The devastating conflict between Russia and Ukraine has seen an escalation in cyber warfare operations alongside the physical war. Designed to disrupt and disable critical systems, these efforts demonstrate how such online activities have become an integrated part of modern conflicts.
This development has led governments worldwide to reconsider their role in protecting citizens from the effects of cyber attacks. Some have issued strategies containing broad principles, while others emphasise practical steps that should be taken.
For example, the UK government released its Cyber Security Strategy. This document outlines how the country should meet the growing number of cyber threats experienced by its departments and agencies from now until 2030.
Meanwhile, the US government is taking a more focused approach. It recently released a presidential order that mandates all government agencies implement a zero-trust architecture.
These two different approaches prompt discussion about precisely what the role of government should be in cyber security, but it remains unclear where the line of demarcation sits between what should be done by governments and what should remain the private sector’s responsibility.
An ongoing battle
While events such as the war in Ukraine serve to focus attention on cyber warfare and its effects, it needs to be remembered that the threat is constant and growing. Moreover, cyber criminals have a broad range of motivations, from criminal gangs seeking financial rewards to states bent on using cyber warfare to cripple enemy infrastructure.
Cyber warfare is ongoing, borderless, invisible and causes damage in ways kinetic weapons cannot. For this reason, questions are being raised about whether reference points for traditional warfare map well onto cyber weaponry.
Another factor to consider is that the battlefield for cyber warfare can extend to anywhere the internet touches. It involves civilian and state actors, and civilian computers may unwittingly contribute to an attack, as recently highlighted by the US Cybersecurity and Infrastructure Security Agency.
The nature of this distributed threat means democratic governments do not control traffic, and the onus for cyber security therefore falls on many different groups. It makes sense, then, that governments play a role in defining minimum standards and policy frameworks, and that they lead with best practices to protect public assets.
National security and intelligence agencies also have a role in thwarting domestic cyber threats. Ultimately, while government agencies are already doing this, efforts need to be stepped up as the global nature of the threat requires intelligence sharing and the development of best practices among allies.
With incidents growing in type and scale, from distributed denial of service to voter interference and from attacks on critical infrastructure to data exfiltration, their ongoing adoption by state-backed actors is virtually guaranteed. Moreover, as attacks increase in sophistication and size, machine learning and AI will play an increasing role in both offensive and defensive operations.
Many companies try to insure themselves against these threats, but realistically this is fallible, reactive and short-sighted. The arms race between adversaries has reached a point where it is prudent to consider a different architecture to meet the threat collectively. That architecture is known as zero trust.
The role of zero trust
From the outset, it needs to be recognised that zero trust is not a silver bullet when battling cyber warfare. Even if it could offer complete protection, it would still take many years for all governments and private-sector organisations to overhaul their systems.
Also, while adopting a zero-trust architecture is a big step forward, it must be combined with the removal of legacy technology. Otherwise, it’s merely adding complexity rather than improving security.
The bottom line is that zero trust, with its granular, identity-based brokered access, is a realistic aspiration, and the tools needed to achieve it already exist. It can be adopted for users, devices and workloads in whatever environment they reside.
A zero-trust strategy is a journey, but it improves security posture and reduces the scope of attacks as it is being implemented. Rather than succumb to inertia, organisations should take the first step.
This is precisely where governments can help. They can legislate baseline requirements for themselves, companies and service providers in their sphere of control. What is not required is more government incursion or backdoors, as these are inevitably used for perceived or actual nefarious ends.
Zero trust can be a significant weapon in cyber warfare. By mapping out a strategy and following the required steps, both governments and companies can be best prepared for any future attacks.