Cyber Considerations for Organizations During Times of Conflict

Key takeaways

• Geopolitical tensions and conflicts introduce new levels of risks for businesses within and outside conflict zones.
• Cybercriminal motivations change during conflicts, and CISOs need to anticipate these threat behaviors to better mitigate cyberattacks and their ripple effects.
• CISOs need to factor the human element into their cybersecurity strategies — it’s their business’ greatest asset and biggest vulnerability.
• CISOs need to develop and execute proactive, sustained, and future-proof strategies for ensuring their organization’s cybersecurity — before the conflict begins, when it erupts, throughout its duration, and in preparation for future conflicts that might arise.

Introduction

Download the Primer (PDF)

During this time of rapid technological advancements and shifting geopolitical landscapes, Chief Information Security Officers (CISOs) are confronted with the dual challenge of navigating both the physical and cyber dimensions of conflicts. As political tensions escalate into geopolitical fragmentation and physical conflicts, the cyber realm becomes a battleground in which information is both a weapon and a target.

In today's world, it's vital for organizations to prepare for both cyber and physical conflict even if your business entities are located outside of the expected conflict zone. Conflicts can disrupt supply chains and significantly impact logistics, when the shipment of necessary goods and services become impossible, or they are delivered with significant delays, increased costs, or different quality. A geopolitical conflict may cause increased scrutiny from hacktivists and advanced persistent threat (APT) groups. Organizations must recognize this heightened exposure and the associated calculated risks it entails. Measures that are needed to be taken during a conflict are significantly different from measures that are commonly taken during times of natural disasters. In this article, we provide recommendations that CISOs could use to help prepare for such situations. By observing signs of a growing conflict and taking advanced security measures, CISOs can implement successful attack surface risk management (ASRM) programs for organizations to defend against cyber attacks and other potential risks and threats during a geopolitical or kinetic conflict.

In the realm of traditional business continuity, organizations are tasked with implementing Continuity of Operations Programs (COOP) that focus on fundamental elements of reliability, such as creating backup sites in different locations and developing business contingency plans, among other strategies. This article will not cover these fundamental elements. Instead, we focus on the impact of geopolitical and kinetic conflicts on cyber security, which needs to be considered when formulating a broader COOP strategy. For detailed information on COOP implementation, readers are encouraged to consult resources provided by FEMA and NIST.

We hope that readers could use this document as a guide that provides a comprehensive overview of the necessary adjustments and strategies CISOs need to implement to safeguard their organizations’ assets, maintain business continuity, and uphold public trust amid conflict situations.

The evolving role of CISOs in geopolitical cconflict and cybersecurity

During times of conflict, the CISO's role expands significantly due to the heightened threat landscape and the need for granular control over security measures. CISOs then become strategic leaders who have to navigate, cyber threats, physical risks, and operational disruptions. The shift requires moving from traditional security practices to proactive, adaptive strategies.

Ensuring supply chain integrity becomes crucial during times of conflict, as compromised vendors can unintentionally facilitate cyberattacks. CISOs must work with procurement teams to vet suppliers and establish secure communication channels. They must also enhance coordination with organizational leaders and external stakeholders, including government agencies, industry peers, and international partners, to share intelligence and best practices. The role becomes more integrative, involving regular briefings with the executive team about emerging threats and necessary security investments. CISOs lead crisis response teams, managing incident response, business continuity, and public communication.

The CISO's expanded role during conflict necessitates a focus on workforce resilience. This includes regular training and awareness programs to ensure employees can recognize and respond to security incidents. CISOs must also address the psychological and emotional well-being of their teams, understanding that operating under conflict conditions can affect performance and decision-making.

The role of CISOs during conflict evolves to encompass broader responsibilities and greater strategic importance. The need for granular security control, enhanced coordination, and workforce resilience underscores the critical position CISOs hold in protecting organizational assets and ensuring operational continuity amid adversity.

Understanding the changing threat landscape

Geopolitical tensions and cyber risks

During peacetime, countries often collaborate, and there is frequently cross-border collaboration between businesses that improves opportunities for all cooperating parties. However, situations may change dramatically when there’s risk of a political — or worse, kinetic — conflict. Economic sanctions and cyber measures, such as geofencing, network restrictions, and data sovereignty actions, may significantly impact businesses.

