Does your enterprise actually perceive its dependencies, and find out how to mitigate the dangers posed by an assault on them?
12 Aug 2025
•
,
4 min. learn
A panel dialogue at DEF CON 33 final week, titled “Adversaries at warfare: Techniques, applied sciences, and classes from trendy battlefields”, supplied a number of thought-provoking factors, in addition to a transparent takeaway: whereas digital ways equivalent to misinformation and affect campaigns are helpful in trendy battle, they don’t seem to be going to win a warfare. That’s as a result of when bombs begin dropping and the bodily components of warfare are below means, the misinformation spreading by way of digital channels turns into much less necessary. Understandably, the victims of battle and people displaced have extra pressing priorities: meals, shelter and staying alive.
Turning the dialog as to if a warfare might be received utilizing cyberattacks and digital disruption, there was additionally settlement among the many panelists that cyberattacks create short-term injury, whereas a bomb touchdown on one thing is a simpler and lasting technique of destruction.
The assaults in opposition to vital infrastructure in Ukraine probably affirm this: Russia-aligned actors have launched quite a few cyberattacks in opposition to the nation’s energy grid, leading to short-term disruptions as techniques could be rebuilt and made operational once more in a comparatively quick time period. In the meantime, a bomb touchdown on an influence facility is prone to trigger long-term injury and limitation of service that would take months or years to revive. The large-picture conclusion on this a part of the panel dialogue is {that a} warfare can’t be received by cyber alone – it nonetheless must be received on the bodily battlefield.
Cyber and bodily safety
The dialogue then advanced to how cyber impacts the bodily. One panelist made the remark to the impact that “a military can’t combat in the event that they haven’t been fed”. Put otherwise, as a rising variety of civilian contractors are getting used to offer the logistics wanted to function a military, making the assault floor broader than it might seem.
The panel used Taco Bell as a fictional analogy. A hacker may declare they modified the water provide in Taco Bell, however on nearer inspection it may simply be that they’ve tampered with a restaurant’s water cooler, which might not be sufficient to have an effect on its operations.
Nonetheless, a cyberattack on Taco Bell’s provide chain may carry it to an operational cease. How? By stopping deliveries of produce to the restaurant. This dependency might be much more obscure: an assault on the businesses that provide the meat utilized in Tacos may probably trigger Taco Bell to stop operations on account of a scarcity of elements for meals. The analogy holds true for the navy: with out meals, the troops can’t combat or are, at greatest, restricted.
What this implies for your enterprise
Shifting past the panel dialogue, this raises a vital query for companies: do they actually perceive their dependencies to be operationally resilient? Do they perceive the dependency their prospects have on them to make sure the continued operation of their very own companies?
Sticking with the Taco Bell analogy, think about a cyberattack that takes away a key ingredient the enterprise must function; for instance, if the corporate depends on a provider for taco seasoning, then a cyberattack in opposition to the provider may have an effect on Taco Bell’s potential to maintain working. This isn’t mere hypothesis – there are real-world examples of cyberattacks which have precipitated such a disruption. For instance, the cyber-incident suffered by Change Healthcare, a well being information processing agency, stopped medical providers being offered throughout practices and hospitals.
As we speak, so far as I do know, cybercriminals solely extort cost from these they instantly assault. However what if a cybercriminal determined to assault the third celebration after which demand an extortion cost from all the companies that depend on that provider? In my instance, say the taco seasoning firm is disrupted by ransomware, and whereas the cybercriminal might ask the seasoning firm to pay a requirement instantly, they could really achieve extra in the event that they requested cost from all the businesses reliant on the provider’s product, as a scarcity of provide might price them greater than the provider itself.
Whereas this monetization technique could seem speculative, there is a vital level right here: does your enterprise actually perceive its dependencies and find out how to mitigate the danger of assault on these it’s depending on? An actual-world instance could be an assault on a catering firm that’s contracted to feed sufferers in a hospital. If the power to feed sufferers is disrupted on account of a cyberattack, then the hospital might need to declare a significant incident and shut admissions to new sufferers. On this situation, would the hospital pay an extortion demand that brings again catering provide?
The important thing takeaway from this panel session for me is that this: all of us must map and absolutely perceive the dependencies we depend on and guarantee now we have resilience the place wanted. If we are able to’t get to some extent of resilience, then we not less than want to grasp the danger posed by the dependencies.
