Cybersecurity in this era of polycrisis

A year since Russia invaded Ukraine, the geopolitical context is increasingly tense and volatile. The world faces several major crises in what has been coined a 'polycrisis,' a cluster of global shocks with compounding effects. The dire global economic outlook coupled with rising inflation, supply chain disruption, energy shocks, extreme weather events and geopolitical instability heightens the threat of potentially disruptive cyber operations. Geopolitical tensions increase cyber risk while cyberattacks exacerbate geopolitical dynamics.

The EU Cybersecurity Agency (ENISA) recently issued an alert about several Advanced Persistent Threat (APTs) actors conducting malicious cyber activities against businesses and governments in the EU. Moreover, according to the latest data from Google, there has been a spike in state-sponsored cyber attacks, with a 300% increase targeting users in NATO countries, compared to 2020.

In February 2022, the satellite communications provider Viasat was targeted, provoking outages across Europe hours before Russia launched its invasion. Even though the Ukrainian army was the main target, the attack also impacted internet services for tens of thousands across Europe and disconnected remote access to about 5,800 wind turbines across Germany. In the spring of 2022, the US cybersecurity authority and other allies released a joint Cybersecurity Advisory warning that Moscow-aligned cybercriminals had been devising cyberattacks against critical infrastructure. Given the likelihood of a prolonged war and of a renewed Russian offensive, malicious cyber operations can be expected as part of a concerted hybrid warfare effort.

In the Western Balkans, Albania is another poignant example of a geopolitically motivated cyberattack. Between May and July 2022 and again in September, government servers suffered a series of ransomware attacks attributed to Iranian-sponsored hackers. In response, Tirana called for the support of NATO and cut diplomatic ties with Teheran. According to PM Rama, Albania is still under constant attack.

In the context of the war in Ukraine, the weaponisation of gas supplies and attacks on energy infrastructure - such as the sabotage of the Nord Stream pipelines - highlighted the threats to critical infrastructure. The energy sector has become a primary target of geopolitically motivated cyberattacks, while also being indirectly affected by spill-over effects. Some key examples include the Colonial pipeline ransomware attack in 2021, costing over $4.4 million, and the 2022 ARA cyberattack, which disrupted oil and gas supplies in Europe.

Amidst rising prices and reduced gas supplies, the EU has vowed to end reliance on Russian energy imports by 2027. Meanwhile, the US is set to become the global leader in liquified nature gas (LNG) exports, thus playing a major role in European energy security. A 2022 Bloomberg report revealed that at the onset of the Russian invasion, 21 US-based LNG industries were affected by a large-scale hack. The FBI also reported that Russian hackers have been scanning the systems of energy companies and other critical infrastructure in the US.

The energy crisis is also boosting the shift to renewables, making such industries a potential target of cyberattacks. In April 2022, three German wind energy companies were breached by the Russia-based Conti cybercrime group. Sustainable energy infrastructure has profited from IT/OT convergence, reaping operational and financial benefits albeit increasing the vulnerability surface. Such risks will grow exponentially as renewables are predicted to generate 60% of global energy by 2035. The disinvestment from fossil fuels requires greater levels of cybersecurity: green transition must go hand-in-hand with cyber resilience.

As COVID-19 and the Ukraine war have shown, the global supply chain is extremely complex and fragile. Organizations’ cybersecurity is influenced by the quality of security across their supply chain. The 2023 Global Cybersecurity Outlook also finds that 27% of business leaders and 14 % of leaders perceive third-party organizations to be far less cyber-resilient than their own organizations. According to a major semiconductor-equipment manufacturer, a breach at one of its suppliers would cost $250 million in the next quarter. An attack on a single vendor can trigger a reaction endangering an entire network with potentially devastating consequences, as happened in 2017 when the NotPetya ransomware spread beyond Ukraine, reaching more than 60 countries with over $10 billion of damage worldwide. Similarly, the 2020 attack on SolarWinds' IT management software Orion; the 2021 ransomware attack on customers of software vendor Kaseya; and the 2017 WannaCry ransomware that spread across 150 countries and brought the UK’s National Health Service to a standstill.

In such an unstable geopolitical context and challenging economic environment, it is fundamental for private and public sectors to strengthen cyber resilience to mitigate future disruption. According to the World Economic Forum’s Global Risk Report 2023, cybercrime and cyber insecurity are ranked among the top 10 global risks in the next two to ten years. The 2023 Global Cybersecurity Outlook also found that 91% of business and cyber leaders believe that a far-reaching, catastrophic cyber event is somewhat likely in the next two years. Against the backdrop of such scenarios, in which cyber incidents and their cascading effects can have devasting impacts on society, cybersecurity must become a priority.

Achieving cyber resilience is one of the biggest cybersecurity challenges: it is not a one-time or a one-actor effort. Data suggests that a harmonised approach that stretches across borders and businesses is necessary. Private sector collaboration can foster cyber maturity across the industry. The Centre for Cybersecurity drives collective action with multistakeholder communities to develop and scale forward-looking solutions and promote effective practices through its industry-focused cyber resilience initiatives in oil and gas, electricity and manufacturing.