Real-world events such as politics, war and sanctions are arguably the single biggest influencer of the tactics used by cyber actors globally. To gain an edge, cyber professionals need geopolitical intelligence, argue Strategic Intelligence Manager Thomas Murphy and lead analyst on cyber risks, Manish Gohil, in remarks originally delivered at the CISO 360 conference in Singapore in September.
How many cyber security professionals were left on the back foot by Russia’s invasion of Ukraine in February? Or suddenly had to spend time looking at, and answering questions about, what an escalation in Taiwan would mean?
There is often a narrative that events such as the Ukraine conflict or the recent Taiwan crisis were unforeseeable. But I contest that idea. Russia’s invasion of Ukraine was entirely foreseeable, as are the recent tensions in the Taiwan Strait.
Dragonfly warned our clients in mid-December of the high likelihood of war in Ukraine, nearly two months before the war started. And we have been providing our clients with scenarios for an escalation in Taiwan for months – consistently flagging a high-profile visit by a US official as a trigger for a crisis between Beijing and Washington.
This understanding of geopolitics matters because it allows our clients to plan. In the case of Ukraine, it allowed our physical security clients to carry out threat assessments, plan evacuations and prepare safe shelter.
But such geopolitical intelligence also brought huge benefits to cyber teams.
It prompted them to reconsider their threat exposure and to take a closer look at Russian threat actors and their intent; to boost threat-hunting and to prepare lists of indicators, triggers and warnings. It allowed them to liaise with business continuity colleagues to ensure a holistic and preemptive approach was being taken. It allowed them to isolate their systems in Russia and Ukraine from those elsewhere, and to take a look at their IT supply chains.
None of these actions were prompted by us forecasting an uptick in Russian cybercriminal activity, or an uptick in malware and ransomware. Instead, this preparedness fell out of geopolitical intelligence.
Real-world events drive cyber risks
So why does geopolitics matter for cyber professionals? The answer is that real-world events – politics, war, sanctions – are arguably the single biggest influencer of the tactics, techniques and procedures of cyber actors globally.
The fast-moving and dynamic way in which specific cyber threats evolve makes it extremely difficult to forecast changes in TTPs over the coming months, let alone the coming years. This is where geopolitical intelligence can bring cyber professionals an edge. The methodologies we use give geopolitical intelligence a longer forecasting range. By assessing the capabilities and intent of political and security actors, we are able to make medium- and long-range forecasts on the likelihood of real-world risks such as revolution, insurrection and war. And as we know, these real-world events and risks transcend and drive cyber risks.
Ukraine is a particularly pertinent recent example. Russia’s invasion has triggered a chain of geopolitical consequences which have all, to varying degrees, had cyber ramifications. Take Ukraine’s rapid creation of a volunteer ‘cyber army’ and the changes it has triggered in ransomware targeting patterns. Take the series of cyber attacks around Eurovision in Italy in May by pro-Russia hacker groups, or more recent DDoS attack campaigns against countries like Estonia, Lithuania and Norway in response to escalating disputes over the trade or transit of sanctioned goods.
Russia’s invasion of Ukraine has also probably influenced the targeting patterns of prolific ransomware and criminal groups. This has seemingly been the case with ransomware attacks against energy facilities in Europe earlier this year, given the financial incentives amid the ongoing energy challenges stemming from the war.
The ‘New Normal’ in the Taiwan Strait
Now let’s look ahead to the key drivers of geopolitical risk in the coming years. At a headline level, we assess that Russia’s invasion of Ukraine in February and the recent Taiwan crisis are indicative of fairly tectonic shifts in the global political order. Geopolitics now matters for any organisation with a global presence: we are entering more volatile, unstable and uncertain times.
The cyber consequences of the Ukraine war – and the recent crisis in the Taiwan Strait – pose obvious questions about what a conflict between China and Taiwan would mean. But to answer those questions, we must actually consider what the prospect of such a conflict is.
We currently think it is more likely that we will enter a ‘new normal’ in the Taiwan Strait than it is that things will settle to as they were pre-crisis. Indeed, what we saw during the recent crisis looks like a sign of things to come.
China seems to have kept a lot of its powder dry in the most recent crisis: Beijing, Taipei and Washington all seem to have been very keen to avoid the situation escalating into a confrontation. But China did launch an unprecedented number of missiles over the Taiwan Strait and initiated large-scale military exercises.
