The war in Ukraine: Danish companies should intensify their efforts to fight unwanted IT-guests
Stationary tanks. Attacking airplanes. Soldiers shooting missiles across collapsed Ukrainian cities. This is how the media, to the best of their ability, have tried to depict the ongoing battles in Ukraine.
However, reporting from another area of the war is much more difficult. The one where troops armed with computers, keyboards and mice go after the enemy. The so-called cyberwarriors.
“We still do not know whether Russia has conducted particularly severe cyberattacks. Or whether Ukraine has merely had a really strong defence. However, it seems that until now their infrastructure has not been exposed as severely as everyone expected. Instead, the Russians have bombed them with conventional weapons,” says Jan Lemnitzer, who both researches and teaches cyber security at the Department of Digitalization at Copenhagen Business School.
So, perhaps our fear of a cyberwar proper with state-financed cyber troops destroying another country’s software has been exaggerated. But that is not to say that they are lighting up the peace pipes in cyberspace. Or that Denmark and other Western countries should relax. Because they will still be in the digital crosshairs, according to Jan Lemnitzer.
Pinprick operations are meant to create instability
Denmark should expect to be targeted by recurring pinprick operations. A type of partisan attack, where Russian hackers will regularly go after various targets to show their dissatisfaction with the sanctions that the West has imposed on them.
So the threat against Danish infrastructure is definitely present, Jan Lemnitzer warns.
For instance, if we embargo Russian gas and oil, they might be tempted to hack Danish offshore wind power parks. And if we exclude Russian banks from the global financial system, they might try to disable ours.
“Their aim will be to stir up dissatisfaction among the citizens. To provoke instability and weaken the trust in our democracy and the political strategy towards Russia,” Jan Lemnitzer points out. Earlier in his career, he conducted research on international politics.
And according to him, Denmark is poorly prepared for a strategy like that. Because we are preparing as if we were defending ourselves in a conventional war.
In other words, we are expecting the country’s armed forces to deal with it. Only, in a cyberwar, the enemy will not be driving tanks and trucks that we have to push back.
Instead, the enemy will be sitting at home, and regardless of whether they are Russian cyber troops supported by the government or criminal hackers in some basement, there is no certainty that they will choose a military target when they send off a virus-infected worm.
New ways of organising our defence
They might just as easily pick an organisation or a private company. Just ask Mærsk, Demant, Vestas, the National Bank of Denmark or Nordea, which are just some of the many companies that have already had unwanted IT-guests.
In addition, there are the companies that might not even know that they have had visitors. Because in cyberspace it is much the same as in the physical world where intelligence services spy on specific targets.
Only in cyberspace, you do not have to dispatch an agent, who will then have to find their way into the good graces of some employee in a chosen organisation, and then train that individual to take photos of important documents and place them underneath a specific bench.
And so, the cyber threat challenges the politicians’ historical approach to security and defence policies; it dilutes the classic boundary between police and army assignments, between public and private security, Jan Lemnitzer points out.
Mandatory cyber security for private companies
This is also the reason why he encourages Denmark to stop thinking about cyberwar as something that the armed forces must deal with. Instead, we should demand a contingency plan for the private sector, because that might just as easily be the point of entry for an attack.
And because the supply chains and the collaborations between private and public companies are so close, it may very well have huge consequences for society in general if a bank, a private energy supplier or a private company is hacked.
“We have to realise that private companies must be able to defend themselves against cyberattacks. The question is whether we want to spend public resources on it, or whether we want to force companies to invest in their own cyber security by way of legislation,” says Jan Lemnitzer.
In an article published in “Journal of Cyber Policy”, he argues that we should demand a mandatory cyber security insurance for small and medium-sized enterprises, and that at the same time, we must draw up a number of minimum standards for their cyber security. Because according to him, it is not only politicians who have to think along new lines. Companies will have to follow suit.
More bother than business
“A lot of companies, especially the small and medium-sized enterprises, often consider cyber security as more bother than business. It can be very hard for an IT expert to explain how serious it is to a board of directors who understand neither the technical terminology nor the level of threat,” says Jan Lemnitzer, who also recommends that we educate more people with both business sense and knowledge about IT.
Furthermore, he points out that many boardrooms still have to understand the losses a breakdown can cause, not only in terms of money but also in lost confidence among clients and business partners.
“It takes both focus and skill in the boardroom to ensure that cyber security becomes an integrated part of the overall strategy that is communicated to all areas of an organisation,” he explains.
Jan Lemnitzer is also involved in the work surrounding the cyber-risk simulator, which is located at Copenhagen Business School, and which trains business people in tackling situations where they are exposed to cyberattacks. Behind the training programme are Industriens Fond, Bestyrelsesforeningen and a number of other partners.
“Companies will have to show an interest in cyber security, so they know how to react during an attack. Because the threat from outside is not going away,” Jan Lemnitzer states.