent far more than the ideological differences of different administrations. They show how the federal government shifted its views on cybersecurity in response to significant, world-changing events.
Roughly two years after the unveiling of the 2018 US Cybersecurity Strategy, COVID-19 swept the globe, irrevocably changing the world as we know it. In March 2020, much of the US was locked down, forcing many employees to work from home. By June, the FBI reported a 75% increase in cybercrime.
Just under a year later, in May 2021, the Colonial Pipeline incident occurred. DarkSide, a cybercriminal group with ties to Russia, launched a ransomware attack on a pipeline system originating in Houston, Texas, that supplies gasoline and jet fuel to much of the Southeastern United States. The attack caused mass fuel shortages, halted flights, and brought about a state of emergency.
In February 2022, the Russian army stormed Ukraine’s borders. War had returned to Europe. The invasion provoked widespread condemnation from world leaders and sparked an atmosphere of geopolitical unrest that persists to this day. Moreover, throughout the war, Russia has repeatedly launched cyberattacks on Ukraine to varying effect. Russia also engaged in traditional kinetic attacks to destroy Ukraine’s access to the internet.
These events undoubtedly helped influence the U.S. government’s attitudes towards cybersecurity. From COVID-19 to the Colonial Pipeline attack to the eruption of war in Europe, it became clear that state-sponsored cyberattacks on US infrastructure were no longer out of the question. The development of more stringent regulations was a natural outcome.
What role should the private sector play?
The prospect of cyber warfare has dragged the private sector into conflicts to an extent that hasn’t been seen in the US since the Second World War. Private organizations are now a legitimate target for military campaigns. For nations such as the United States, which have grown unaccustomed to fighting battles, kinetic or otherwise, on their own soil, this is a particularly worrying prospect.
As a result, the private sector has a significant role to play in national security, and this doesn’t only apply to organizations that could be considered CNI. Any organization could be targeted by state-backed hackers, for a number of reasons. The nature of modern business supply chains means that any organization could be seen as an attractive target, as they could be the first step on the way to breaching a larger, more critical organization.
In light of this, it’s more important than ever for the private sector to take responsibility for its cybersecurity. That responsibility now goes beyond the protection of reputation, finances, and customer data, and into the realm of keeping the nation safe. This is absolutely key to understanding why global superpowers such as the US are bringing in more stringent regulation and recommendations, and why automated continuous security validation is so important. Organizations must be able to tell whether or not they are at risk, and tools such as breach and attack simulation (BAS), which provide a way for organizations to continuously validate the efficacy of their security ecosystem, identify gaps, and take meaningful remedial action, are essential to providing that information.
Could cybersecurity be considered CNI?
We’ve already touched upon the importance of cybersecurity for CNI, but this raises the question of whether cybersecurity could itself be CNI. The Center for the Protection of Critical National Infrastructure (CPNI) defines CNI as:
“National Infrastructure are those facilities, systems, sites, information, people, networks and processes, necessary for a country to function and upon which daily life depends. It also includes some functions, sites and organizations which are not critical to the maintenance of essential services, but which need protection due to the potential danger to the public (civil nuclear and chemical sites for example).”
Considering that all of the industries that would fall inside those parameters rely on cybersecurity to continue operating, then surely cybersecurity, by definition, should also be considered CNI.
CNI sectors are considered critical because if any failed, a country could cease to function. Moreover, CNI suffers more frequent, diverse, and sophisticated cyberattacks than any other sector; this means that should the cybersecurity sector fail, an entire nation’s CNI could fail with it.
In summary, it’s clear that the mere prospect of cyber warfare has had a major impact on government attitudes towards cybercrime. While, from a security perspective at least, this change is welcome, it does mean that private organizations will be increasingly pressured to take responsibility for their cybersecurity. Employing security tools, like BAS for example, that provide deep insight into an organization’s environment is more important than ever. Whether we like it or not, more stringent cybersecurity regulation is on the horizon, and businesses must be prepared.
About the Author
Avishai Avivi is the Chief Information Security Officer at SafeBreach, the pioneer in Breach and Attack Simulation (BAS). Avi brings more than 30 years as a senior information security leader with companies such as Wells Fargo, E*Trade, and Experian, where he created and implemented security programs with a focus on best practices and control maturity. Avi’s security career started with the Israeli Defense Forces Unit 8200 and has included multiple roles and domains across information security, product R&D, professional services, customer support and strategic leadership. Avi holds a dual MBA from UC Berkeley’s Haas School of Business and Columbia University’s Business School. He is CISSP, CISM, CRISC, CISA, CIPM and CIPT certified and holds the Stanford University Strategic Decision and Risk Management program certification.
Avi can be reached online at linkedin.com/in/aavivi and at http://www.safebreach.com