Borderless threats in the digital age: Assessing cyber-risks on a country level
Government e-services, remote work, digital currency, and e-learning - the momentum of digitalization, only hastened by a global public health crisis, has accelerated the extent to which we experience life online. While digital technology enables people to connect at unprecedented scale and speed without concern for proximity, it has also allowed malicious actors to do the same. Sharing innovations, skills, and tools, cyber-threat actors present a growing concern to governments and businesses as attacks become more frequent and complex. At S&P Global, we recognize that cyber-risks are part of the broader country risk outlook. Similarly to how we look at terrorism, interstate war, and other security risks, cyber-risks are now a part of our approach to understanding the broader country risk environment.
Why a country risk approach to cyber-risk matters
Cyberattacks should be understood as a medium - a means by which actors can effect change designed to promote their desired ends, be they political or financial. As a medium, cyberattacks can provide a great deal of deniability for the actors involved - but so can, for example, the mediums of hybrid warfare and espionage.
In a world where hybrid warfare is likely to become the norm and cyberthreats to governments and companies grow, we must consider the political and social factors that drive how this medium is utilized: the motivations, capabilities, and exposure of both the threat actors and their targets. This is the contribution of the country risk approach.
When taking a country risk approach to cyber, we ask ourselves four fundamental questions:
To what extent are commercial operations and infrastructure in a given country a specific target for cyberattacks by particular and capable actors?
The political context is a critical factor when considering whether a country is a likely target for significant cyberattacks. The most capable and best-resourced cyber-threat actors are nation-state actors who commit targeted intrusions to inflict damage, disrupt, or steal valuable information at the behest of a government. Cybercriminals, threat actors who commit malicious attacks for the purposes of financial gain - rather than on the direction of a nation state - also operate within this context at the behest. For example, many Russian-language online criminal forums have adopted a "No CIS" policy whereby affiliates cannot attack targets located in the Commonwealth of Independent States.
Cyber-threats can also spread beyond the original target, raising cyber-risks across a region or even the globe. The 2017 NotPetya attack is considered the most destructive cyberattack in history, causing USD10 billion in damage and impacting 65 countries. The attack has been attributed to Sandworm Team, a Russian state-aligned cyber-group allegedly affiliated with the Main Directorate of the General Staff of the Russian Armed Forces (often still referred to as the "GRU") or Russian intelligence, and was meant to disrupt the Ukrainian business environment and scare companies away from doing business in Ukraine. The malware posed as ransomware in an effort to hide its true purpose and make it harder to attribute, planting the assumption that the threat actor behind the attack was financially motivated. NotPetya spread to nearly every network in Ukraine before spreading outwards. The cyber-risk faced by companies operating in Ukraine and the wider region can therefore only be fully understood by considering the state of relations between Ukraine and Russia.
Does the state have the capability to prevent and respond effectively to cyberattacks on critical national infrastructure (CNI)?
Targeting the shipping industry or nuclear power plants with cyberattacks is an effective way to maximize disruption and/or damage, which makes CNI especially attractive to cyber-threat actors. These systems are essential to maintain state services and ensure that the business environment operates smoothly, and they require a substantial and coordinated effort to protect. Some states have invested significant resources in detecting and repelling cyberattacks against CNI, while others are lagging. It is worth noting that no country can repel all cyber threats and no technology is "unhackable".
Estonia is an example of a country that has invested significant resources into the state's capacity to protect its CNI from cyberattack after a hard lesson learned in 2007. After making the decision to move a Soviet-era statue (an action which offended many Russian speakers), Estonia experienced a series of cyberattacks lasting 22 days that crippled the financial sector, media, and government. The impact on the daily lives of Estonians led to protests - in some cases turning violent - and encouraged the government to invest heavily in its ability to protect critical sectors from falling victim to such an attack again. Estonia's capital Tallinn is now the home of NATO's Cooperative Cyber Defense Centre of Excellence. The government established the Estonian Cyber Defense League and the e-Estonia Briefing Centre, and made significant investments in incident response. Today, Estonia is a global leader in cyber defense and is often consulted by world leaders for advice on how to address cyber threats in their own countries.
How dependent is a country's CNI on IT systems which are exposed to cyberattack threats?
The exposure of a country's CNI to IT systems largely determines how suitable cyberattacks are (from the threat actor's perspective) as the medium of offensive action against it. Digital development of key services and infrastructure creates at least potential vulnerability to cyberattacks, and critically this applies to all users thereof, even those whose own operations might not be directly reliant on IT systems at all. The increasing integration of the operational technology (OT) of major utility providers with IT control systems creates opportunities for lower costs (for providers and users) and cutting carbon emissions, but it thereby also exposes every entity reliant on those utilities to disruption through cyberattacks, even by simply being connected to the national power grid.
South Korea stands out not just as one of the most digitally connected countries in the world - with over 95% internet penetration among the population, and a long history of the state promoting the digitalization of society, the economy, and public services - but therefore also as one of the most exposed to disruption through its IT-dependent CNI. This has made cyberattacks a critical medium through which South Korea can be targeted by threat actors: in 2014, the country's nuclear plant operator reported that unspecified actors had breached its computer systems, resulting in a noncritical data leak - although it stated there were no indications that control systems had been compromised. This exposure has certainly encouraged South Korea's main geopolitical adversary - North Korea - to extensively develop its cyber-threat capabilities as an additional medium through which to carry out offensive operations against it.
What is the state of awareness of cyberattack risks and good digital hygiene practices among a country's IT-using population?
Good digital hygiene rests on a long list of choices made at the individual level, including - but of course not limited to - the installation and use of effective antivirus and anti-malware software, of firewalls to prevent unauthorized access, the regular application of software updates, the use (and not re-use) of strong passwords, and avoiding older IT devices no longer supported with security updates from their manufacturer. The 2021 ransomware attack on the Colonial Pipeline system - the largest cyberattack on oil infrastructure in US history - resulted in vehicle fuel shortages in five states, triggering federal emergency legislation. It may have commenced with a VPN login compromised by an employee re-using a password from another website which itself had already previously been compromised.
However, these choices - and therefore their aggregate impact on an economy - can be influenced by state policies: Does the country have a well-funded national cybersecurity agency in place that engages in regular awareness and training campaigns in the public sector, private sector, and civil society? Are there sufficient user privacy protection laws relating to online activity, and are they enforced rigorously? Are cyber-safety competencies taught in schools?
Our take
The answers to these four questions provide critical insight into where, how, and why the effects of cyberattacks will be felt - however, they do not cover all aspects of cybersecurity. Through understanding that cyber-risks are highly dynamic, layered and complex, and yet still grounded in the fundamentals of security risks, the prism of country risk can make a unique and valuable contribution to our understanding of the ever-growing cyber-threat environment in which we live and operate.
Written by Cassandra Pagan and Jordan Anderson
This article was published by S&P Global Market Intelligence and not by S&P Global Ratings, which is a separately managed division of S&P Global.