Editor’s note: Global Atlanta caught up with Justin Daniels, a shareholder at Baker Donelson in Atlanta and an expert on data privacy and cybersecurity, to help understand how the coming onslaught of Russian cyber attacks and Ukrainian counterattacks could catch companies in the crossfire — and what the U.S. should do about it at the national level.
Global Atlanta: You have said that the situation in Ukraine shows the need for constant cyber diligence by companies. What do you mean by that?
Justin Daniels: The Ukraine conflict is the first in Europe where cyber risk is a paramount political, economic and social consideration in foreign and domestic policy. Given how reliant the Western world has become on data and technology, the risk of asymmetric retaliation in cyberspace complicates our response to Russian aggression. Cyber hacks can do significant damage at a fraction of the cost of building and deploying a nuclear weapon, and while the cyber community is united with “shields up” this week in the face of Russia’s Ukraine invasion, it’s unclear how firm our resolve will be six or 12 months from now. The big question is whether the Ukraine war will become an inflection point for how we approach this challenge globally.
Global Atlanta: Obviously there is a constant state of preparedness firms should have, but what acute threats might spill over from Russia’s onslaught against Ukraine?
Mr. Daniels: Russia has two capabilities that can greatly impact the U.S. and other countries. One is the capability to engage in cyber hacks to our critical infrastructure, with the electrical grid, health care facilities and our financial system being of primary concern. Another is weaponizing social media to sow disinformation and fear, a tack it has already taken in the Ukraine war.
If Russia feels significantly threatened by NATO or the U.S., it’s unlikely to launch bombers at New York City. Instead, it could deploy a cyber hack against our grid, harming a wide group of people while retaining plausible deniability that it was even responsible at the nation-state level – all without entering U.S. airspace. That was not the case 40 years ago. Times, however, have changed, and in this case we are more vulnerable than ever.
Given how important the private sector has become to both the defense establishment and the provision of services in this country — should there be a renewed push for cyber readiness at the national level? How should we invest in cybersecurity as a critical piece of our defense infrastructure?
What do drones, autonomous vehicles and non-fungible tokens share in common? They all have significant cyber risk that is not addressed in their design. At the same time, the risks of ransomware (just ask the Colonial Pipeline) and data breaches have become acutely more severe, and none of these fast-growing industries will be immune from the onslaught.
Governments must move more quickly on addressing 21st-century threats, and a good place to start is greater public investment in cybersecurity, both in disseminating the knowhow to protect digital assets as well as hardware and software. The American Rescue Plan Act is a $350 Billion allocation of money to the public sector, similar to the Paycheck Protection Program for businesses but aimed at city, county and state governments. Clearly, cyber investments fit the bill, but the question remains: Will leaders across the country make expedient choices with these funds, or make a meaningful down payment on cyber defense?
We know that the best time to do a cybersecurity assessment is yesterday, but if you’re a company that finds itself unprepared, what can you do now? Are small companies more or less likely to find themselves targeted?
Even in 2022, I still find companies that have not implemented multi-factor authentication for their entire workforce. That is the simplest, most cost-effective thing you can do to enhance cyber preparedness. But we need to think about this more broadly across industrial value chains.
Take the financial services industry, which already experiences significant losses due to fraud: Since 2017, I have asked banks why they do not require borrowers taking out large loans to implement basic cyber hygiene. They raise their eyebrows with amused interest, but nothing happens. The reality is that they’re unlikely to make moves they perceive as putting them as a competitive disadvantage in the marketplace until they react to a hack that causes one of their borrowers to default on its loan.
[pullquote]If we learn one thing from this Ukrainian conflict, it should be that cybersecurity is the 21st-century digital seat belt for both our country and its companies.[/pullquote]
Are we really so shortsighted at the firm level in 2022? You would think that this would be table stakes at this point.
Do you remember growing up and your parents did not wear seat belts in cars? Now buckling up is one of the first things you do when you get in your car. What happened? We became more educated on the safety benefits of seat belts, and laws required their use.
If we learn one thing from this Ukrainian conflict, it should be that cybersecurity is the 21st-century digital seat belt for both our country and its companies.
Atlanta International School is the presenting sponsor of Global Atlanta's Technology Channel. Subscribe here for monthly Tech newsletters.