But even since tensions have died down, Beijing continues to carry out military exercises in the Taiwan Strait at a higher pace than before the crisis. It continues to infringe on Taiwan’s air defence identification zone (ADIZ) and the median line of the strait, and to carry out information operations targeting Taiwan. This is the new normal.
This new normal will have cyber implications for organisations moving forward. We anticipate an ongoing intensification of the kinds of hostile operations that China-state-sponsored groups have conducted against the island over the past decade or so. These include widespread disinformation and cyber-influence campaigns to undermine the Taiwanese authorities and promote pro-mainland narratives. These are likely to be particularly intense ahead of and around the 2024 presidential election on the island.
A conflict between China and Taiwan has cyber consequences
It is no secret that Chinese state groups have the capability to conduct both pervasive cyber espionage and disruptive operations on critical industries and infrastructure in Taiwan, particularly its semiconductor industry. Under a new normal scenario, we also foresee an intensification of attempted IP theft and reconnaissance of the semiconductor, financial and energy sectors in Taiwan, as well as occasional acts of disruption to energy or telecoms. These would demonstrate China’s capabilities and undermine Taiwanese sovereignty in the same way that Beijing’s military operations in the Taiwan Strait aim to do.
We assess that an invasion at this stage remains highly unlikely at about 15%. This assessment is largely driven by the level of ambiguity around whether China could successfully take the island, particularly if the US were to intervene in support of Taiwan – something it has been deliberately vague on.
A failure to successfully invade the island would be disastrous for Xi Jinping’s leadership: he has made reunification with Taiwan a key pillar of his agenda. Still, for now, we think he is unlikely to follow through on invading the island.
But a 15% likelihood – particularly of such a high-impact scenario – is not insignificant. And it’s worth considering what this would mean. If Beijing were to invade Taiwan it would almost certainly have cascading effects on both physical and cyber security in Taiwan, with catastrophic implications for trade and services.
Some of the main implications we foresee include disruptive cyber activity aimed at paralysing civilian and military infrastructure ahead of an invasion, increased cyber espionage and data-compromising activities on foreign governments and businesses, particularly of ones that Beijing sees as supporting Taiwan through logistical and financial aid. The physical destruction of communication infrastructure would also be likely, resulting in prolonged disruption to the internet or telecoms.
Blockading Taiwan through cyber means
Such an invasion would also be detrimental to the semiconductor sector.
One thing that is often overlooked – at least in mainstream discussions around Taiwan – is that China has escalatory options that don’t involve a military invasion of the island. The most significant of these would be a blockade of Taiwan, often also called a coercive quarantine. This would probably see Beijing deploy its naval and air forces to the Taiwan Strait and the seas off the island and restrict air and sea access, either in part or completely.
China’s goals for such a quarantine would not be to completely cut off food and supplies to Taiwan, but rather to demonstrate de facto sovereignty by controlling the air and maritime space around the island, as well as which cargo deliveries, ships, aircraft, and people have access to Taiwan. Crucially, this would also, in theory, keep things below the threshold of a military response from the US or others.
Such a scenario would – as the name suggests – prompt significant and potentially sustained disruption to trade and shipping in the Taiwan Strait. Widespread military and naval drills, with amphibious landing craft and the deployment of anti-access area denial weapons, would be a way for China to test the US’s resolve and to prove its capability to ‘choke’ Taiwan. But China is also able to do this through cyber and electronic-warfare means, such as by conducting disruptive cyber attacks on Taiwanese energy or telecoms and using GPS jammers around Taiwan to degrade military countermeasures.
How a conflict in Taiwan would disrupt the semiconductor industry
There is also the issue of what a conflict in the Taiwan Strait would mean for the availability of semiconductors and so, in essence, computing generally. This leads us to our next – interrelated – point: global strategic competition.
The semiconductor industry is an almost perfect exemplification of strategic competition between the US and China. It is an industry in which US companies dominate the design of chip technology. But also one which is almost entirely dependent on rare-earth minerals mined and processed by Chinese firms.
Even without a conflict in Taiwan – indeed currently amid ongoing tensions – semiconductor shortages are likely to be an increasingly common phenomenon. Both US-China competition generally, and the Taiwan situation specifically, are accelerating a trend of localisation and the rerouting of highly interconnected value chains away from China. Besides a loss in efficiency and longer production times, this will probably also lead to a significant rise in semiconductor production costs.