The impact of sanctions on business processes and cybersecurity

During times of conflict, sanctions often affect business processes and defense capabilities. Economic sanctions, usually imposed by one or more countries against a target nation, can severely restrict access to vital technologies and financial resources, affecting international trade and the global market. This can lead to disruptions in the supply chain, hindering businesses’ ability to operate efficiently. An illustrative example is Iran, which has faced extensive sanctions from the United States and the European Union over its nuclear program. North Korea also faced Another illustrative example is North Korea, which has faced extensive sanctions from the United States and the United Nations over its nuclear weapons program. These sanctions have significantly restricted North Korea’s access to global financial systems and advanced technologies, compelling the country to invest heavily in developing its cyber offensive capabilities to bypass these limitations.

North Korea has used cyber-attacks to retaliate against perceived adversaries and compensate for its constrained traditional military options. One notable example is the 2017 WannaCry attack, where the North Korean group known as the Lazarus Group, an alleged state-sponsored hacking organization, caused significant operational issues with a ransomware attack that infected hundreds of thousands of computers across 150 countries, including critical infrastructure. Additionally, the Lazarus Group has been implicated in various high-profile cyber-crimes, where $81 million was stolen through fraudulent SWIFT transactions.

As businesses and defense sectors grapple with these restrictions, the overall economic and security landscape is significantly altered, with a pronounced emphasis on cyber resilience and adaptability. The increased frequency and sophistication of North Korean cyber operations has highlighted the urgent need for robust cybersecurity measures and international cooperation to counter these threats. Sanctions compel CISOs to meticulously examine their supply chains and customer relationships to ensure compliance, while also incentivizing the sanctioned entities to enhance their offensive cyber capabilities. This increase in cyber capabilities could pose additional risks, potentially impacting the security posture of CISOs across various industries.

Sector-specific risks

Different sectors may face unique risks based on their operational nature and the data they handle. For example, the financial sector is particularly vulnerable to cyber-attacks aimed at disrupting economic stability or stealing sensitive financial information. Similarly, the energy sector faces risks from attacks that could lead to disruptions in power supply, reflecting a direct convergence of cyber and physical security threats. Understanding these sector-specific nuances is crucial for CISOs to tailor their risk management strategies effectively.

Preparing for conflict: Strategies and best practices

Differences between recovery and mitigation plans for conflict and disaster recovery

During global conflicts, COOP faces more complex challenges. Wars can disrupt information systems and vendors, leading to prolonged disruptions. Cyberattacks target critical infrastructure, financial systems, and communication networks, increasing the risks of sabotage, espionage, and physical destruction. COOP plans must be highly adaptive, incorporating rapid responses to cyber threats, secure communication, and alternative operational methods.

Global conflicts impact both physical and digital supply chains and vendor reliability, causing shortages, delays, and loss of key suppliers. This requires reevaluating supply chain dependencies and developing alternative sourcing strategies. COOP involves close coordination with government agencies, heightened security protocols, and potentially relocating operations to safer areas. Ensuring employee safety and well-being becomes paramount, necessitating emergency evacuations, secure work environments, and mental health support.

Supply chains and trade limitations during a conflict

Conflicts can disrupt both digital and physical supply chains alike, affecting logistics, delivery, and the availability of goods and services. Experience from past conflicts ighlights the need for supply chain resilience, with CISOs responsible for implementing contingency plans to manage disruptions. Additionally, the emergence of trade barriers demands rapid strategic adjustments, which can be alleviated through strategic stockpiling and diversifying suppliers.

Identifying and protecting critical assets

Identifying and protecting critical assets becomes more crucial as these assets, which range from data centers to network connectivity to logistics hubs, often become affected during conflicts. The prioritization of these assets ensures that risk assessments are carried out and protective measures are appropriately allocated to prevent significant losses.

Human factors during the conflict

A crucial but often understated element of security management is the human dimension. Its importance cannot be disregarded in any resilient organization's strategies. In times of stress or confusion, which are common during conflicts and cyberattacks , there is a heightened risk of errors originating from individuals within an organization. This risk is further exacerbated by the threat of disinformation campaigns and social engineering attacks, which often exploit the chaos of conflicts to manipulate employees into disclosing sensitive information or making critical mistakes.

Recognizing this, CISOs must prioritize establishing effective training programs to enhance the skills and awareness of their workforce concerning emerging security risks. Additionally, implementing strong support systems that provide assistance when needed can bolster employee morale and confidence in facing adversities. Clear communication is another indispensable tool; it ensures that everyone understands roles, responsibilities, procedures, and the significance of maintaining operational resilience. Collectively, these measures help reduce human-induced vulnerabilities, promoting a culture of security mindfulness that enhances an organization's overall defensive capabilities against diverse threats.

