We often speak to clients who want to understand how their geographic presence affects their cyber threat profile. We frequently get asked questions like: “What is the ‘cyber threat level’ in Country A or B?” or “We have an operating presence in Country C – does that make us a higher profile target for malicious cyber activity?”
Often, these questions may be driven by the fact that cyber security is seen through the same lens as other operational risks that businesses have traditionally faced. These might include physical threats such as terrorism or political violence; political risks such as expropriation of assets; or government credit risks.
These types of threats are in many ways easy to align by geographical exposure as they are frequently driven by specific local or national issues, such as socioeconomic tensions or political events. Indeed, our clients’ business functions may themselves often operate on a national model, with country-level management in place. With that in mind, asking the question of country-specific cyber threats becomes understandable from an operational perspective.
Undoubtedly, geography can have an effect on an organisation’s cyber threat profile. For example, operating in the critical national infrastructure of a foreign country with a high level of state involvement could make an organisation a strategically attractive target for espionage activity. Another contributing factor could be joint business relations with a state-owned entity, leading to increased scrutiny in the form of cyber espionage campaigns. Alternatively, having operations in a specific country could make an organisation a target for hacktivist activity if that country were exposed to negative news or accused of autocratic or anti-democratic actions. Political tensions between two countries could result in ‘proxy’ targeting of associated entities or ‘tit for tat’ activities.
Cyber security considerations, however, don’t necessarily fall into the same country-specific silos as other types of operational or business risk.
Many of the sophisticated threat actors we track – particularly those motivated by espionage and therefore seeking access to sensitive or confidential information – often look for the easiest way into an organisation’s network, rather than targeting a specific country per se. This means that whilst the initial vector may target a specific access point, the actual target is a wider network or system further along the chain.
Cyber threats should therefore certainly be treated as being more ‘geographically agnostic’ than other risks that a business is also likely to be tracking. One example of this in action was the 2017 NotPetya destructive wiperware campaign: initially, the major impact was on one specific country – Ukraine. However, the malware was soon seriously affecting global networks well beyond this initial infection zone. NotPetya clearly illustrates that cyber threats are in no way geographically bound in the way that other operational considerations may well be.
It is also important to bear in mind that a campaign targeting a particular country today will not necessarily be doing so in the next two months – or indeed, the next two days. Targeting may be constantly evolving, depending on tasking priorities.
Having an operational presence in some countries will undoubtedly affect your organisation’s cyber threat profile. However, it is important to recognise that cyber threats frequently do not manifest in the same way as other operational risks that are much more specific to a single geography. Viewing cyber security purely through the same geographic lens as that used for monitoring other operational risks does not allow for nuance in tracking threat actors that are motivated not by geography but by myriad other – often complex – factors.