by Andrea Little Limbago
In the month since our first post on NATO, the Sandworm virus’ extent and reach has become increasingly publicized. Sandworm is believed to be a Russian cyber-espionage campaign focused on extracting content and emails that reference Ukraine. NATO was among its many targets. To some, this may just appear to be power politics playing out in cyberspace, with only the government sector truly affected. That would be an extraordinarily myopic perspective. Private companies are increasingly entangled in the world of cyber geopolitics and must be wary of how geopolitical developments can impact their own cyber security. When it comes to the cyber realm, the line is increasingly blurred between state and non-state actors. For the private sector, the geopolitical situation may become just as relevant to assessing cyber risk as international markets are to assessing economic risk.
As we’ve noted, there are significant hurdles to implementing NATO’s collective cyber defense, and the challenges in enforcing it will only grow. But the expansion of Article 5 to include cyber is just one tool the West can use to push back against Russian influence. NATO’s adoption of cyber complements the sanctions employed by the US and EU against select (mainly state-owned) Russian companies. US sanctions against Russia largely target the financial, energy, defense, and transportation sectors. Similarly, the Sandworm virus targeted, in addition to NATO and other Western government entities, several energy, telecommunications and defense companies. It also targeted an academic institution due to Ukrainian research by one of the professors. The JP Morgan data breach (and that of a dozen other banks) similarly is largely hypothesized to trace back to Russia, with some viewing it as retaliation for US sanctions.
The permeation of geopolitics into the private cyber domain is not limited to the Russian example. Last year, the Syrian Electronic Army (SEA) attacked several Western media outlets, the most prominent of which was the New York Times website. The timing of the attacks coincided with the Obama administration’s claims that Bashar al-Assad used chemical weapons against his population. The SEA is believed to have targeted anti-government/pro-rebel media outlets. The success of the SEA has led some to wonder whether the Islamic State of Iraq and the Levant (ISIL) is similarly capable of mounting a similar attack.
Geopolitics in cyberspace is certainly not limited to attacks against the West. The recent wave of cyber attacks on mobile phones in Hong Kong is likely an attempt by the Chinese government to quell the pro-democracy demonstrations. In response, Anonymous has vowed to retaliate against the Chinese government. Anonymous is not the only non-state actor fighting back against state-sponsored cyber attacks.
The line between state and non-state actors in cyberspace is becoming increasingly blurred. Members of the private sector, whether companies or individuals, are increasingly likely to be targets of cyber attacks–not because of their own behavior, but because of the growing impact of geopolitics on the private sector. Unlike the seemingly non-politically motivated breaches of companies such as Target or Neiman Marcus, private sector companies may become the targets of retaliatory behavior of foreign governments (or their non-state extensions). Rather than being the result of actions by specific companies, these targeted attacks will more likely be spillover effects of the greater geopolitical tensions between states. Saudi Aramco knows full well just how quickly the business (or state-owned enterprise in their case) sector can become a victim of grander power politics. This is likely to become the norm, not the exception, as states continue to play out disputes in the anonymizing domain of cyberspace. Private sector companies, especially those in energy, finance or defense, are especially likely to be prone to targeting by foreign government affiliated entities.