A conflict around Taiwan – or even a significant escalation in military tensions – would drastically and immediately worsen the outlook for the semiconductor industry globally. This is because a fully-fledged conflict would disrupt trade to and from Taiwan, which the recent tensions didn’t in any significant way. A conflict would also carry a very high risk of the destruction of manufacturing plants or related infrastructure.
This would not be an accident. There are real questions about whether Taiwan would employ a scorched-earth policy of the semiconductor sector in the event of a Chinese invasion or conflict. A total destruction of Taiwan’s semiconductor industry would at this point carry an incalculable cost to the global economy.
Russian efforts to steal intellectual property will intensify
Strategic competition is also driving shifts – with cyber consequences – in terms of Russia.
So how does this play out in the cyber domain? Russia’s increasing isolation from the West is leaving its economy increasingly vulnerable, notwithstanding the obvious flaws in the West’s continuing purchase of Russian resources. And we forecast that this will make Russian state-sponsored cyber groups increasingly likely to intensify their efforts to steal intellectual property and sensitive information from foreign firms.
The extensive sanction regime, and the departure of foreign firms and local tech workers from the country, have left Russia in a position where, to achieve continued growth and to maintain expertise in its core industries, it will probably need to steal intellectual property.
We have already seen indications that Russia has been laying the groundwork for such campaigns this year, such as removing patent and trademark protections for firms linked to certain ‘unfriendly’ countries. Sectors that we assess will be particularly at risk of such hostile cyber activity include defence, energy, extractives, high-end manufacturing, pharmaceuticals and tech.
There are dozens of other flashpoints we’re watching in the coming months in terms of cyber and information risks, including the upcoming US midterms, elections in Brazil, the FIFA World Cup and ongoing tensions between Iran and the US. The impending energy crisis in Europe this winter also carries cyber risks for organisations globally.
European governments are under immense pressure to ensure stable energy supplies and keep consumer prices down. These issues have been exacerbated by the Ukraine war and Russia’s modulation of gas flows to the continent. The energy sector is at its most vulnerable in a long time, and Russia is willing to exert additional pressure on European governments this winter in response to sanctions.
Energy facilities in Europe have fallen victim to high-profile cyber incidents this year, for example in Belgium, Germany, Luxembourg, the Netherlands and Italy. Officials have attributed these incidents, which mostly appear to have been ransomware attacks on IT-side systems, to criminal cyber groups. But ahead of a particularly critical time for the European energy sector this winter, ransomware groups probably view the sector as particularly vulnerable amid such a crisis, and so lucrative for ransomware demands.
In the graphic above, we’ve plotted some potential cyber scenarios impacting the energy industry in Europe over the coming months, highlighting their likelihood and impact. These scenarios are deliberately illustrative, and the likelihood and impact of such incidents would vary depending on several factors. These include the level of cyber security of an individual energy facility or country, a country’s dependency on energy imports (particularly from Russia), its energy price volatility and diversification, and consumer confidence in the respective government.
Incidents such as data breaches and criminal ransomware attacks on the IT-side systems of energy facilities would be the most likely scenarios impacting the energy sector in Europe this winter. But two outlier scenarios involve nation-state hackers, most likely linked to or employed by Russia, deploying sophisticated ransomware or other destructive malware against the OT and/or IT systems of energy facilities.
While such action by Russia is only a remote chance, or very unlikely, over the winter, it would be high-impact and would have cascading implications for energy security and prices. By disrupting power stations, distribution networks or energy firms in European countries, Russia would be able to exert even more pressure on the continent, as it has been doing by modulating gas flows, as with Nord Stream 1 in September. Russia’s state cyber groups would almost certainly be able to cause significant disruption to energy facilities through cyber means.
These are just some examples of geopolitical issues that are and will continue to drive cyber risks in the coming months and years.
The world is getting more fragile. More uncertain. And more unstable. This will make it all the more important for risk managers to understand and anticipate geopolitical events and developments. Doing so will provide you with an edge to plan and get ahead.
Thomas Murphy is Dragonfly’s Strategic Intelligence Manager. Manish Gohil is the lead analyst on cyber risks. This essay is based on remarks delivered at the CISO 360 conference in Singapore in September 2022.