COVID-19 has caused profound geopolitical and economic change and is affecting state actors’ behaviour in cyberspace. This short blog discusses the importance of reviewing a strategic threat model now as organisations work to understand the pandemic’s impact on their state adversary cyber threat landscape.
The number of states who conduct cyber espionage against commercial organisations to support political, military or economic priorities is growing. At the same time, some states are consistently developing and demonstrating their ability to conduct higher-impact disruptive activity, often against the private sector. Impacts can be wide-ranging and severe. Theft of sensitive commercial information and intellectual property can lead to loss of market share or consequences for national security and regulatory sanction. Operational disruption can cause massive direct financial loss and reputational damage.
Understanding your strategic environment is an important goal for organisations seeking to mitigate these risks. However, COVID-19 has caused major political and economic disruption and influenced state priorities. As a result, a re-evaluation of traditional, pre-COVID-19 threat models is required. A first step in understanding your new state-aligned adversary threat landscape involves identification of priority adversaries and assessment of their intent towards your organisation. In other words, who is a threat and why? Getting answers to these questions has normally involved an exploration of internal and external factors, including:
- The product or services provided, and the partners or customers for these;
- How much intellectual property or technology is unique;
- Whether the product or service is of dual-use for military or national security applications;
- How closely coupled an organisation is to key sectors, such as government, defence, telecommunications, or energy;
- Geography and regional or geo-political exposure.
These issues will likely continue to be of paramount importance for an organisation seeking to understand the identity and motivation of state adversaries. However, COVID-19 has already prompted significant changes in nation-state targeting. Several governments have repeatedly issued credible statements and indictments documenting state-sponsored cyber espionage campaigns to support new COVID-19-related intelligence requirements. These are likely just the most obvious public signals of the new threat liability born out of the pandemic. Over time, more evidence of states pursuing new espionage goals, or traditional goals but with increased determination, is likely to emerge. So, in order to understand the impact of these changes on your strategic threat model, organisations should ask a new series of questions, including:
- Do you provide products and services to organisations in the healthcare or pharmaceutical industry or are you otherwise intertwined with government responses to COVID-19?
- Do you provide products or services with specific applications that are newly important in a COVID-19 world?
- Have you developed intellectual property or technology specifically related to COVID-19 that has helped you advance or protect business operations?
- What actions have you taken in your IT stack and in your cyber defences, over the course of your COVID-19 response, that might make you more or less susceptible to nation state espionage?
Discovery questions can help identify your organisation’s exposure to the state-aligned cyber espionage that is intended to help states with their immediate COVID-19 response. However, defenders also need to consider COVID-19’s second-order effects on the threat environment. These relate to the rapid shifts in the geopolitical and economic environments in the last months and should address:
- Geopolitical risk and national resilience: Does the organisation provide critical goods and services that are wholly or in part dependent on operations in other countries? What actions have the relevant governments taken or may take regarding on-shore manufacturing, or could they issue sanctions or export controls related to goods you may handle?
- Involvement with or exposure to sectors of newfound importance: For example, food security is likely to become more important, especially for authoritarian states seeking to maintain affordability and availability for a restive, COVID-19 recession-impacted population. At the same time, as geopolitical tensions rise, increased competition in other areas, such as raw materials required for defence manufacturing or telecommunications, is also likely to prompt increased cyber espionage.
- Is the organisation or sector a traditional target for human intelligence operations? COVID-19 travel restrictions and a crackdown, in some countries, on foreign intelligence services-linked researchers will probably increase cyber espionage to compensate for lost access.
- Has your sector been targeted previously by state-aligned adversaries seeking to threaten or execute disruptive attacks? As COVID-19’s impact exacerbates pre-existing geopolitical tensions, certain authoritarian states are more likely to prepare or launch disruptive compromises to project power, shape regional environments and retaliate against their adversaries. Defenders should consider the possibility of increased intent of this type, especially in telecoms and energy sectors and their supply chains.
These are just some of the top line issues associated with COVID-19’s strategic impact on an organisation’s threat landscape. There will be others. Each organisation will have different priorities or exposures — and a tailored approach is vital. Exploration of the significance of the major developments in cyber-criminal activity should also occur, with significant emphasis on the new generation of extortionists and their increasingly high-impact activities. Exploring these issues will enable an organisation to better model its threat environment at a strategic level and, from that position, identify and mitigate its new threat liability in a COVID-19 world. Intelligence-led threat hunting teams need to know they are oriented to detect and counter adversaries in this new reality. Boards need to know how COVID has changed the answers to the key questions: "Who is coming after us and why?”
We recommend an external evaluation to challenge internal assumptions about the type and level of threat state-aligned adversaries pose, and to provide independent assessment of the relationship between an organisation’s assets and the identity, motivations and capabilities of its priority adversaries.
Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture helps organizations protect their valuable assets, end-to-end. With services that include strategy and risk management, cyber defense, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
Copyright © 2020 Accenture. All rights reserved.