Although the chances of getting caught up in a state sponsored cyber-attack are relatively low, the consequences can be damaging. The coordinated disclosures around Russian cyber spying attempts highlight that the sports industry is now among the targets of these attackers, emphasising the need for businesses to consider multiple aspects of cyber security. Cyber security is an ongoing process and only a concerted and multi-layered approach will effectively mitigate the risks.
Many will be unsurprised that the Russian government has been spying on countries it views as geopolitical competitors. Espionage is, after all, the second oldest profession and something that is not unique to that part of the world – the British have a fictional national hero based on the concept. The same can be said for influence campaigns, or propaganda, which has been embraced by most developed militaries around the world. The use of computers and the internet to conduct espionage and influence campaigns is more recent but is now widespread and broadly acknowledged. Reports of alleged Chinese state hacking put the activity from one group as far back as 2006 and, in recent years, cyberespionage campaigns have become a commonplace form of attack that businesses need to consider when preparing their defences.
The recent disclosures from the US, Dutch and UK authorities describe in detail the tactics of alleged attackers who used targeted email and hacking Wi-Fi networks to steal information to support their aims. Although the tactics described in the disclosures are not new, they do show us that cyber-attacks are not all achieved by anonymous hackers sitting behind screens. According to the US indictment, if remote attacks did not work, attackers would then resort to a "plan B" and would physically travel to various locations around the world. On location, they would use specialised equipment to intercept and steal information from their targets' Wi-Fi communications. In the case of the US indictments, information from the World Anti-Doping Agency (WADA) about prominent international athletes was then publicly disclosed through alleged fake online personas in attempts to sway public sympathies in favour of Russian sports teams.
A key aspect of the disclosures is the impact they have had on the seemingly innocent victims caught in the middle of this geopolitical activity – celebrity sportspeople, a business in the US energy industry and international football and sports organisations were all targeted in such attacks. In the case of the attacks against WADA, athletes had their reputations called into question. Being targeted by cyber-attacks, nation state or otherwise, can cause very real reputational damage alone. In addition there are typically the financial costs of fraud, mitigation and recovery, as well as the possible loss of consumer confidence, resulting drops in share price, consequent changes to leadership and damage to the overall morale of an organisation.
What is surprising about the recent disclosures is the level of detail that the western authorities have been willing to share on the alleged attackers and their techniques, shedding light on some of the formerly clandestine practices and laying them bare for the world to see. Espionage was once a secret activity played out in the shadows. Yet yesterday, the Dutch, UK and US authorities publicly blew the lid on alleged Russian attempts, releasing private photos of the supposed intelligence officers, even details of their taxi receipts, suggesting their connections to the Russian state and calling into question their competence and operational security. What is also surprising, and is possibly indicative of a new strategy, is the coordinated effort to discredit the activities of the alleged Russian spies, unmask their operatives and seek to publicly embarrass or shame them - presumably in an attempt to stop or reduce the activity. Only time will tell if this strategy will achieve the desired effect.
The targets identified in these alleged attacks have highlighted that people and organisations do not need to be directly involved in international relations or government activities to get caught between nations. When the international perception of a nation is extended to areas such as sports and entertainment, all parties involved can become targets, regardless of how apolitical they might see themselves as being. Organisations and individuals need to consider their cyber security requirements - not just in terms of an organisation's internal valuation of its data, but also in the value others might place on that same information. In some situations, this change in perspective can make a significant difference in the value of the information assets being protected. Who you do business with, including third party suppliers and partners, can inadvertently make you a target.
These new disclosures have underlined the multiple ways in which cyber attackers can seek to target a range of victims. In particular, it has drawn to attention the physical aspects to certain attacks. This should serve as a reminder to businesses and individuals alike that a holistic approach should be taken to cybersecurity, rather than simply focusing on one technology. Cyber security approaches should take into account the many ways in which attackers can seek to undermine security. Although the likelihood of getting caught up in a targeted campaign is low, the tactics that the spies are alleged to have used are commonplace for financially-motivated cybercriminals seeking to steal information for monetary gain.