Last month’s two-year anniversary of the NotPetya cyber attack provides a unique opportunity to assess some of the key strategic lessons learned from the attack and what might be done on a national level to address the threat of similar attacks going forward. Perhaps the most distinctive outcome of the NotPetya attack was the sheer scale of the economic damage it caused worldwide – estimated to be over $10 billion – and the fact that the damage was borne not by intended targets of the attack, but rather by a series of private-sector companies largely unconnected to Ukraine.
This matters a great deal for how we think of national-level cyber defense, as NotPetya represents a critical new trend: massive-scale collateral damage arising from nation-state cyber weapons. Given recent reports about the expanded use of cyber weapons by various nation-states, including ostensibly the United States, understanding how to mitigate the potential impact of such collateral damage is something that should be top of mind for every corporate board director and policymaker alike.
Today we loosely use the term “cyber attack” to describe almost any effort by threat actors that go after computer systems or data in cyberspace. This umbrella term is used whether the effort is designed to steal information, destroy data, brick systems, or extract resources. Indeed, the term is so widely used in reference to a broad range of activities that it has largely lost its ability to convey a real sense of threat or danger. Nonetheless, in the case of NotPetya, cyber attack is precisely the right term to use.
NotPetya was a cyber-enabled use of military power directed by one nation-state against another with the intent of achieving specific, measurable damage. Specifically, Russia aimed its cyber arsenal against its former satellite state, Ukraine, to cause significant political and economic damage. And from that perspective, NotPetya was wildly successful. Nearly every major national government agency in Ukraine was hit hard, as were major power companies, hospitals, banks, and airports across the country. National credit card payment systems were taken down, bank account access hampered, and a substantial amount of national commerce – at least non-cash transactions – was limited for some period of time. One estimate suggested that as many as 10 percent of all computers in Ukraine were wiped in the NotPetya attack. By any definition, this was a paradigmatic cyber attack.
While the attack achieved much of its intended goals – causing losses to the National Bank of Ukraine and other national entities – the lion’s share of the damage from this attack was not felt by Ukraine, its government, or even the country’s private sector. The vast majority of the damage was felt by private sector companies incorporated in other Western nations, whose operations in Ukraine pale in comparison to their global footprints.
Companies like Maersk – the world’s largest shipping line that runs 76 global ports and makes up a sizeable portion of worldwide oceangoing trade – Mondolez, the holding company for brands like Nabisco and Cadbury, and FedEx’s European subsidiary, TNT Express, were among those hit hardest, each suffering hundreds of millions of dollars in damages. While many of these companies showed remarkable resilience and recovered significant portions of their affected operations quickly, the economic impact on their business was substantial.
The key lesson to take away from this attack – particularly in an era where nation-states are more likely to utilize cyber capabilities as a core element of national power – is that no company is immune. To the contrary, one need not even be on the target list for an attack for it to have potentially crippling short- and long-term effects.
This ought then be a wake-up call for company executives and directors. Whereas once upon a time not so long ago it was sufficient to measure cyber risk based in part on the likelihood of being a target of cyber attacks, this measurement is much weaker today in a world where cyber weapons are being utilized more freely and can have lasting collateral effects.
For private-sector leaders, there are a few steps that might be taken to mitigate the potential effects of such threats. First and perhaps most obvious, NotPetya utilized a well-known vulnerability for which a patch had long been released, as well as a widely available tool for which some defenses were available. In such cases, there are few excuses for major companies not having the relevant hardening measures in place ahead of time. Second, corporate boards must accept the fact that going up against nation-state level attackers – or those with their capabilities – is a fundamentally unwinnable battle for individual companies. As such, holding their own executives accountable for stopping nation-state attacks standing alone is setting them up for failure. Rather, corporate boards must solidify efforts of their companies to work across industry barriers and with others in their industry – and when appropriate, with governments – to create a collective defense matrix that operates in real-time. Only through banding together will companies be able to truly scale their defensive capabilities to effectively defend against these types of attacks.
Likewise, national policymakers must recognize the position they have placed their companies in by expecting them to not just be the front-line of defense against nation-state attacks, but oftentimes leaving them as the only line of defense. National governments cannot then seek to regulate sufficient cyber defense into place, because to do so would be to expect individual companies to spend large, inefficient amounts of resources at the corporate level in an effort to solve a national problem. And even then, companies are not likely to fully be able to defend themselves against nation-state attacks. Instead, national lawmakers in various countries ought to provide industry with access to national-level defensive capabilities and classified information the government collects on cyber threats, and they ought to do so at scale and in real time.
As companies must band together to create collective defense capabilities across industry, governments should also join forces along traditional and potentially new alliance lines to defend against aggressive nation-state threat actors. Such a collaboration for the United States might include bringing advanced cyber defense capabilities to key regions where crucial threat actors test-fire their cyber capabilities, such as Eastern Europe in the case of Russia, East Asia in the case of North Korea and China, and the Arab Middle East and Israel in the case of Iran.
While none of these efforts – individually or collectively – is a certain panacea to addressing the new trend toward increased collateral damage that NotPetya highlights, they do represent a core shift in the way we should think about responding to the modern cyber threats we face. As such, implementing these ideas could represent a critical first step in addressing what is rapidly becoming one of the most serious threats to global economic growth and productivity in the modern era.