How cybersecurity teams should prepare for geopolitical crisis spillover

Where the dynamics of spillover during strategic cyber operations differ is that utility can only be found in narrow windows during a crisis. As research illustrates, cyber operations are imperfect tools for controlling escalation via signaling. Scholars have argued that cyber operations are used to signal all the time, perhaps because there is little chance of them leading to escalation. Retaliatory offensive cyber capabilities are rarely “ready to go,” or even existent, at the time they are needed to react to a crisis. Even where they do exist, signaling requires such specificity in target and effects that their impact would be uncertain or limited without further development (which can take too long). Moreover, leaders tend to be concerned that the characteristics of cyber actions taken directly against foreign governments (i.e., they often seem arbitrary and blunt force) might invite a cross-domain response if targeted too assertively. A general unwillingness to use a non-cyber action where digital possibilities exist in some form makes cyber for cyber’s sake an unappealing prospect during a crisis.

The result is an appeal in hacking to control escalation, but only against low-value, symbolic targets in society and private industry, and only in limited windows of time. This second point is critical for cybersecurity teams, who would do well to be mindful of the temporality of geopolitical crises. Attacks on enterprise firms or civil society organizations by sophisticated cyber actors tend to come only around critical junctures. In particular, they occur during the opening days of a crisis, when strategic competitors attempt to define the scope of a situation, and at the point where conflict clearly evolves into a new phase, such as the weeks following the Battle of Kyiv in 2022, when pro-Russian cyberattacks that had been absent since the invasion picked back up. Outside those windows, spillover from signaling activities becomes less likely as meaningful crisis communication becomes more difficult.

Finally, though already a feature of recent geopolitical crises, the threat of swarming attacks on society and industry presents a unique challenge for security teams. In particular, attacks like those by pro-Ukrainian hackers on targets in Russian society since 2022, or by pro-Hamas hacktivists on Western firms this year, are united by a shared cause but otherwise appear to be poorly coordinated, if coordinated at all. Beyond assuming a performative attack logic, this makes preparation hard.

Where there does appear to be a thread of risk management utility is in a commonality across recent incidents: a pre-existing relationship between companies and their attackers. Groups like Molerats, Dark Storm, and Anonymous Sudan have each hit entities since the start of the Hamas-Israel conflict in 2022 that they had already established reputations for targeting. Few hackers change lanes, even during a crisis. There is much to be gained from using sociological representations of enterprise risk as a foundation for mapping the inclinations and mission profiles of potential crisis hackers.

Finding opportunities and applying the network mindset to geopolitical context

This decade’s threat of geopolitical spillover into cybersecurity is clear. What is also clear is that effective risk management and threat assessment require an active defense posture that links sociological profiling of threat variables to intelligence about possible threat actors. Unfortunately, similar planning also drives the Western adversaries likely to feature in future spillover events. It is easy to envision a future conflict involving, say, Iran, in which the Tehran regime directly leverages its network of proxy actors to hack according to pre-planned eventualities. In all cases, cybersecurity teams must persistently simulate and collaborate, with information sharing geared toward an adaptive defense posture that consistently tailors and re-tailors internal practices to shifting geopolitical conditions.

That said, security teams and the firms they protect would do well to remember that cyber spillover from a geopolitical crisis is typically the stuff of disruption, not catastrophe. Being pulled into a conflict defined by broad societal forces can allow companies to strengthen their image, so long as the association is not due to some scandalous statement. Following Russia’s invasion of Ukraine and the subsequent targeting of Western technology firms, for instance, companies like Meta dramatically improved their authority as neutral advocates for shared security principles by taking common-sense steps to respond to service disruption, leading the conversation about the situation’s technical aspects, and establishing ways to impartially shape the developing crisis (e.g., by supporting refugee funds). In short, geopolitical cybersecurity spillover need not be the random emergency that many envision; it is simply a set of risks that can be modeled, prepared for, and even turned into opportunity.