With this focus on enhancing the human aspect, CISOs can ensure their workforce is prepared and equipped to handle challenges during times of crisis, ultimately fortifying organizational resilience in a comprehensive manner.

Legal and ethical considerations during conflict

Violating sanctions or other domestic restrictions can lead to significant legal problems to operating businesses. Organizations must proactively strategize to anticipate and adapt to changes in the legal landscape. For example, the designation of entities by authorities, which may have legal implications for international transactions (including payroll for remote workers in different jurisdictions), requires careful legal assessment. The unpredictability of political changes should be fully assessed with specifics of regional regulations and the ever-changing political situation. Conflicts can also lead to unexpected ethical and legal dilemmas for people and businesses. What might have been standard practice in peacetime could become contentious, leading to internal and external conflicts of interest. It's vital to establish clear guidelines and robust oversight mechanisms during these times.

Public perception

The public's perception of a company's actions during a conflict can affect its brand and operational credibility. Conflicts stir emotions, and they can also lead to employees expressing opinions publicly online that are at odds with the company’s official stance, reflecting negatively on their employer. Transparent communication and responsible business practices are critical in maintaining public trust and reputation.

Cybersecurity in the face of geopolitical conflict

The shift in cyber risks for organizations during conflict

During conflicts, the cyber risks faced by organizations escalate in both frequency and severity. State-sponsored cyberattacks have become more common, with adversaries using sophisticated techniques to infiltrate critical infrastructure, disrupt operations, and steal data. Motivations range from espionage and sabotage to economic disruption and psychological warfare. Organizations are targeted by rival nation-states, hacktivist groups, and cybercriminals exploiting the chaos for financial gain. These increased cyber threat activities necessitate advanced security measures and robust incident response plans.

The shift in cyber risks involves targeting a broader range of sectors. While defense and government are primary targets, other critical sectors are also at increased risk. The interconnected nature of modern infrastructure means an attack on one sector can cause widespread disruption. Additionally, misinformation and cyber propaganda create further risks, requiring organizations to combat false narratives and maintain stakeholder trust. This complex threat landscape demands a comprehensive cybersecurity approach, including attack surface risk management procedures, cross-sector collaboration, continuous threat intelligence, and proactive defense strategies to ensure resilience.

Changes in cyber actor behavior during critical events

Cyber actors adapt their strategies during crises, exploiting geopolitical conflicts to intensify activities, such as espionage, disinformation, and sabotage. Recognizing these signs early is critical for preemptive defense measures. Historical precedents, such as the campaigns targeting Ukraine since 2014 and more recent ones attributed to Volt Typhoon, underscore the necessity for CISOs to anticipate these shifts in threat actor behavior. Proactive monitoring and robust cybersecurity defenses have become indispensable in these times.

Advanced persistent threats

In conflict scenarios, the intensity of advanced persistent threats (APTs) significantly increases. These threats involve prolonged cyber operations orchestrated to target certain government organizations and private businesses to steal information and disrupt operations. The APT attacks may be backed by nation-states and may have connections to the governmental organizations. APT attacks are often sophisticated and make use of a variety of tactics and methods to gain a footprint into their target. These tactics include social engineering, spear phishing, watering hole attacks, design and development of custom engineered malicious software, and development, procurement, and use of zero-day exploits.

As cyber conflicts escalate, the rules of engagement for APT groups often shift. These groups may increasingly collaborate with cybercrime groups to exploit compromised infrastructure or gain additional access. They may also target organizations and units, which, under normal circumstances, are usually off-limits due to fear of political backlash or rules of engagement. Expansion of targets can lead to disruptive attacks against healthcare organizations or critical infrastructure, such as the electrical grid.

Cybercriminal actors

Cybercriminal actors may want to exploit the growing confusion during times of kinetic conflict and abuse the situation for financial gain. Boundaries may be stretched and certain targets (such as the healthcare industry or critical infrastructure) that cybercriminals previously avoided are more likely to be targeted during periods of conflict. Cybercrime actors have also been observed to shift their motives from pure financial gain to political attacks during a geopolitical conflict.

