VS: There have been some notable attacks over the years, such as NotPetya, in which attacks perpetrated by state-sponsored actors spill over and affect corporates as collateral damage. What is your view on this development, and what can you say about different state actors around the world?
PJ: NotPetya was a somewhat arbitrary attack. It was the Russian military intelligence agency, the GRU, that was behind the NotPetya attack, aiming to disrupt Ukraine. The GRU as an organisation is a kind of cowboy operation that shoots first and asks questions later. Operational security is not high on its agenda. Everyone is probably familiar with the poisonings it has been behind. On several occasions, these have been traceable back to the GRU, simply because it is not very careful about covering its tracks and does not really care about collateral damage. The rest of the world was collateral damage from the NotPetya attack. It was not Russia's specific intention for this to be the case, but the country simply did not care. NotPetya is particularly fascinating because the vulnerability exploited was stolen from the US National Security Agency by some other Russians, so it was unusually potent attack code that they had found, which made the attack spread so widely across the world.
But, we have not seen many other attacks of this type, as it is typically not the goal of state actors to aimlessly wreak global havoc. Instead, we have lately seen much more from cybercriminals. Previously, there was a lot of focus on cryptocurrency mining, but it turned out to be much more lucrative to extort companies, and this rapidly gained momentum in criminal organisations. The inherent characteristic of a ransomware attack is that the attackers have to make themselves known to the victim. They cannot sneak around – victims must know that they have to pay. It is a failed ransomware attack if the victim is not aware of it. When it comes to espionage, on the other hand, it is precisely the opposite. You want to stay unnoticed. A very large attack that occurred was the SolarWinds attack, which was carried out by the Russian civilian foreign intelligence agency, the SVR. It was a very advanced attack. China carried out a similar attack, CloudHopper, which was incredibly advanced. Both of these attacks provided access to a massive number of organisations, where the attackers could dig around collecting information. But, we do not know what they got hold of, since in this case they tried to hide their tracks.
Then, there are the state actors that actually try to create chaos. China does not generally have that ambition. It has other geopolitical goals. The country is most interested in spying, not least industrial espionage. North Korea, on the other hand, wants to steal money, targeting crypto exchanges and the like. North Korea is a very unpredictable actor, and what it does is not easy to figure out. The country used to be more interested in destabilisation, but nowadays is more concerned with making money. It is the only state we know of that is primarily a criminal actor. Iran is mostly interested in spying, especially in Sweden, where it is keenly interested in its own expatriates.
Then, there is Russia. Russia carried out one of the most eye-opening attacks ever when it targeted the US presidential elections in 2016. The country tried to hide it, but was ultimately discovered. Many believe that Russia, as an offensive cyber organisation, tries to gain access to various systems but not necessarily exploit that access in times when there is no war – instead saving it for when the need arises. We know, for example, that Russia has been rooting around inside US power systems and that it has had the opportunity to shut down parts of the power grid, but has chosen not to do so at this specific time.
China is far more powerful than Russia in many ways. So, if China decided to destabilise the Western world, it would have a greater chance to do so. This could mean destabilising the financial system or going after companies, similar to NotPetya. I think China will continue to spy and avoid destabilisation until the security situation deteriorates further, which we hope it does not. Taiwan could be one such trigger.
But, as to Russia, many wonder why it has performed so poorly in the war against Ukraine – across all domains – on land, in the air, at sea and even in cyber. There are many reasons for this. Ukraine has proven to be more resilient than anticipated and has received a lot of help from the Western world. The US has a policy called "Defend Forward," which involves sending out its Cyber Command to other countries and helping those countries disrupt their opponents. It is a rather offensive form of defence. Exactly what it means in practice is not entirely clear, but it may be the type of support that makes it difficult for Russia to achieve what we fear it could achieve.
