Geopolitical cyber activity is heating up, increasing the costs for businesses and nations. Resilience could set your organization apart at a time like this.
Here’s what you need to know and do now.
There is a powerful and mysterious threat keeping business leaders awake at night: geopolitical cyber activity. Almost 75% of CEOs who participated in PwC’s 22nd Annual Global CEO Survey say their company may be affected by geopolitical cyber activity. Yet, only 15% strongly assert their company is cyber resilient.
State and non-state actors are honing cyber weapons into cheap but effective—and unpredictable—geopolitical instruments. Criminal threats like ransomware, for example, are being refashioned into agents of chaos. A sure way to hurt a country is to attack its economy and business. The power of these threats may not be obvious when headlines first report their awkward names, like WannaCry and NotPetya, but it is clear from the aftermath. According to the White House, NotPetya amounted to the most costly and destructive cyberattack in history. There is no telling how long that record will stand, but it is surely temporary. A recent study pegs the cost of a global ransomware cyberattack in a severe hypothetical scenario at $193 billion (compared to NotPetya’s estimated cost of $10 billion).
Rising tensions among the world’s major powers could embolden geopolitical actors in the shadows of cyberspace. Large majorities of respondents to the World Economic Forum’s latest annual survey on global risks anticipate “political confrontations between major powers” (85%), cyber-enabled data theft (82%) and cyberattacks that disrupt operations and infrastructure (80%) in 2019.
Don’t expect any declarations of “cyberwar”—this isn’t about large-scale conflict. Think instead of digital cloak and dagger. Without warning, lurking adversaries can unsheathe concealed, silent weapons to undermine economies, critical infrastructure and public trust in vital systems. These insidious attempts at “punishment, subversion, or coercion” pose the greatest risk to cyber stability. Your company could be targeted if it owns or operates critical infrastructure, or it could be affected if those on which it relies are attacked. If your operations are disrupted, you may not only incur financial losses but also encounter challenges with insurance claims. The cloak-and-dagger nature of cyberattacks may spur some insurers to deny coverage based on an act-of-war exclusion.
Policymakers are experimenting with stronger measures to fend off cyberattacks. The European Union is considering plans for cyber sanctions, a tool previously used by the US government. The Trump administration’s new cyber strategy, meanwhile, puts greater emphasis on US government offensive cyber operations, including threats to punish actors who dare target US critical infrastructure. To set clear red lines for cyber deterrence, US officials may cite a new list of the most strategic risks to US critical infrastructure this year.
Although US cyber deterrence policy has moved from theory to practice, it is still in its infancy and being evaluated by Congress. Some industry leaders support the strategy’s more proactive use of US government cyber capabilities to defend critical infrastructure. Critics of the strategy worry that increased offensive hacking could spur adversaries to respond in kind. Researchers in this camp are developing a framework to help industry assess whether the new strategy deters or incites adversaries.
Companies face rising expectations from governments to boost their resilience in the interest of national security. In the United States, homeland security officials are creating new risk-management mechanisms to work with facilities deemed to be the “crown jewels” of critical infrastructure. Meanwhile, in the European Union, a directive that went into effect in 2018 requires providers of essential services to be resilient to cyberattacks. This is the first time the EU has legislated on cybersecurity. Related UK guidance puts a new onus on companies to use lessons learned from incidents to update and re-test response plans as needed. Other government agencies, including the Monetary Authority of Singapore, are also developing new requirements for cyber resilience.
A PwC study of hundreds of incidents involving cyber and operational failures has identified the common root cause in most cases: the dependence on a highly siloed and reactive approach to digital resilience.
Businesses cannot count on an inconsistent web of solutions, policies and procedures in a crisis, certainly not when attacks are becoming more sophisticated and the window for the right response is getting shorter. An organization cannot protect what matters most based on an ad-hoc inventory of digital assets. And if it doesn’t understand the interdependencies that underpin its business operations—for example, across its supply chain—it cannot mitigate the risks.
The current state of unpreparedness is captured in the sentiments of CEOs and cybersecurity and privacy executives. Only 41% of business leaders are very comfortable their organization is building resilience to cyberattacks to a large extent, according to PwC’s Fall 2018 Digital Trust Survey.
Before a crisis threatens to halt your business operations, your organization should have in place the right capabilities to swiftly defend against cyberattacks and recover from any disruption. With the right approach, you can avoid quickly mounting financial losses, build trust in the marketplace and position your company to gain a competitive advantage by bouncing back faster and stronger than your competitors.
Conduct a review of your business architecture to understand how critical processes could be vulnerable to failure—and how they might recover in the event of disruption. Have you minimized single points of failure due to reliance on a single technology or provider? That is just one of many questions you should be asking. Assessing the adequacy of your digital resilience approach against external benchmarks and frameworks can help identify deficiencies and prioritize your triage approach. Your review should also scrutinize crisis-response capabilities.
First, replace your patchwork of solutions, policies and procedures with an integrated approach to designing, assessing and maintaining a digital resilience program. Next, become proactive instead of reactive. Take a dynamic, data-driven approach to developing defensive and recovery capabilities, testing key safeguards and identifying potential malicious actors. Identify particular elements—including applications, information and networks—that need to be resilient and implement needed improvements. Use leading tools such as the constant monitoring of technology infrastructure to help enable high availability, disaster recovery and data integrity. And verify with your insurance providers that your policies have high thresholds for triggering the act-of-war exception.
Businesses have a role to play in public-private efforts to build stability in cyberspace. There are concrete things you can do. Your company may be able, for example, to help build a global consensus on key concepts, terms and definitions describing how actors operate in cyberspace. Your organization may possess technical know-how that could help improve the sharing of cyber threat information through standards and confidence-building measures. You can participate in discussions convened by entities such as the World Economic Forum's Centre for Cybersecurity to turn principles for resilience, security and stability into practice.
Cyberattacks are often mounted from places where the line between state and non-state actors is blurry. Growing expertise in both the private and public sectors means no organization, including yours, needs to face these challenges alone. Businesses and governments must start to collaborate in new ways to strengthen national—and global—resiliency.