Increased hacktivism

Hacktivism is common in any geo-political conflict, and the frequency and scale of these activities are more likely to increase significantly during such times. Examples include the Russia -aligned Killnet group and several hacker groups who are active in the Israel-Hamas conflict. A complicating factor is that in some cases, nation-state actors disguise themselves as known or previously unknown hacktivist groups.

The role of disinformation

Disinformation campaigns tend to escalate when there is a political conflict, or when a military operation breaks out. For example, Russia’s war against Ukraine has shown cyber operations with a larger scale and faster pace in countries that support Ukraine. Historical cyber campaigns offer critical lessons on the evolving nature of cyber threats amid political conflicts. For instance, disinformation and public opinion manipulation campaigns can affect the actions, decisions, and reputation of the company. From these campaigns, it becomes clear that CISOs need to implement comprehensive cybersecurity measures that go beyond traditional IT (information technology) security. These measures includes fostering a culture of cybersecurity awareness throughout the organization, employing advanced analytics for threat detection, and ensuring that robust incident response strategies are in place. Furthermore, the integration of cyber intelligence with operational procedures can significantly enhance the organization’s ability to predict and preempt potential cyber attacks.

Disinformation campaigns against government and local businesses are also frequently observed. It is important for businesses to establish and maintain reliable means of communication with the public to deal with disinformation.

Adapting the risk and attack surface model

In the context of heightened geopolitical conflicts, CISOs are revising and enhancing their organization's risk and attack surface models. This adjustment is critical as it involves identifying and mitigating potential vulnerabilities that could be exploited in the evolving threat landscape associated with political unrest.

Understanding the expanded attack surface

The first step in adjusting the risk model involves comprehensively understanding the expanded attack surface. This includes not only traditional IT infrastructure but also technologies such as IoT devices, cloud services, and remote work environments along with the ability to access infrastructure from untrusted devices during emergencies. Each of these elements introduces vulnerabilities and potential entry points for cyber-attacks. For instance, emergency access from non-trusted devices and remote work environments involves less secure networks, which adversaries can exploit to gain access to organizational data. If a part of the business is in the conflict zone, it is also important to consider situations where physical access to the offices and buildings is restricted for days or even weeks. Power outages can last significantly longer than usual, and it is essential to keep key business processes functional and secure despite those constraints.

The expanding role of the CISO

Strategic leadership and granular control

The cyber threat landscape is dynamic, particularly in a geopolitical context. Regular reassessment of the risk and attack surface model is necessary to adapt to new threats as they emerge. This involves not only technological upgrades but also continuously revising policies and procedures to ensure they remain effective under changing circumstances. Having a thorough understanding of ongoing conflicts, geopolitics, and sector-relevant intelligence sources is crucial for anticipating the potential impact on the sector, including the timing, location, and nature of these effects.

Employee training and awareness

Human error has always been one of the largest security vulnerabilities. In times of geopolitical conflict, the risk of social engineering attacks, such as phishing campaigns exploiting political themes, can increase. Regular training and awareness programs are crucial to keep employees informed about the latest security practices and threat tactics. This training should be tailored to include information on the specific types of threats that may increase during political conflicts, emphasizing the importance of vigilance during these times.

Collaboration and intelligence sharing

Given the complexity and scale of geopolitical cyber threats, collaboration and intelligence sharing with other organizations, industry groups, and government agencies like national Computer Emergency Response Teams (CERTs) ave become invaluable. This collective approach can enhance an organization's situational awareness and preparedness by providing access to shared threat intelligence, best practices, and coordinated response strategies.

Scenario planning and response

Operating in conflict zones: Challenges and protocols

For businesses primarily operating within conflict zones, the stakes are exceptionally high. CISOs must implement comprehensive security protocols, engage with local stakeholders, and continuously assess the ground situation to adapt strategies accordingly. Businesses in the conflict zone might have additional limitations (such as limited access to the buildings, limited network and internet connectivity, power outages, physical breaches, third-party access to IT assets, and higher risks of insider threats) that CISOs need to take into account. To mitigate these threats, assets should be distributed geographically wider to minimize chances of simultaneous damage, and simultaneous power and connectivity outages. Game developers in Ukraine, which have had to deal with blackouts, air raid sirens, and military conscription, offer an example of how companies with offices in a conflict zone have adapted to the new situation.

