“Geopolitics and Cyber Risk,” a discussion moderated by Joshua Larocca, managing director of the firm Stroz Feinberg, on the second day of the 2022 International Conference on Cyber Security (ICCS), brought together perspectives from England, Germany, and the United States.
Paddy McGuinness, a senior adviser at the Brunswick Group, noted that North Korea, China, Iran, and Russia are now “very capable threat actors” with the ability to harm the United States, the United Kingdom, and the European Union.
The challenge is that although the European Union works as a single entity to regulate a great deal of technology, national security is still the responsibility of each of the 27 individual nations. As such, there is a great deal of unevenness, he said.
“Europe is on a journey, and it’s conflicted. The majority of what it has done from a regulatory sense has been about competition and major American technology. It has not been about the Chinese state, and it hasn’t been around an active Russia at its back,” he said.
“It’s in movement, but if you look at the bulk of the legislative, regulatory, and practical agenda, it’s as much as about the United States as it is about China or Russia.”
Carsten Meywirth, director of the cybercrime division at Germany’s Federal Criminal Police Office, the Bundeskriminalamt, agreed with McGuinness’ assessment of the threat that the four big state actors pose. The added twist is that there are also threats from non-state actors who act on their own, he said. The underground economy that was created by them really took off in 2015, and last year, Meywith said, ransomware unleashed by hackers unaffiliated with specific countries cost German companies 24.3 billion euros.
“The criminal groups act globally, and with high performance. They’ve adapted the franchise model with the affiliate system,” he said.
“We call it ‘crime as a service.’ You can buy the infrastructure; you can rent the server and VPN services; you can buy credential services, codes, and malware. The criminals work together, and don’t have to know each other. The only thing they know about each other is a nickname.”
The panelists had some good news to report too. Asked by Larocca how European countries might strengthen each other’s defenses, McGuinness cited the public-private partnerships on the continent.
“When I go into really transnational businesses, they’ve got cyber defenses better than most European states. So that’s where you start, with firms like Deutsche Telekom. That’s quite a cyber-capable organization.”
Prashanth Mekela, deputy enterprise chief information security officer at American Family Insurance, said that at the end of the day, macro issues need to be addressed through day-to-day operations. The first hard truth that business leaders need to accept is that if a very capable state actor or committed criminal actor decides they want to break into their network, they will likely find a way.
“Most people have gravitated toward that viewpoint, because even if you put these obstacles out in front of their way and have defensive depth, there could still be an insider within your organization who can either be co-opted or recruited to steal sensitive information,” he said.
He suggested that the solution is to identify what parts of a business network absolutely needs to stay up and running. That includes things like intellectual property and business processes. The bulk of the company’s cyber defenses should then be directed in those areas.
“It’s a never-ending situation in which you’ve got to protect the enterprise, and you’re not going to get it right all the time. You’ve got to be able to live with it. That’s why you’ve got to be prepared for things like ransomware.”