How cybersecurity teams should prepare for geopolitical crisis spillover

From Russia’s invasion of Ukraine to Hamas’s recent assault on Israel, it’s difficult to deny that geopolitical crises come with diversifying cybersecurity footprints. In Ukraine, early digital Russian actions in support of the invasion struck not just government targets, but also satellite operators, media firms, and manufacturing companies. Over nearly two years, the cyber dimensions of the war have involved dozens of civilian and state-backed hacking entities and an attack surface constituted of all areas of civil society on both sides. With the Israel-Hamas conflict, dozens of pro-Hamas and pro-Iranian threat actors have attacked targets as diverse as news agencies, commercial retailers, and social media companies.

This trend of pulling private-sector entities and civil society organizations into crises is likely to continue. In any conflict over Taiwan, in the Korean Peninsula, or linked to Iranian interests elsewhere in the Middle East, for instance, the scope of engagement would undoubtedly include private-sector aggression as a means of exerting pressure beyond direct diplomacy or military dispute.

Awareness of the rising risk of being drawn into geopolitical quagmires is not enough for cybersecurity teams that want to manage their risk and exposure effectively. In recent crises surrounding Ukraine, Israel, or Nagorno-Karabakh, the targeting of private and civil society entities has often seemed counter-intuitive, disjointed, or downright arbitrary. What determines the likelihood of a water utility being targeted versus a media organization or a university? When should security teams do more during a crisis than simply raise their alert posture in the aggregate?

A framework that links the utility of crisis hacking to an organization’s risk profile allows for better assessment of situational risk. Some entities are vulnerable because of who their products serve; others carry greater symbolic liabilities. Seemingly arbitrary targeting of commercial enterprises is usually far from random: it is driven by convenience, with threat actors swarming victims they are already aware of. Cybersecurity preparedness now requires geopolitical sensibilities to match the infrastructural and market perspectives that typically drive digital security planning.

Geopolitical crisis: When do enterprise and civil society actors get hit?

Key to understanding risk for enterprises and civil organizations during a geopolitical crisis is understanding the belligerents’ operational and strategic benefits. Geopolitical attacks fall into one of four categories: degradation, performative, signaling, and swarming.

Degradation attacks

Some private firms are hacked during conflict because they are tied to the actions of a combatant. Strategically, such attacks are purely about degradation, by far the simplest situation for risk managers to model. It most often involves entities that might be called semi-state actors, which directly support the capabilities of a belligerent. The Russian attempt to degrade Ukrainian national security capabilities in February 2022 by hacking Viasat, the satellite telecommunications provider Kyiv’s armed forces relied on, is a clear example.

Performative attacks

The type of spillover attack that most security teams will be familiar with is the performative attack, where firms, products, and individuals linked to private enterprise are targeted because of their symbolic tie to a conflict. Performative attacks are also the form of cyber engagement most feared by cybersecurity teams, despite their often being simple exercises in disruption (i.e., DDoS or site vandalism). The targeting can appear arbitrary, the demands irrational or deceptive, and the off-ramps less about cybersecurity and more about sensitive political or public relations optics.

Though not tied to a crisis, the now-famous 2014 attack on Sony Pictures by the hacking group Guardians of Peace – deemed by the US government to be an alias for North Korea’s Lazarus Group – is a prime example of performative engagement of a non-state entity. For weeks, compromised data regarding company activities, personnel, and creative projects was used to coerce the firm into a series of embarrassing admissions, culminating in the forced withdrawal – temporarily – of a movie about the assassination of North Korea’s Dear Leader. Only when federal involvement and media attention surged in support of Sony did the cybersecurity threat diminish.

Signal attacks

Things now only get more complex. Ask an international relations professional why civilian and enterprise actors might be drawn into geopolitical crises and they would likely point out that both degradative and performative attacks often aren’t as tactical as they might appear (i.e., “X company is hacked because they make statements in support of Y party” or “A firm was targeted because they provide intelligence infrastructure support to B government”). Instead, they would likely note that national governments have for some years been using cyberspace as a strategic resource to signal their intentions.

Cyberspace is a domain with distinct logics of engagement. Because interaction is not physical, opportunities for escalation are limited. This same dynamic also makes signaling difficult, though not impossible. One must be nuanced and quick enough in the execution. The result is an appealing resource for states seeking to control escalation during crisis and perhaps even create off-ramps toward de-escalation. As strategic planners in the West see it, using cyber means to hack opposition targets during crisis – including and, because avoiding escalation is key, perhaps especially non-government/military targets – works under three conditions:

  1. Cyber operations are often useful alternatives to kinetic ones. If an attack of sufficient digital scale and impact can be mustered, it can provide a means for a proportionate tit-for-tat response without risking physical death or damage.
  2. Cyberattacks can accomplish the same effect if they are used to amplify the effects of another technique, such as taking down a sensor facility briefly to enable precision air strikes that avoid collateral damage (à la 2007’s Operation Orchard).
  3. Cyberattacks often give democratic leaders a dual-use benefit insofar as foreign adversaries likely don’t see digital attacks as overly threatening but – as research tells us – domestic publics consider them to be strong statements of resolve. It’s easy to see the value in appearing strong at home but not overly assertive abroad.

The result is a capacity for massaging crisis so long as sufficient precision, visibility, and credibility in the signals being sent to one’s adversaries can be crafted. That often means picking non-state targets that are highly visible, where disruption will be impactful but irreversible, and where an attack is not expected. Enterprise entities and civil organizations fit the bill.

