In my last blog, I wrote about the growing risk of a proportional cyber response to state sanctions imposed on Russia and its leadership. Today, I'll be talking about the risks for the private sector organizations that have taken individual action against Russia. Before I dive in, I want to reaffirm that the invasion of Ukraine is an abhorrent act that has taken the lives of hundreds of civilians and displaced millions of people internally or as refugees. The choice to support Ukraine by Western governments and private companies is a moral and ethical one that weighs heavily on me and my fellow business leaders. It's also one that comes with the very real risk of proportional retaliation by Russia and its allies, both government and independent. It's that retaliation for which I want to make sure every organization is prepared.
(2) Uncoordinated Private Sector Sanctions
Just as world governments have levied sanctions against Russia, many multinational companies are cutting ties with Russia, using their influence with consumers to send a clear message to the Russian government through its people that the attack on Ukraine will not be tolerated. These uncoordinated private company sanctions are not inconsequential in impact or precedent. Participants span a variety of major industries including automobile manufacturing, energy, finance, logistics, technology, consumer goods, airlines, and entertainment.
While many of these companies will not meaningfully impact Russian operations, some will. Microsoft, whose technology plays a critical role in most public and private sector operations, has suspended new product sales to Russia. Energy companies like Shell, Exxon Mobil, Siemens Energy, have also pulled out, dealing a major blow to the Russian economy in which energy makes up more than 50-60% of exports and represents 30-40% of gross domestic product (depending on the definition of energy sector).
While the sanctions imposed by these private companies have not been coordinated, the response to these sanctions certainly will be. Russia's first targets may be the governments that have levied broad-scale economic sanctions, but the many Russia-affiliated cyber groups and Russian sympathizers have the tools and resources to go after these private organizations and do real and lasting harm. These attacks won't be aimed at encrypting files or exfiltrating data. The goal will be to inflict the maximum amount of damage—up to and including cyber extinction.
This means companies around the world have to meaningfully improve their defensive posture in anticipation of state-sponsored or state-sanctioned action. Just like many participating companies can impact Russian operations, those same companies play a significant role on the world stage. The time to prepare for a proportional response is now.
The good news is that government cybersecurity experts and agencies around the world have been quick in providing clear guidance to private companies. I strongly encourage business leaders to carefully read the technical and operational recommendations made by agencies like the U.S. Cybersecurity and Infrastructure Security Agency, the UK National Cyber Security Centre, the Australian Cyber Security Centre, and ENISA. You can read more about that guidance, and get recommendations for implementation here.
In the next blog, I'll delve into the crowdsourced cyber response on both sides, its immediate implications for organizations, and its long-term implications for the future of cyberwarfare.