“We are at cyberwar!” Really?

Cyber warfare: two words that are particularly striking in a volatile geopolitical environment. But is it the reality? This is what the « Armis State of Cyber Warfare and Trends Report: 2022-2023 » tries to highlight.

The document written by Armis, a cybersecurity service provider specializing in attack surface management, offers a richly instructive overview of threats. To be clear from the start, cyber warfare is referred to here by the very broad definition assigned to the term at the beginning of the document: « the use of cyberattacks that cause damage comparable to those of a real war and/or that disrupt vital systems and services. The desired objectives can be spying, sabotage, propaganda, manipulating public opinion, intimidation or the interruption of essential services« . Therefore, it is interesting to note that, while the authors talk about cyber warfare, they speak of cybersecurity, rather than cyber defense, during cyberattacks.

They frequently mention the Russia-Ukraine war, but the document does not go into detail about the purely military operations on this conflict’s cyber front, unlike inCyber News which did so on numerous occasions (for example, here, here and here). It does, however, discuss several cyberattacks attributed to Russian and pro-Russian groups, some of which predate the Russia-Ukraine conflict, like the hacker group Darkside’s attack on Colonial Pipeline.

45% of companies reported a cyberattack

The report also mentions the only true large-scale cyber warfare operation by private actors against a state, that of Conti against Costa Rica, which prompted the Central American country to declare a state of emergency. This unprecedented situation was analyzed in detail by inCyber News.

Beyond these edge cases, the Armis report shifts the focus away from geopolitics and international balances of power to a traditional analysis of how the cyberthreats that weigh on public and private organizations are perceived. The company surveyed some 6,000 IT and security managers between mid-September and early October 2022. Respondents were members of organizations with over 100 employees in the USA, UK, Spain, Portugal, France, Italy, Germany, Austria, Switzerland, Netherlands, Denmark, Australia, Singapore and Japan.

And the findings were hardly encouraging, since 40% of these executives, across all sectors, felt that their organization had faced more threats in the six months prior to the survey than in the previous six months. Worse, 45% of them reported a cyberattack. These figures were backed up by the service provider’s own data, leading it to consider that « the threats to Armis’s international clientele increased by 15% between September and November compared to the previous quarter« . However, « a third (33%) of global organizations do not take the threat of cyber warfare seriously« , say the report’s authors.

« Less than 10% of the IT budget goes to cybersecurity »

An expansive attack surface, insufficient defenses, potentially significant damages: worldwide, healthcare is a prime target, especially in the United States, according to the examples given in the report. However, not all countries are in the same position. The French version of this report highlights that the French healthcare sector seems to be little affected. « 22% of people surveyed are not very worried, and 9% are not worried at all, » the report says.

Thus, while hospitals remain under pressure, « the overall number of cybersecurity incidents is on the decline, with 522 reports in 2022 , » says Marc Loutrel, Director of Expertise, Innovation and International Affairs at ANS at the APSSIS convention in June 2023. The fall is continuing in 2023, he added at an event organized by the Association for Healthcare IT Systems Security. « The trend is positive; we can see that our collective efforts are starting to pay off. »

Armis seems less optimistic. « Should we put this lack of interest down to the repetitive nature of the attacks, making them habitual to the point of no longer being worthy of our attention?«  In any case, the study’s authors observe that this sector allocates too little of a budget to cybersecurity, with 45% of organizations concerned who « dedicate less than 10% of their IT budget to cybersecurity« .

Virtual attacks, real consequences

Even more worrisome than the healthcare sector is manufacturing. The sometimes poorly controlled convergence of IT, operational technologies (OT) and industrial control (ICS) make it especially vulnerable, according to the report’s authors. They also highlight that some of the technologies still used in manufacturing on a daily basis are largely obsolete, at least from a cybersecurity point of view.

Just as in the healthcare sector, the repercussions of a cyberattack are not limited to the database but can be seen in the physical world. The provider is pleased to have « publicly revealed three zero-day flaws that could have affected more than 20 million APC Smart-UPS devices« . These flaws could have allowed hackers to cause power surges in the equipment protecting strategic equipment in hospitals, data centers or factories, to the point of setting them on fire.

The third focus of the « Armis State of Cyber Warfare and Trends Report: 2022-2023 » is on government agencies. These organizations are those that we think of more readily when we talk about cyber warfare. And these are undoubtedly the best prepared for such attacks, the authors say, given their considerable resources, especially in intelligence and the active fight against cybercriminals.

Being more difficult to attack does not shield them from attacks, however, even in the most developed countries. « 79 ransomware attacks were carried out against government agencies. We estimate that these agencies have lost around 18.8 billion dollars due to recovery costs and stoppage time, » the document says.

Don’t pay up in the face of ransomware

The authors also highlight that organizations of all kinds remain insufficiently prepared, despite increased budgets. 41% of respondents consider it « likely » that their company will increase its investments in cybersecurity, and 37% « very likely« . They also detail the types of spending under consideration by IT managers, with data protection, intrusion detection and identity management making up the unsurprising top three.

More surprising, however, are the answers to how companies would respond in the event of a ransomware attack. The main theme of the report is that this type of attack remains one of the most dangerous that a public or private organization can face. As is the case for terrorism or kidnapping, the official line is, « we don’t negotiate, we don’t pay« . There are many good reasons for this: paying a ransom just encourages hackers to strike again, and can lead to legal risks, such as accusations of funding terrorism, for example, without any guarantees of recovering their files or gaining control over their tools of production.

However, only 31% of managers in companies with more than 500 employees confirm sticking with this line, and 34% in the healthcare sector. However, 24% of respondents replied that they always paid hackers’ ransom demands (19% in healthcare). These averages disguise wide regional disparities. 47% of Americans fall within this case, compared to only 7% of Japanese. Colonial Pipeline gave in to Darkside’s demands, but the FBI stated that they had seized most of the bitcoins paid to the hackers.

Although difficult, like in the physical world where underhanded negotiations with criminals are frequent, such as decision would be the best possible cyberdefense. What better way to discourage the wolves prowling around your virtual henhouse than to kill the goose that lays the golden eggs?