The same goes for intelligence support from the Western world. But, when it comes to conventional military force, a cyberattack is not necessarily the best way to destroy something. Russia's cyberattacks did initially have some spectacularly terrible repercussions, knocking out satellite communication systems to disrupt Ukraine's defence forces. Russia did this in a well-planned way, synchronised with its conventional forces. But, once it is in there, instead of knocking out the power grid through cyberattacks, it can rain missiles down on power stations, which is something it is doing now and could explain why we do not see as much on the cyber front from Russia as we might have expected. I believe that as the situation in Ukraine evolves, Russia's priorities may change. It may find that its cyber capabilities are not the most useful in Ukraine, and they may be redirected to areas where grey-zone warfare and asymmetric methods work best – typically towards the Western world. There is certainly a good chance that Russia is focusing more on the West with its cyber capabilities.
VS: In your experience, or if you were to guess, are companies, governments or other organisations focusing enough on cybersecurity issues? Have they realised the importance of it or is there still work to be done to raise awareness?
PJ: Unfortunately, there is still a lot to do in the field of cybersecurity. As previously mentioned, Sweden is not at the forefront, but even the countries that are have a significant technical debt. There is an argument that could be made that we have digitalised too quickly, which has created very vulnerable systems. In the long run, we will not solve this problem unless system administrators and developers, as mentioned earlier, have better tools that enable them to build secure systems. A company such as Microsoft will not be able to build more secure systems just by being smart or throwing more money at the problem. It needs better tools – tools that we do not have today. Tools that make it harder to make mistakes. Better programming languages, operating systems, analytical tools, development tools, administration tools. It takes decades to develop such things, and even if we do, this is shrouded in uncertainty, in terms of whether we will catch up with the threats, which are also evolving. But, there is no other way forward for us than to try to achieve a situation where we can build much more secure systems. For as long as we are vulnerable, cyberattacks will be a massive issue.
My prognosis is that we will have to live with this uncertainty for several decades – at best. In the worst case, it will be longer than that. Given that we have so many vulnerabilities in our systems, we need to manage them. There is a serious shortage of qualified people, at present, and we need to educate many more. This requires a lot of effort from the education sector, and we need new initiatives, such as Cybercampus Sweden, specifically to address that question.
In the short term, we need to focus on what is called cyber hygiene and incident management, which is about not having weak passwords, updating systems, making backups, and other actions that everyone knows they should do but, for various reasons, do not put enough effort into doing. I do not think it is irrational to prioritise cybersecurity. Yet, it can be difficult to do so in practice. Take the regional councils in Sweden, for example. They have to choose between investing their money in better IT systems, in new medical equipment, or in increased staff to reduce waiting times. They want to help the patients. As long as they do not see cybersecurity vulnerabilities as a direct threat, it can be difficult to prioritise them.
The degree of awareness towards cybersecurity varies widely across sectors. The banking sector is a great success story when it comes to cybersecurity. It has been digitalised for a very long time and has large value to protect. The sector has had to deal with these problems for a long period and is actually doing so quite well. Then, there are other sectors, such as our public-sector municipalities, that have not yet done the same legwork in addressing cybersecurity. Even so, awareness is on the rise everywhere, as is the importance of tackling cybersecurity-related issues.
VS: Being mindful of the fact that cybersecurity is a very broad field and that there are many aspects of which to be aware, do you have any concrete tips that you would emphasise for corporates or private individuals?
PJ: It's very easy. You Google the top three best things to do to secure your cybersecurity. Then you get the same list from a thousand different sources. Review passwords, make backups, update systems and do not assign unnecessary permissions to people. The Swedish National Cyber Security Centre released a report one or two years ago that contains just such a list of the top ten pointers to refer to. But, it is very well known within society what needs to be done in the short term. Even for private individuals, it is a matter of assessing "what is the risk that I will be hacked" – just me as a private person. The fact that private individuals need to care about cybersecurity is a testament to the failure of us as IT people, in that we have built systems that are so insecure that even the end user must keep track of hundreds of different passwords or use the same password in lots of different places – which you should not do. But this is natural, of course, if we are not conditioned to care about cybersecurity as we should.