Steve Hill
Deputy Group CISO, Credit Suisse
The cyber dimension to the war in Ukraine has been a revelation. The presumption of offensive advantage and the old tropes (“when, not if…”) no longer convince.
The cybersecurity orthodoxy of the last decade has been of worsening threat trends. We have noted the growing capabilities, agility and ambition of cyber adversaries, whether governmental, criminal or activist. Scaremongering, always a viable sales tactic in the security industry, has been the norm.
Ukraine has highlighted another, equally important, trend. Cybersecurity professionals may not have discovered a magic bullet, a transformative new technology that will eliminate cyber risk, but they have incrementally learnt the right cocktail of measures. In aggregate, these have shifted the balance of advantage away from the bad guys. We have listened and learnt to recognise what good cybersecurity looks like. We understand how to invest sensibly in governance, awareness, and technologies to build a risk-based, data-driven multi-layered defensive approach.
Most importantly, a focus on cybersecurity has been supplanted by an emphasis on operational resilience. Prevention measures, which will never be unimportant, are increasingly complemented by investment in response and recovery.
The success of Ukrainian cybersecurity measures in preventing Russian offensive measures from playing a decisive role in the war offers some clear lessons beyond the importance of pervasive basic cyber hygiene, among the most compelling of which might be:
1. Strategic and tactical intelligence in guiding cybersecurity investment: the Ukrainian government understood their enemy, and clearly learnt from the lessons of the 2016 cyber attacks on their power infrastructure and the wider 2017 NotPetya wiper attacks; and then in 2022 companies such as Recorded Future quickly fed them actionable tactical intelligence.
2. Agility and innovation: the rapid switch to secure cloud data storage or the adoption of the Starlink network bolstered data and digital resilience.
3. Public-private partnerships: across commercial cloud providers and threat intelligence providers to Western government military and intelligence agencies.
4. Culture: the unification of all players behind a single well-understood purpose (perhaps the most important of all the above).
Our collective challenge is no longer one of grappling with various nuanced interpretations or frameworks around cybersecurity best practice. Nor of onboarding the latest and glitziest AI-powered technology. It is the challenge of execution.
The commitment to enhancing cybersecurity and resilience demonstrated by Ukraine (perhaps one might also point here to the banking industry, albeit this has been driven in no small part by regulatory pressure) needs to be extended across all our critical national infrastructures. We can no longer tolerate the happy fragility of the last few decades.
There will be more major incidents. The outcome will not be perfect. But the optimum direction of travel is now clear.
Read more insights from today's top cyber leaders in The Cyber Initiatives Magazine.
Steve Hill is the Deputy Group Chief Information Security Officer (Head of Strategy) at Credit Suisse. He was previously CISO for the Investment Bank and Americas; global head of Operational Resilience; and head of Technology, Cyber and Third Party Risk. Before joining Credit Suisse in 2017, Hill spent over thirty years in the UK Government, including a variety of national security roles at the Foreign and Commonwealth Office and as deputy director, with responsibility for aspects of UK Government cyber security policy, at the National Security Secretariat of the Cabinet Office. Steve is a visiting senior research fellow at the War Studies Department of King's College London.