State-of-Play

The Baltic Sea Region is the frontline in cyberwarfare, but the outlook is not favorable: ubiquitous connectivity and the Internet of Things are compounding surface area exposure; inadequate cybersecurity measures are leaving an increasing number of companies open to considerable risk; small and medium-sized organizations especially struggle to keep their defenses up; and insurance companies are less willing to provide coverage against cyberattacks. The region remains slow to adopt global policies, as illustrated by delays in implementing amendments to the International Safety Management (ISM) and International Ship and Port Facility Safety (ISPS) codes.

The SECMAR consortium, tasked with advancing secure digitalization for sustainable blue economies, issued a foresight report on cybersecurity for executives and policymakers. The remainder of this column summarizes the emerging attacker enablers, defender trends, and recommendations for companies, policymakers, and industry. The column can be used by executives and policymakers as a starting point for a discussion with cybersecurity professionals to determine the status of protections.

Attacker Enablers

Cyberattackers have easy access to a wide variety of weaponized software and new techniques such as prompt injections, developer mode exploits, neural network translators, evasions, deepfakes, adversarial AI, and LLM-supported malicious code generation and attack vector discovery. Improving anonymity and untraceability are lowering the risks for attackers who are organizing across increasingly fluid networks. Skill specialization, such as vulnerability brokers, is improving criminal productivity and knowledge sharing. Major culprits still include the unsanitized USB flash drive and the transmitter inside a gifted ballpoint pen, but new modes of delivery are expected.

Defender Trends

Cyberdefense improvements include enhanced system design, business continuity planning and cyberwargame simulations (digital and tabletop), AI-enabled bug-hunting and threat detection, and improved incident reporting protocols. Cyberdefense firms are increasingly specializing, and more SMEs are completely outsourcing their IT departments while larger organizations are investing more time, energy, and resources into information campaigns to change user attitudes.

Recommendations for Companies

  1. Prioritize cybersecurity from the onset—first protect, then connect.
  2. Implement effective controls like banning personal electronics.
  3. Shift to a “whitelist” approach of approved cybersecurity practices.
  4. Ensure cybersecurity training and certifications are up to date for personnel.
  5. Large corporations should extend cybersecurity assistance to smaller suppliers.
  6. Regularly audit systems for compliance with international standards.

Recommendations for Policymakers

  1. Mandate real-time sharing of cyber threat intelligence across industries.
  2. Support standardization of cybersecurity measures.
  3. Promote cross-border forums to accelerate policy implementation and enforcement.
  4. Invest in cybersecurity education and international competitions to boost talent pools.
  5. Geofence critical infrastructure, including ships, to prevent unauthorized access.
  6. If necessary, create legislation that penalizes non-compliance.

Recommendations for Industry

  1. Improve tokenization and authentication across connected systems.
  2. Enhance encryption protocols and phase out legacy communication systems.
  3. Segment critical infrastructure to reduce the impact of potential breaches.
  4. Cultivate a culture of cybersecurity awareness among the ecosystem partners.

Conclusion

When an attack does occur, the prognosis is clear: disruption leads to crisis, which leads to panic. The key to avoiding the fallout lies in proactive measures, including adopting a unified approach to cybersecurity, enhancing communication and collaboration between stakeholders, and fostering continuous improvement across all fronts. The lists provided above are never exhaustive, as each point has numerous sub-points that will not fit this column. And these recommendations are already out of date by the time you read this because threats are forever evolving. But let them serve as a reminder, and use them to check in on your cybersecurity. As Robert Mueller (former Director of the FBI) reminds us, “[t]here are only two types of companies: Those that have been hacked and those that will be hacked.”

I would like to thank SECMAR’s Lawrence Henesey, Giovanni Di Noto, Shaun Reardon, and Stefan Ivarsson for their valuable feedback and insightful comments on earlier versions of this column.

Matthew J. Spaniol
Assistant Professor of Strategic Foresight
Department of People and Technology
Roskilde University
Denmark