Interacting with Conflict Zones

Organizations engaging with conflict zones — whether through local interactions, supply chain operations, or by supplying goods to those areas without being physically based there — encounter distinct and complex challenges. Ensuring the security of the supply chain and the safety of local business units requires a nuanced approach that considers both local and international implications. Interactions with conflict zones can violate international sanctions and restrictions, and significantly affect the organization's reputation. Also, if any parts of critical supply chains are dependent on the locations within conflict zones, this significantly changes the risks for critical business processes. Hardware components or software may be delivered with significant delays, and suppliers might not be able to comply with service-level agreements (SLA) and quality control, due to the conflict.

Outside of conflict zones (neither supplying, interacting)

Even businesses not directly linked to conflict zones must be vigilant. The global nature of information and cyber warfare means that no entity is entirely insulated from the repercussions of a conflict. Any public statement, changes in the rules that affect international supply chains or countries that produce software or hardware can trigger state-sponsored, criminal, and hacktivist attacks and affect company reputation. Preemptive cybersecurity measures and strategic planning are crucial to protect against potential indirect threats.

Course of action

Steps that can be taken in advance of conflict

Organizations should start their preparations well before any conflict arises. These preparations include:

• Assessing if an organization is a target of interest, establishing strong cybersecurity measures, diversifying supply chains, and building relationships with international and local allies.
• Conducting regular training and simulations to ensure readiness.
• Have a clear understanding of which business critical assets and services are located outside the country. Monitor long-term supply chain contracts and determine which are at risk or have a chance to be disrupted to be ready to substitute them.
• Creating crisis management teams and assign roles and responsibilities.

Steps that can be taken before conflict

As signs of impending conflict become clearer, organizations should intensify their preparedness efforts. These efforts include:

• Reinforcing cybersecurity defenses to counter increased cyberespionage and disinformation, securing additional resources and suppliers, and ensuring that all contingency plans are up-to-date and actionable.
• Simulating or testing scenarios of unavailability of hardware, software, and services from major suppliers with temporary switching to alternative suppliers, and be ready to switch to alternative suppliers any time.
• Preparing for the increase of hacktivist activities. Reinsure infrastructure and processes integrity, and increase the effort to detect the presence of adversaries, since the cost of missing it during times of conflict is way higher.
• Updating infrastructure, assets, processes, playbooks status. Assess which systems should be fully isolated and identify where changes or updates should be temporarily disabled.
• Creating backups at alternative, distributed, or offline locations.
• Increasing power and internet redundancy; consider autonomous power sources capable of sustaining operations for a duration appropriate to operational requirements.

Adjustments that can be made right before conflict begins

When conflict appears unavoidable, the following immediate steps must be taken:

• Safeguard critical assets.
• Activate crisis management teams.
• Implement communication protocols to ensure timely and accurate information dissemination internally and externally.

Immediate actions that can be taken when conflict begins

During the first week of conflict, rapid response is crucial. Organizations can take these actions when conflict begins:

• Monitor the situation closely and execute emergency plans.
• Ensure the health and safety of all employees, particularly those in affected areas.
• Maintain constant communication with key stakeholders.
• Assess which assets are still trusted and which are compromised or untrusted, and which ones need to be disabled or erased to mitigate the significant risks of adversarial use.

Mid-term and long-term plans that can be developed for conflict

In the medium term, as the initial phase of the conflict stabilizes, organizations need to assess the effectiveness of the actions taken and make necessary adjustments. This period involves continuously monitoring the situation, reevaluating risk assessments, and adapting business strategies to the evolving landscape, and adjusting to any new government/international policies if necessary.

Long-term planning involves learning from the ongoing conflict and previous incidents to better prepare for future crises. This includes investing in stronger, more resilient infrastructure, fostering a culture of continuous improvement in security practices, and enhancing strategic alliances both locally and globally.

Conclusion

Adjusting the risk and attack surface model in response to geopolitical conflicts is a multifaceted endeavor that requires a proactive, informed, and adaptive approach. The landscape of global security is perpetually evolving, with conflicts presenting significant risks and challenges to businesses worldwide. Chief Information Security Officers must navigate these challenges with foresight and strategic planning, ensuring their organizations can not only withstand the pressures of conflict but also emerge resilient and secure. This guide underscores the importance of preparation, adaptability, and strategic alliances, offering CISOs a comprehensive ASRM framework to protect their interests and maintain continuity in an unpredictable world.

By understanding the expanded attack surface, addressing sector-specific and supply chain risks, preparing for APTs, enhancing employee training, and engaging in collaboration and intelligence sharing, CISOs can more effectively mitigate the heightened risks associated with political unrest and ensure the resilience and security of their organizations.