The alert urged infrastructure and services providers to take urgent steps to increase their cyber security resilience. The alert achieved widespread publicity, including articles by The Independent; The Guardian; and The BBC.
A notable feature of the alert is that the Government has detected a serious change in the motivations of these threat actors. As DWF has been warning clients since the start of the invasion of Ukraine, the risk is that we will see a change in the criminal typologies of Russia-aligned threat actors, away from cyber-attacks for gain (i.e., to secure a ransom payment or other economic advantage) and towards cyber-attacks for damage and destruction. The alert makes it crystal clear that this change in motivation is now very real.
Therefore, the obvious risk is that without urgent steps being taken to increase resilience, critical infrastructure and service providers could suffer huge - potentially catastrophic - damage if, for example, the threat actors unleash wiper programs (to destroy data and systems), or malware to cause information assets (information technology, computer and communications systems and data) to be unavailable (i.e., “denial of service” attacks, or “DoS” and “DDoS”). In these cases, the victim would be unable to provide some or all of its services to its customers.
DWF advises its clients to take the alert very seriously.
DWF also wishes to remind clients of their legal and regulatory obligations for cyber security. Some of the targeted companies will fall under the ambit of the current NIS Regulations (electricity, oil, gas, air transport, water transport, rail transport, road transport, healthcare, drinking water, digital infrastructure, online marketplaces, online search engines, cloud computing); others will fall under sectoral regulation with express or implied duties for security (financial services, telecommunications, etc.); and some will fall under the GDPR if personal data were to be impacted. Professional duties and contractual duties should also be kept in mind. Clearly, a serious cyber security incident can also involve significant legal risks for a victim organisation that does not act on the government’s alert. Of course, multi-nationals will also need to consider the legal impacts for other territories.
We also encourage our clients not to take a narrow view of the meaning of critical infrastructure and services. For example, the recent updates to the EU regulatory framework take a more expansive and holistic view than the UK framework of the kinds of industries and services that can be categorised as critical. Thus, industries such as food manufacturing and distribution, pharmaceuticals and post are captured by the EU definitions, in contrast to the position in the UK. Cyber threat actors will not be constrained by arbitrary legal definitions and so we consider that the EU approach is more aligned to the true meaning of criticality than the UK’s.
The attack surface
When considering exposure levels, clients should be mindful of the true extent of their attack surface. This covers not just technology, but also human factors (consider the problem of social engineering and phishing attacks) and the supply chain.
An area of the supply chain that is often less resilient than might be imagined is Cloud Computing. Due to the buying power and economies of scale of Cloud service providers, cognitive biases have developed on the customer side, which have sometimes led to unreliable assumptions being made about Cloud resilience: DWF regularly sees this problem manifest itself in the security breach cases that we handle.
Therefore, it is not surprising that Cloud instances are constantly targeted by threat actors. We strongly encourage our clients to consider their Cloud risk levels, especially where there is a large scale “single point of failure” risk potential, or where Cloud services have been procured without a full security risk assessment having been performed, or where usual procurement channels have been bypassed, or where the use, administration and management of Cloud instances has been outsourced to third parties, such as professional services providers.
Human factors
Regarding human factors, the technological sophistication of cyber security risk management has improved dramatically over the past 15 years or so, which has enhanced organisations’ security confidence levels, but we have not yet reached a corresponding level of improvement in human factor risk reduction. As well as considering human user risks for ICT, clients should consider the human factors involved in the development, configuration, deployment and administration of ICT. Similarly, clients should consider whether their incident management and incident response teams are properly prepared to deal with heightened and novel risks of the kind that NCSC has alerted us to.
How can DWF help?
DWF is recognised as one of the country’s leading law firms for cyber security services, but we also provide related management consultancy and risk management services in these areas.
We are able to help in many ways, including:
- We can brief you on the risks, the steps you can take to increase resilience and your legal obligations. Please ask our contacts listed below if you would like a copy of our white paper on the range of legal risks that can flow from a serious cyber security incident.
- We can help you to understand your current state of readiness to deal with a very serious incident. Please ask about our RAPID diagnostic tool for incident response readiness.
- We can provide you with structured readiness training, through mock incidents and role plays.
- We can help you to design or improve your playbooks for incident response. Please ask about our playbook for General Counsel.
- We have put in place a free-of-charge retainer letter, on a “just in case” basis, so that if you are attacked, we can provide you with immediate help without you having to go through the bother of procurement and contracting.
- We can review your insurance policies, to help you understand your scope of cover.
- If you do suffer an incident, we can guide you on your response and the development of your strategy; we can project-manage the response and provide it with legal privilege; we can procure and manage third party experts on your behalf; and we can deal with all of the legal consequences.