Cyber Warfare and Government Attitudes To Cybersecurity
The cybersecurity landscape has changed almost beyond recognition. Cyber attacks, have grown into an inescapable facet of our daily lives. Everyone, from the world’s most powerful people to general consumers, live under the spectre of cyberattacks. Cyberattacks also creep into the military sphere, with the threat of all-out cyber warfare looming large over conflicts across the globe.
Naturally, government attitudes towards cybersecurity are also changing. 2022 saw governments around the world creating—or at least more heavily debating—cybersecurity regulations to help secure enterprises and organisations from evolving cyber threats. The UK, for example, passed the Telecommunications Security Act, which implemented tougher security standards on Internet service providers (ISPs) to minimise breaches that could expose the private data of millions of consumers. And for the first time, the US-based Cybersecurity and Infrastructure Security Agency (CISA) urged enterprises to choose a more proactive approach to defend themselves against cyberattacks, recommending automated continuous validation of security controls to protect against the constantly evolving threat landscape.
With that in mind, let’s take a look at cyber warfare and its impacts on government attitudes towards cybersecurity.
What is cyber warfare?
The term “cyber warfare” is itself contentious. There has been much debate surrounding its definition, with some experts even questioning whether we can truly distinguish between cyber warfare and traditional warfare.
However, the RAND Corporation, an American global policy think tank, does give us a reasonable working definition.
“Cyber warfare involves the actions by a nation-state or international organisation to attack and attempt to damage another nation's computers or information networks through, for example, computer viruses or denial-of-service attacks.”
Considering contemporary society’s near total reliance on computers and information networks, it’s easy to see why governments would want to shore up their defences against potential cyberattacks, particularly at a time of geopolitical unrest. We have already seen glimpses of the havoc cyberattacks can wreak on a nation’s infrastructure. The most memorable of these perhaps being the Colonial Pipeline incident in 2021, which caused gasoline prices in the US to skyrocket, sparked a wave of panic buying, and resulted in President Joe Biden declaring a state of emergency.
How are government attitudes changing?
As previously noted, the prospect of cyber warfare has brought about a drastic change in the way governments approach cybersecurity. This is best exemplified in the progression of the UK government’s Cyber Security Strategy, the three installments of which represent the change in government attitudes towards cybersecurity across the past decade or so.
The inaugural Cyber Security Strategy, published in 2011, expressed the UK government’s desire for the UK to:
- Tackle cyber crime and be one of the most secure places in the world to do business in cyberspace
- Be more resilient to cyber attacks and better able to protect our interests in cyberspace
- Help shape an open, stable, and vibrant cyberspace that the UK public can use safely and supports open societies
- Have the cross-cutting knowledge, skills, and capability it needs to underpin all our cybersecurity objectives
In addition to this, £650 million has also been allocated toward improving the country’s security posture, a sum that had grown to £860 million by 2016. I believe the most important facet of this report is its focus on education and incentives—regulation, sadly, remains conspicuously absent. 2016’s report did bring with it a greater focus on regulation, but always with the caveats of “if necessary” or “the right mix of incentives and regulation.” Clearly, the UK government was still wary of imposing regulation on industry.
This brings us to the 2022 edition of the Government Cyber Security Strategy. By this time, the world had borne witness to cyberattacks of an unprecedented scale and scope, namely the NotPetya and Colonial Pipeline incidents. The devastating potential of cyber warfare had become impossible to ignore, and the UK government responded with a fresh approach to cybersecurity.
However, while significant, an increased focus on regulation is not the most notable facet of the 2022 report. Much more important is the use of the term “cyber power,” which is reflective of the UK government’s current attitude towards cybersecurity. The report defines cyber power as “the ability to protect and promote national interests in and through cyberspace,” but this is not the only context in which the term is used. The UK has expressed a desire to not only increase its cyber power, but to become a cyber power. This is hugely significant, considering the increased global focus on cyber warfare—a nation considered a “cyber power” could well be comparable to a nation that is considered a military power.
What role does the private sector have to play?
The prospect of cyber warfare, and the UK’s desire to be a “cyber power,” has dragged the private sector into conflicts to an extent that hasn’t been seen, in the UK at least, since the Second World War. Private organisations are now a legitimate target for military campaigns. For nations such as the US and UK, who have become unaccustomed to fighting battles—kinetic or otherwise—on their own soil, this is a particularly worrying prospect.
With this in mind, the private sector now has a significant role to play in national security, and this doesn’t only apply to organizations that could be considered critical national infrastructure (CNI). Any organization could be targeted by state-backed hackers, for a number of reasons. The nature of modern business supply chains means that any organization could be seen as an attractive target, as they could be the first step on the way to breaching a larger, more critical organization.
In light of this, it’s more important than ever for the private sector to take responsibility for their cybersecurity. Their responsibility now goes beyond the protection of their reputation, finances, and customer data, and into the realm of keeping their nation safe. This is absolutely key to understanding why global superpowers such as the UK and the US are bringing in more stringent regulation and recommendations, and why automated continuous security validation is so important. Organizations must be able to tell whether or not they are at risk, and tools such as breach and attack simulation (BAS)—which provide a way for organizations to continuously validate the efficacy of their security ecosystem, identify gaps, and take meaningful remedial action—are essential to providing that level of assurance.
Could cybersecurity be considered Critical National Infrastructure (CNI)?
We’ve already touched upon the importance of cybersecurity for CNI, but this begs the question whether cybersecurity could actually be CNI. The Center for the Protection of Critical National Infrastructure (CPNI) defines CNI as:
“National Infrastructure are those facilities, systems, sites, information, people, networks and processes, necessary for a country to function and upon which daily life depends. It also includes some functions, sites and organizations which are not critical to the maintenance of essential services, but which need protection due to the potential danger to the public (civil nuclear and chemical sites for example).”
Considering that all of the industries that would fall inside those parameters rely on cybersecurity to continue operating, then surely cybersecurity, by definition, should also be considered CNI.
CNI sectors are considered critical because if any failed, a country could cease to function. Moreover, CNI suffers more frequent, diverse, and sophisticated cyberattacks than any other sector; this means that should the cybersecurity sector fail, an entire nation’s CNI could fail with it.
All in all, it’s clear that the mere prospect of cyber warfare has had a major impact on government attitudes towards cybercrime. While, from a security perspective at least, this change is welcome, it does mean that private organizations will be increasingly pressured to take responsibility for their cybersecurity. Employing security tools, like BAS for example, that provide deep insight into an organization’s environment is more important than ever. Whether we like it or not, more stringent cybersecurity regulations and requirements are on the horizon, and businesses must be prepared.