As enterprises become increasingly entangled in nation-state conflicts, they need to bolster defenses as well as navigate the growing number of international rules and regulations.
Tarah Wheeler, infosec expert and fellow at government think tank New America, discussed the future of cyberwar and how companies can defend themselves in the expansive threat landscape during her keynote at the Gartner Security and Risk Management Summit on Thursday. While examining the "global system of interactivity," Wheeler proposed several questions, such as: Where do the international rules for cyberconflicts come from, and how can enterprises contribute?
One problem with such rules is that, for example, both the North Atlantic Treaty Organization (NATO) and the Organization for Economic Cooperation and Development (OECD) have contributed security frameworks for enterprises. Wheeler said the two perspectives are "perpetually clashing and cooperating," which has resulted in a confusing regulatory climate.
"The kinds of actions that are deemed appropriate by NATO are often considered to be the norms that we abide by in cyberwar, and then the kinds of organizations like the OECD that put out frameworks that are abided by a number of countries, are the kinds of frameworks that end up filtering over to you eventually," Wheeler said during the session.
One example she cited was the European Union's introduction of GDPR in 2018, which she described as a shock to several U.S. companies that suddenly had to abide by new international regulations. To minimize future surprises of that kind, Wheeler pointed to her work with the OECD, which contributed to a coordinated vulnerability disclosure framework and best practices document.
However, she said she is also aware that many people are only paying attention to U.S. regulations, such as the California Consumer Privacy Act (CCPA) and how the U.S. House and Senate are framing cybersecurity policy.
Wheeler said that way of thinking is impractical because of the "increasing expectations around the world" regarding protection of user data, responses to third-party security reports, and important security protocols like patch management.
"It's often true of organizations around the world, not just in the United States, that the kinds of regulatory climate and framework expectations that happen outside our borders are ignored until you can't ignore them anymore," Wheeler said.
Weighing adherence to international regulations against the impact those regulations may have, organizations are facing increasingly difficult decisions. Rapidly evolving international conflicts are posing problems for cyber insurance as well.
Wheeler cited an example of an attack in 2017 against Mondelez International, which she said has "quietly driven interesting innovations in cyber insurance" as it pertains to international conflict. The attack by NotPetya ransomware caused a series of disruptions against the world's largest snack company. When Mondelez tried to claim its $100 million cyber insurance policy from Zurich Insurance in Switzerland, problems arose and have yet to be fully addressed.
"Zurich denied their claim, saying that because NotPetya was an act of war, it was not covered under the insurance rider that Mondelez had on their full business insurance policy. That is an ongoing case right now, and it's difficult to tell at this point whether they will receive the payout," Wheeler said. "They were involved in this act of cyberwar, yet they were hit by an attack and impacted by it in a way that was absolutely devastating to their business."
Steps to take
Wheeler acknowledged that, as a technologist, she knows it can be difficult to convey to the leadership team how important the international regulatory climate is. Communication, specifically with those responsible for risk management and international regulatory compliance, is especially important in the new threat landscape. When addressing international conflict, Wheeler said companies must look beyond protocols and compliance standards.
"That compliance bar, weirdly enough, is usually set just above the level at which due care would prevent the kind of international conflict and low-hanging fruit that international cybercriminals go for," Wheeler said during the session. "That's on purpose; it's very on purpose."
Those compliance checklists, she said, are the first line of defense for an organization against international threats. Another actionable step Wheeler advised was deciding where cybersecurity as an audit function ties into an organization. "The most successful way that I have seen information security as an internal function of a business operate is when it reports up to finance, and the reason why is infosec is an audit function."
Additionally, Wheeler recommended a thorough review of the organization's data retention policy, because international criminals are attempting to steal data and hold it for ransom. Data breaches are an increasing problem as threat actors, particularly ransomware operators, adopt double extortion methods. Having audit records is important both for notifying customers and for claiming on cyber insurance.
However, the primary solution Wheeler suggested was that organizations keep asking questions.
"For those of us operating at the operational level [and] at the audit level, our job is to be able to challenge the parts of the organization that don't necessarily come up to snuff when it comes to cybersecurity standards," Wheeler said.