Government e-services, remote work, digital currency and e-learning – the momentum of digitization, only accelerated by a global public health crisis, has increased the extent to which we live life online. While digital technology allows people to connect at unprecedented scale and speed without regard to proximity, it has also enabled malicious actors to do the same. Sharing innovations, skills and tools, cyber threat actors are increasingly of concern to governments and businesses as attacks become more frequent and complex. At S&P Global, we recognize that cyber risks are part of the broader perspective of country risk. In the same way that we examine terrorism, interstate warfare and other security risks, cyber risks have become part of our approach to understanding the broader national risk environment.
Why is a country risk approach to cyber risk important?
Cyberattacks should be understood as a means – a means by which actors can effect change designed to further their desired ends, whether political or financial. As a medium, cyberattacks can provide a great deal of deniability to the actors involved – but so do, for example, hybrid warfare and espionage.
In a world where hybrid warfare is likely to become the norm and where cyber threats to governments and businesses are growing, we must consider the political and social factors that shape how this means is used: motivations, capabilities and the exposure of threat actors and their targets – hence the contribution of the country risk approach.
When we take a country risk approach to cyber, we ask ourselves four fundamental questions:
To what extent are business operations and infrastructure in a given country a specific target for cyberattacks by particular and capable actors?
The political context is a critical factor when determining whether a country is a likely target for significant cyberattacks. The most skilled and well-resourced cyber threat actors are nation-state actors who commit targeted intrusions to inflict damage, disrupt, or steal valuable information at the behest of a government. Cybercriminals, threat actors who carry out malicious attacks for financial gain – rather than at the direction of a nation state – also operate in this on-demand context. For example, many Russian-language online crime forums have adopted a “No CIS” policy whereby affiliates cannot attack targets located in the Commonwealth of Independent States.
Cyber threats can also spread beyond the initial target, increasing cyber risk in a region or even globally. The 2017 NotPetya attack is considered the most destructive cyberattack in history, causing $10 billion in damage and affecting 65 countries. the Russian Armed Forces (often still referred to as the “GRU”) or Russian intelligence services and aimed to disrupt the Ukrainian business environment and scare companies from doing business in Ukraine. The malware masqueraded as ransomware in an attempt to hide its true purpose and make it harder to attribute, suggesting that the threat actor behind the attack was financially motivated. NotPetya spread to almost every network in Ukraine before spreading outside. The cyber risk faced by companies operating in Ukraine and across the region can therefore only be fully understood by looking at the state of relations between Ukraine and Russia.
Does the state have the capacity to effectively prevent and respond to cyberattacks on critical national infrastructure (CNI)?
Cyberattacks targeting the shipping industry or nuclear power plants are an effective way to maximize disruption and/or damage, making CNI particularly attractive to cyber threat actors. These systems are essential to maintaining state services and ensuring the proper functioning of the business environment, and require a substantial and coordinated effort to protect them. Some states have invested significant resources in detecting and repelling cyberattacks against CNI, while others lag behind. It should be noted that no country can repel all cyber threats, and no technology is “inviolable”.
Estonia is an example of a country that has invested significant resources in the state’s ability to protect its CNI against cyberattacks after a hard lesson learned in 2007. After making the decision to move a Soviet-era statue (an action that offended many Russian speakers), Estonia experienced a 22-day series of cyberattacks that crippled the financial sector, media and government. The impact on the daily lives of Estonians led to protests – sometimes violent – and encouraged the government to invest heavily in its ability to prevent critical sectors from falling victim to such an attack again. Tallinn, the capital of Estonia, is now home to NATO’s Cooperative Cyber Defense Center of Excellence. The government established the Estonian Cyber Defense League and the e-Estonia information center, and made significant investments in incident response. Today, Estonia is a world leader in cyber defense and is often consulted by world leaders for advice on how to deal with cyber threats in their own countries.
How dependent is a country’s CNI on IT systems exposed to cyberattack threats?
The exposure of a country’s CNI to computer systems largely determines the suitability (from the threat actor’s perspective) of using the medium of cyberattacks as a means of offensive action against them. The digital development of key services and infrastructure creates at least potential vulnerability to cyberattacks, and this applies critically to all users thereof, even those whose own operations might not be entirely (directly) dependent on IT systems. The increasing integration of operational technology (OT) from major utility providers with IT control systems is creating opportunities to reduce costs (for providers and users) and reduce carbon emissions, and thus exposes each entity dependent on these utilities to disruption through cyberattacks, even by simply being connected to the national power grid.
South Korea not only stands out as one of the most digitally connected countries in the world – with over 95% internet penetration among the population and a long history of the state promoting the digitalization of society, economy and public services – but is therefore also one of the most exposed to disruption via its IT-dependent CNI. This has made cyberattacks a critical means by which South Korea can be targeted by threat actors: in 2014, the country’s nuclear power plant operator reported that unspecified actors had breached its computer systems, resulting in a leak of non-critical data – although it said there was no indication that the control systems had been compromised. Certainly, this exposure of South Korea has encouraged its main geopolitical adversary – North Korea – to broadly develop its cyber threat capabilities as an additional means by which to conduct offensive operations against it.
What is the state of awareness of the risks of cyberattacks and good digital hygiene practices among a country’s IT population?
Good digital hygiene relies on a long list of choices made at the individual level, including – but of course not limited to – the installation and use of effective anti-virus and anti-malware software, firewalls to prevent unauthorized access, regularly applying software updates, using (not reusing) strong passwords, and not using older computing devices that are no longer supported by the manufacturer’s security updates. The 2021 ransomware attack on the Colonial Pipeline system – the largest cyberattack on oil infrastructure in US history – led to vehicle fuel shortages in five states, triggering emergency federal legislation. It may have started with a compromised VPN connection by an employee reusing a password from another website that had itself been previously compromised.
However, these choices – and therefore their overall impact on an economy – can be influenced by state policies: does the country have a well-funded national cybersecurity agency that engages in regular awareness and training in the public sector, the private sector, and civil society? Are there sufficient user privacy laws regarding online activities and are they strictly enforced? Are cybersecurity skills taught in schools?
Our point of view
The answers to these four questions provide essential information on where, how and why the effects of cyberattacks will be felt – however, they do not cover all aspects of cybersecurity. By understanding that cyber risks are highly dynamic, layered and complex, yet still rooted in security risk fundamentals, the country risk lens can make a unique and valuable contribution to our understanding of the constantly growing cyber threat environment in which we live and operate.
Written by Cassandra Pagan and Jordan Anderson
This article was published by S&P Global Market Intelligence and not by S&P Global Ratings, which is a separately managed division of S&P Global.