Any soldier who has read the influential work of military strategist Sun Tzu knows that warfare is much more than an exercise in brute strength. The successful commander embraces a range of tactics, including deception and misdirection, to achieve his ends, but perhaps the most important trait is the willingness to be flexible and fight on terms that most favor your strengths while playing to the weaknesses of your enemy. The growing prevalence of cyber warfare in geopolitics and international affairs is a direct result of this line of thinking: with its ability to cause disruption on an unprecedented scale, it is little wonder that the cyber domain is shaping up to become the most critical battlefield of the coming century. Nation-states are taking steps to prepare for increased conflicts in cyberspace, but private sector companies must also invest in adequate defenses.
In contrast to conventional methods for waging war, cyber warfare is cheaper, avoids putting people in harm’s way, and, most importantly, is easier to deny. It can also sometimes be quite subtle. For example, the degree to which foreign governments interfered in the 2016 United States Election is still unclear; however, we know enough to say with certainty that the return on investment was profound. The original goal was likely to simply cause discord and erode faith in public institutions and, unfortunately, they were quite successful. The relative ease of cyber warfare and the ability to strike opponents with anonymity and impunity combine to make it attractive to policy makers.
Moreover, cyber warfare can provide significant, long-term pay-outs without risking the immediate threat of retaliation. The SolarWinds breach is an excellent example of this: in December 2020, a nation-state (presumably Russia) breached this IT company, leading to nine US agencies being compromised. Approximately 100 private companies were also compromised. Many were technology companies, and their products may generate additional intrusions, creating the potential for future follow-up attacks.
One major detriment to a cyber arms race is that cyber warfare is inherently unpredictable. There are known and generally accepted laws of war, and a known price that breaking them imposes on countries and individuals, but cyber warfare has almost no established or accepted definitions or rules of engagement. Opponents have a hard time understanding what their counterparts are capable of or what their “red lines” for escalation are.
Ongoing conflicts help to illustrate just how important this emerging field is, and governments worldwide are increasing their investments in cybersecurity because analysts project that cyber warfare will become increasingly overt in future conflicts.
But even prior to the Russia-Ukraine conflict, cybersecurity spending was increasing dramatically. The Record research mapped 2021 cyber spending: US ($2B), Japan ($665M), UK ($350M), Germany ($240M), and France ($165M).
This will have a direct impact on cyber wars. As a result of growing investments, cyber arms can be expected to become more dominant in future conflicts – and this, in turn, will impact cyber risk across public and private sectors.
Rising geopolitical tensions escalate the risks associated with cyber warfare, and nation-state threat actors will have no qualms about attacking private companies to achieve their political goals or to gain access to priority government targets. Furthermore, as cyber activity intensifies, the threat to enterprises grows, creating new challenges. These trends have obvious financial implications for enterprises, increasing cyber risk and thus the resources that must be allocated for cyber detection and response.
In addition to the threat from nation-states, non-state actors are increasingly flexing their muscles. When a grassroots collection of Ukraine-aligned volunteers banded together to create widespread disruption in Russia, it represented the first time that cyber-attacks occurring as part of a geopolitical conflict were not under the strict control of any single government. Never have we seen this level of involvement by outside actors in an armed conflict.
In response to the growing challenges, the public sector and private sector must both look to strengthen their cybersecurity resilience. As threats become more sophisticated, cyber-attacks are no longer a question of if but when. In response to this, steps must be taken to ensure that the increased investment in cybersecurity is being efficiently and intelligently leveraged. Preparedness will not come down simply to the amount of money spent but rather to how those resources are applied.
Yuval Wollman is the President of Cyberproof, a UST company, and Managing Director for UST Innovation Israel.