“Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.” US Securities and Exchange Commission Chair, Gary Gensler, March 9, 2022
As 2021 ended, Russia had already amassed troops near the border of Ukraine. Amidst the uncertainty of what 2022 held, there was early anticipation that the year might commence with war in Eastern Europe. The consequences of an escalation beyond Ukraine are unthinkable. In a cyber risk context, the conflict epitomises modern warfare, with pre-invasion cyber-attacks on Ukrainian public infrastructure and broader, indeed global, misinformation campaigns. Russian cyberattacks against Ukraine are not new, but with the memory of the Petya malware in 2017, warnings to raise cybersecurity posture were sent around the world. For now, direct cyberattacks have been relatively isolated to Russia and Ukraine.
The US Cyber Command created ‘Shields Up’, a dedicated webpage to disseminate the latest information to help organisations prepare for potential cyber threats. The war in Europe is understandably worth monitoring in the context of digital risk. Changes in the combat theatre, as well as in the envelope of geo-politics, most often lead to corresponding changes in the global cyber threat landscape. As highlighted in our interview with Professor Matt Warren, Director of the Australian-Lithuanian Cybersecurity Research Network, modern cyber war tactics are executed by state actors and third-party proxies, and are further overlaid with scaled misinformation campaigns and opportunistic cybercriminals. Cybersecurity and information warfare are intertwined and conducted in the grey zone.
We spoke with Professor Alexey Muraviev of Curtin University, who highlighted that the Russian-Chinese strategic partnership is deeper than ever before, the two countries having jointly announced at the Beijing Winter Olympics that their partnership had “no limits”. Further analysis confirms that Chinese state media and government officials have largely adopted the Kremlin-mandated sanitized language used by Russian media to describe the war in Ukraine.
“On March 6, the Russian Ministry of Defense claimed to have evidence that the United States is running 30 bioweapons labs in Ukraine. Beijing’s amplification of Russia’s bioweapons disinformation has been substantial, and, by some metrics, has outpaced efforts by the Kremlin to promote its own claim… China’s intensive amplification effort has been driven by both diplomats and state media figures, who have used the opportunity to relaunch their efforts to cast blame on the outbreak of the coronavirus on the U.S.-based Fort Detrick lab.” (Source)
Ely Ratner, assistant defense secretary for Indo-Pacific security affairs, told the U.S. House Armed Services Committee on March 9 that the danger of China conducting a major military attack on Taiwan has increased in the wake of the Russian invasion of Ukraine. “I think there is a mounting threat of aggression from the PRC… His (Xi) capabilities are growing and his patience seems to be decreasing,” Mr. Ratner said. Zack Cooper of the American Enterprise Institute agrees, saying, “Where will U.S.-China relations go from here? I think they will worsen, unfortunately. My guess is that we will look back at this period as the point at which the relationship changed permanently. And not for the better. Buckle up.”
In this environment, the potential for wider cyber warfare will clearly remain a systemic threat. The US-CERT Alert (AA22-047A) reports: “From at least January 2020, through February 2022, the FBI, NSA and CISA have observed regular targeting of U.S. cleared defense contractors (CDCs) by Russian state-sponsored cyber actors. The actors have targeted both large and small CDCs and subcontractors with varying levels of cybersecurity protocols and resources.”
Then there is still the threat of ransomware as a cybercrime. As Danielle Jablanski, Security Strategist at Nozomi Networks, writes in this issue, the U.S. and U.K. recorded rises in ransomware in 2021 of 98% and 227%, respectively. In Asia, ransomware attacks also leapt with a 121.682% increase YoY, with India and Japan reporting rises of 981% and 63.55% respectively, in IoT malware volume. We also highlight the suspected cyber-attack on Toyota to emphasise the risk cyber-attacks pose to just-in-time production. Securing entire supply chains across multiple vendors is a wide and daunting task. If a supplier serves more than one customer, the impact of a cyber-attack and the incentive to pay any ransom are magnified.
As part of the western nations’ response, the Financial Crimes Enforcement Network (FinCEN) has issued a FinCEN Alert, advising all financial institutions to be vigilant against potential efforts to evade the expansive sanctions and other U.S.-imposed restrictions on the Russian Federation. The alert provides examples of red flags to assist in identifying suspected sanctions evasion activity and highlights reporting obligations under the Bank Secrecy Act. In addition, as provided in the opening quote, the Securities and Exchange Commission has proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.
Our cover feature on Deepfake crime proposes this is a real and present danger for businesses, as well as to governments with heightened political tensions. Last year, it cost one bank alone $35 million in a single scam. With Deepfake technology becoming more sophisticated – and readily available to criminals – we need to see the technology as a current threat and not a future concern. Also in this edition, Jack Lindsay proposes the open source community is a great risk following the Log4j project vulnerability found in a critical Java ecosystem package and Vinoth Venkatesan writes a series of articles, including concerns around the delays in notifications of the Log4j vulnerability.
We also include some of the more notable ‘Movers and Shakers’ and continue to take a deep dive into the cybersecurity domain, network security and cloud security. Throughout, we have links to our Tech & Sec Weekly Series and the latest Cyber Security Weekly podcasts. Another edition with a lot to unpack.
On that note, as always, there is so much more to touch on and we trust you will enjoy this edition of Cyber Risk Leaders Magazine. Enjoy the reading, listening and viewing!
Chris Cubbage CPP, CISA, GAICD, Executive Editor