In the Rising Tide of State-Sponsored Cyber-Attacks We Need More Than ‘Cyber Security’ Strategies
As we move deeper into the 21st century, the digital battlefield is becoming more complex and perilous, particularly for Western nations. The recent surge in state-sponsored cyber-attacks, notably from nations like Russia and North Korea, necessitates a re-evaluation of our cybersecurity strategies. These threats extend beyond data breaches, striking at the heart of national security and public safety. The September 2022 cyber-attack on telco Optus, which compromised the data of over 10 million customers, serves as a stark reminder of this prevailing danger.
Understanding the Geopolitical Landscape
The geopolitical climate is increasingly volatile, and foreign actors are leveraging cyber operations to exert influence and destabilise adversaries. A case in point is the recent cyber-attack on multiple U.S. critical infrastructure sites by PRC state-sponsored hackers known as ‘Volt Typhoon’. These acts are not merely aggressive and calculated to exploit vulnerabilities in critical infrastructure (CI); they are also intended to have deep, destabilising psychological consequences on the population.
State-sponsored entities often collaborate with criminal actors, using ransomware or other attacks to achieve financial and ideological goals simultaneously. As noted by ASIO in its recent announcement, the rise of domestic and socio-political extremism adds another layer of complexity. Australia's terrorism threat level, assessed as probable, underscores the urgent need for proactive risk management by organisations at risk of being targeted. This volatile environment has significant implications, including the potential for politically motivated violence and insider threats to critical systems and to critical infrastructure (CI) in particular.
Critical Infrastructure and Insider Threat
The Security of Critical Infrastructure (SOCI) Act reinforces the importance of safeguarding CI assets. A critical part of this legislation is the obligation for entities to identify and secure "critical workers", those whose absence or compromise could jeopardise critical systems. We must strengthen our processes and systems to minimise risks from malicious or negligent personnel, including during offboarding processes.
The human factor remains a significant vulnerability in cybersecurity. State-aligned actors may exploit insiders with access to vital systems, posing a severe risk. As organisations grapple with these challenges, a robust Insider Threat Program (ITP) becomes essential, encompassing:
A Refocused Strategy
Traditional cybersecurity approaches alone cannot address the complexities of modern threats. The convergence of state actors and criminal entities necessitates a shift to more adaptive, agile strategies. Public-private partnerships are vital in this effort. Collaboration between government entities and private organisations enables intelligence sharing, better defensive measures, and the development of resilient infrastructure.
Behavioural Change in Cybersecurity: Applying the FBI’s Model
To tackle the growing complexity of state-sponsored cyber-attacks, organisations must focus not only on technical defences but also on building trust and understanding among their personnel. Just as FBI hostage negotiators use the Behavioural Change Stairway Model (BCSM) to gain rapport and influence the behaviour of a hostage-taker, organisations need to adopt a similar approach to managing cybersecurity and insider threats. The model’s five key stages—active listening, empathy, rapport building, influence, and behavioural change—parallel the process of cultivating a resilient cybersecurity culture within an organisation.
In the context of managing insider threats, the progression through these stages can be mirrored in an organisation’s efforts to build stronger relationships with employees, ensuring they are trusted, heard, and fully engaged in cybersecurity efforts. Just as a hostage negotiator starts with listening and empathy, cybersecurity experts must listen actively to employees' concerns and create an environment where mutual understanding fosters cooperation. As rapport is built, influence becomes a tool for guiding employees to adopt safer practices, ultimately leading to a shift in behaviour that minimises vulnerabilities.
A Look Ahead
The Disaster Recovery Institute International’s Predictions Report: Resilience Predictions for the Profession by the Profession foresees 2025 as a year with challenges in political change, societal polarisation, global conflicts, technological advances, immigration, and economic turbulence. This uncertainty highlights the urgency of fostering a culture of resilience.
State-sponsored cyber-attacks will only intensify as geopolitical tensions rise and technological advancements accelerate. The SOCI Act's critical worker provisions and ASIO's warnings about the rise of extremist ideologies are crucial reminders that cybersecurity is not merely a technical challenge—it’s a social and personal one.
Could Your Team Handle This?
It’s 2:37 AM at a major city’s water treatment plant. All seems normal—automated systems run smoothly, and the night shift staff are conducting checks.
But a senior technician, passed over for a promotion, has become frustrated and withdrawn. Unbeknownst to his team, he’s been communicating with a foreign actor offering money for "harmless" system access.
Tonight, the technician installs a USB drive into the SCADA system, allowing the foreign actor a backdoor into the network. At 2:40 AM, an alert is triggered—water pressure fluctuates, and chemical levels drift dangerously. The crew scrambles but is locked out. Security cameras go offline. Meanwhile, the technician watches as chaos unfolds.
A ransomware message appears: "Your system is ours. Follow our instructions, or the city’s water supply will be compromised."
What Happens Next?
Cybersecurity isn’t just a tech issue—it’s a human one. Would your organisation be prepared?
Cybersecurity is about resilience, trust, and enabling organisations to focus on their core activities without disruption. At Providence Consulting, our mission is to safeguard the integrity of our clients’ operations. This means fostering resilience through proactive measures such as yearly testing of systems, implementing third-party training programs, and adapting to evolving threats.
The time to act is now. By embracing innovation, fostering collaboration, and applying a holistic approach to cybersecurity, we can better prepare for the challenges of an evolving digital landscape. Together, we can ensure that our organisations not only survive but thrive in an era of heightened uncertainty.