Swarming attacks

Recent geopolitical crises have seen a relatively novel addition to operational and strategic characteristics of conflict spillover: swarming attacks. In the recent case of Hamas’s attack on Israel, civilian hacking entities and proxies for countries like Iran, Israel, Syria, and Russia have hit private firms, media entities, and state digital infrastructure alike. It is the volume of sudden activity that is most distinct, as many of the attacks since October 7 have been highly unsophisticated (and, by recent reports, highly uncoordinated).

How can security teams gauge geopolitical crisis risk?

It is one thing to understand why geopolitical spillover impacts private enterprise but another to be able to assign any kind of probability to that risk. Fortunately, research on global cyber conflict and enterprise cybersecurity provides a reasonable starting point for dealing with this uncertainty. Scholars and policy commentators are interested in linking the realities of cyber operations to situational risk profiles, particularly for non-degradation threats, for which traditional security assessment processes tend to be sufficient.

Performative attacks come with perhaps the most obvious set of threat indicators. Companies that are “named and shamed” during geopolitical crisis moments tend to have one of two characteristics. First, their symbolic profile is constitutionally indivisible in the context of the current conflict. This means that a firm, through its statements, actions, or products, clearly underwrites one side in the conflict. Media organizations that consistently toe a national line, such as Russia’s Pravda, are an example of this, but so are firms with leaders or major stakeholders belonging to ethnic, religious, or linguistic backgrounds pertinent to a crisis (e.g., Sheldon Adelson, whose casino was famously hacked by Iran in 2014).

Second, companies often self-associate with conflict by means of company or personal statements. The solution is one that more firms have been embracing in recent years: the incorporation of sociological risk metrics into cybersecurity planning.

Cybersecurity spillover born of state-based efforts to strategically signal begins with dynamics similar to those of one-shot performative activities. Simply put, using cyberspace to signal to a competitor is about identifying and impacting entities perceived to be centers of gravity for the geopolitical crisis. While this is occasionally a national government element, avoiding escalation dictates avoiding military or similar targets. Then, the need to signal intention via the characteristics of an attack alone dictates maximizing the situational relevance of a target.

Where the dynamics of spillover during strategic cyber operations differ is that utility can only be found in narrow windows during a crisis. As research illustrates, cyber operations are imperfect tools for controlling escalation via signaling. Scholars have argued that cyber operations are used to signal all the time, perhaps because there is little chance of them leading to escalation. Retaliatory cyber offensive capabilities are rarely “ready to go,” or even existent, at the time they are needed to react to a crisis. Even where they do exist, signaling requires such specificity in target and effects that their impact would be uncertain or limited without further development (which can take too long). Moreover, leaders tend to be concerned that the characteristics of cyber actions directly against foreign governments (i.e., they often seem arbitrary and blunt-force) might invite a cross-domain response if targeted too assertively. A general unwillingness to use a non-cyber action where digital possibilities exist in some form makes cyber for cyber’s sake an unappealing prospect during a crisis.

The result is an appeal in hacking to control escalation, but only against low-value, symbolic targets in society and private industry, and only in limited windows of time. This second point is critical for cybersecurity teams, who would do well to be mindful of the temporality of geopolitical crises. Attacks on enterprise firms or civil society organizations by sophisticated cyber actors tend to come only around critical junctures. In particular, they occur during the opening days of a crisis, when strategic competitors attempt to define the scope of a situation, and at the point where conflict clearly evolves into a new phase, such as the weeks following the Battle of Kyiv in 2022, when pro-Russian cyberattacks absent since the invasion picked back up. Otherwise, the likelihood of spillover from signaling activities falls in inverse proportion to the rising difficulty of meaningful crisis communication.

Finally, though a feature of recent geopolitical crises, the threat of potential swarming attacks on society and industry presents a unique challenge for security teams. In particular, attacks like those by pro-Ukrainian hackers on Russian societal targets since 2022 or by pro-Hamas hacktivists on Western firms this year are united by a shared cause but otherwise seem to be poorly coordinated or not coordinated at all. Beyond assuming a performative attack logic, this makes preparation hard.

Where there does appear to be a thread of risk management utility is in a commonality across recent incidents: a pre-existing relationship between companies and attackers. Groups like Molerats, Dark Storm, and Anonymous Sudan have each, since the start of the Hamas-Israel conflict in 2022, hit entities they already had established reputations for targeting. Few hackers change lanes, even during a crisis. There is much to be gained from using sociological representations of enterprise risk as a foundation for mapping the inclinations and mission profiles of potential crisis hackers.

Finding opportunities and applying the network mindset to geopolitical context

This decade’s threat of cybersecurity spillover from geopolitical crises is clear. What’s also clear is that effective risk management and threat assessment mean an active defense posture that links sociological profiling of threat variables to intelligence about possible threat actors. Unfortunately, similar planning also drives the Western adversaries likely to feature in future spillover events. It is easy to envision a future conflict involving, say, Iran, in which the Tehran regime directly leverages its network of proxy actors to hack based on pre-planned eventualities. In all cases, cybersecurity teams must persistently simulate and collaborate through information sharing geared toward an adaptive defense posture, one that consistently tailors and re-tailors internal practices to shifting geopolitical conditions.

That said, security teams and the firms they protect would do well to remember that cyber spillover from geopolitical crisis is typically the stuff of disruption, not catastrophe. Being pulled into conflict defined by broad societal forces can allow companies to strengthen their image, so long as the association is not due to some scandalous statement. Following Russia’s invasion of Ukraine and subsequent targeting of Western technology firms, for instance, companies like Meta dramatically improved their authority as neutral advocates for shared security principles by taking common-sense steps to respond to service disruption, leading conversation about the situation’s technical aspects, and establishing ways to impartially shape the developing crisis (e.g., by supporting refugee funds). In short, geopolitical cybersecurity spillover need not be the random emergency that many envision; it is simply a set of risks that can be modeled, prepared for, and even turned into opportunity.
