Cyber risks go beyond geopolitics

  • Cyber attacks happen very often, but the majority will fail
  • The success of a major attack on a specific target, whose probability will be low but whose impact will be very high, will be the biggest risk going forward
  • This risk will be compounded if the attack comes from a state actor on critical infrastructure

Following a meeting of the Counter Ransomware Initiative in Washington DC in November 2022, Australia has taken the lead in creating the International Counter Ransomware Task Force, which includes 37 countries. This shows that nation-states are understanding the risks of a cyber attack, and getting much more involved in trying to prevent these. However, cyber risks also go beyond geopolitics. The challenge is no longer about being attacked (which has a very high probability) and the chances of an attack being successful (low to moderate impact) but rather about the chances of a major attack (low to moderate probability) on a specific target that might have a high to very high impact.

Different types of attackers and targets

Inter-state cyberwar remains one of the major risks facing the global economy, but it only represents one part of the vulnerabilities of the digital world . Cyber attacks have become ubiquitous, happening as often as every 11 seconds (according to a Cybersecurity Ventures estimate), but the majority fail. Microsoft reports that the most basic cyber security protection can stop as many as 98% of these attacks.

It is important to think of the type of attackers, and the types of targets.

An attack from a lone hacker or a criminal enterprise is the most likely, and they seem to gain financially from the attack. But neither have the same capabilities as a state. In any case, one of the primary challenges in cyber security is the difficulty in prosecuting an attacker from a different country.

A state’s objective is to disrupt its adversary, and this feeds into the types of targets:

  • An attack on a commercial business, such as a media company, will have a narrow impact beyond the company itself. This has happened with the Guardian, which suffered a ransomware attack in December 2022.
  • An attack on a public service (even if privately owned), such as hospitals or the postal service, will have a bigger but limited impact, as it will not fully disrupt an entire country. For example, this has happened with hospitals in France, where the proliferation of ransomware actions has led the government to take action, or the Royal Mail in the UK, whose attack in January 2023 disrupted its international deliveries
  • Cyber attacks will have the largest impact if they target critical infrastructure (electricity, water, digital for instance), especially if the impact on businesses and populations is both immediate and long-lasting. A December 2015 attack on the Ukrainian power grid, attributed to Russia led to several hours of power outages and remains the best example of this risk so far.

Regulation enters the fray

As part of a hybrid strategy, states will continue to target their adversaries through cyber attacks. Ukraine has suffered 4,500 attacks from Russia in 2022, three times more than in 2021. States will also continue to increase their regulatory scrutiny on cyber risks, especially when it comes to critical infrastructure. The EU is at the forefront , having announced the Cyber Resilience Act, with rules to ensure greater security, especially for Internet of Things (IoT) devices; the NIS2 Directive, which harmonises rules and widens the definition of essential services operators; and the Digital Operational Resilience Act, which focuses on the financial sector. In the US, the Biden administration is also planning to introduce rules in 2023.

The analysis and forecasts featured in this piece can be found in EIU’s Country Analysis service. This integrated solution provides unmatched global insights covering the political and economic outlook for nearly 200 countries, helping organisations identify prospective opportunities and potential risks.