Ripped from the Headlines: Business Implications from the “Quiet” Cyberwar

The fourth installment of “Ripped from the Headlines with Andrea Bonime-Blanc” focuses on the business implications from what appears to be a quieter (but certainly no less active and potentially more ominous) global cyberwar.

May 26, 2025

This is the third issue of “Ripped from the Headlines with Andrea Bonime-Blanc”, a collaboration between Athena Alliance and GEC Risk Advisory in which we summarize without attribution some of the learnings and take-aways from a headline news story of great significance to our members discussed at our monthly “Ripped from the Headlines” Salons and which we share here for all to benefit from.

Overview

I began the conversation by presenting recent headlines from several reliable sources (including the Wall Street Journal, the New York Times, Axios, Reuters) about Chinese state-backed hacking of US Treasury computers and China’s acknowledgment of its role in US infrastructure hacks. I also touched on the ongoing Salt Typhoon and Volt Typhoon cases and a recent case in which surreptitious communications devices were found on installed solar batteries. I also covered the controversy surrounding the Trump Administration national security team’s use of Signal for secret group communications and their switch to Telemessage, a commercial communications app generally considered to be even less secure than Signal. We also touched on recent cyber incidents involving cryptocurrency exchanges (Coinbase) and retail chains (UK’s Marks & Spencer), emphasizing the importance of cyber resilience for any type of organization.

The meeting covered a range of topics related to cybersecurity, with a focus on current threats, government policies, and business preparedness. Participants discussed the increasing frequency and sophistication of cyber-attacks, particularly those targeting critical infrastructure and government systems, the convergence of the physical, virtual risk and social engineering spaces in heightening cyber-insecurity, as well as the challenges faced by businesses in responding to this continuously morphing threat landscape. The conversation touched on the importance of cyber resilience, data protection strategies, and the potential impact of emerging technologies like quantum computing and AI on cybersecurity with important practical take-aways for us to implement.

Key Themes Discussed

Is Cyber-Responsibility Moving from U.S. Federal to State Levels?

The group discussed the role of state and local authorities in addressing cyber threats, particularly in light of emerging policy trends that suggest a potential shift of some cybersecurity responsibilities from federal to local jurisdictions. Participants raised concerns about the growing capabilities of state-sponsored hacking groups—such as the Iranian-based Cyber Av3ngers—which have been linked to disruptive attacks on industrial infrastructure globally. While decentralization of cyber responsibility may encourage localized responsiveness, it also introduces significant challenges, particularly given the limited resources and cybersecurity expertise often found at the state and municipal levels.

Global Cyber Threats, Impacts and Scams

Also discussed were some of the recent developments, including a power outage in Spain and Portugal (not attributed to a cyber-attack but nevertheless under investigation), deepfake scams, and the potentially existential impact of quantum technology on decrypting all encryption that exists today. I highlighted the convergence of cyber, social engineering, and social media in creating sophisticated online scams. On that note, I recommended a podcast series by The Economist called Scam Inc. that explores these multifaceted, converging threats and scams.

Cybersecurity Challenges and Policy Shifts

We examined recent data highlighting the growing threat of cybercrime to critical infrastructure, citing sources such as CrowdStrike. Notably, global cyber actors—including China, Russia, Iran, and North Korea—were identified as key players, while the U.S. accounted for only 2.3% of attacks.

Also noted was a significant increase in cybercrime costs, from $3 trillion in 2015 to a projected $10 trillion in 2024. Participants reflected on the broader implications of the Trump Administration’s cybersecurity policy changes, including shifts toward deregulation and reduced enforcement. There was concern about how these trends might weaken the US technology protection posture and have serious potential implications for the business community.

US Federal Cyber Attack Reporting Challenges

The participants discussed the increasing frequency of cyber-attacks and the challenges companies face in reporting them to authorities under new SEC regulations. A participant expressed concern about the lack of clarity regarding which government agencies companies should contact in the event of a cyber-attack, highlighting the need for better guidance from federal and state governments. I suggested that board members should consult with their management team, including the CEO, general counsel, chief risk officer, and chief information security officer, to better understand and address these issues.

Cybersecurity Risks to Infrastructure

A participant expressed concerns about cybersecurity threats to national infrastructure, particularly in the context of recent deregulations and potential vulnerabilities in sectors like energy and transportation. We discussed the impact of reduced funding and resources on critical infrastructure, including air traffic control, and warned about the potential for cyber warfare from adversaries already embedded in U.S. infrastructure systems. Participants acknowledged the growing risks and discussed the challenges of responding to cyber threats in real-world scenarios, with one participant noting the longer recovery times needed for companies to come back from a serious cyber event.

Cyber Resilience and Crisis Planning

A knowledgeable participant emphasized the importance of having alternative sources and backup plans to enhance resilience against cyber threats and natural disasters. She highlighted the need for the business community to step up and urge the government to support core functions like defense, while also advocating for cyber insurance as a proactive measure for small businesses and nonprofits. A participant shared her experience managing a crisis during a power outage, stressing the value of having a well-prepared crisis management plan, which she implemented after 9/11. Both participants agreed on the necessity of tabletop exercises to prepare for potential cyber threats and emphasized that companies often wait until a major incident occurs to take action.

DOGE Potential Data Breach Cybersecurity Implications

The group discussed the implications of the recent DOGE take-over of several federal agencies and departments, which has significantly increased vulnerabilities not only for the government but also for businesses and individuals. Several participants were concerned that the DOGE work within the federal government could have the potential of being the largest cyber-attack on the US Government, with unprotected or easily accessible data being potentially exploitable by various nefarious domestic and foreign actors. A participant emphasized the importance of focusing on controllable measures such as building resilience, conducting tabletop exercises, and ensuring backups, rather than challenging the administration directly. The discussion concluded with a recognition of the need for businesses to prepare for potential future cyber incidents, though collaboration among businesses seems unlikely for now.

Cyber Security Challenges and Solutions for SMEs

The group discussed cyber security challenges, with a participant sharing details about an upcoming cyber tabletop exercise in Northern California featuring FBI representatives and cyber insurance experts. A participant highlighted the importance of cyber security services for small and medium-sized businesses, mentioning a cyber expert named Tara Wheeler who specializes in helping smaller organizations. Another participant shared insights from a conversation with a cyber expert at one of the Magnificent Seven technology companies who expressed concerns about the intersection of quantum computing and AI in cyber security, comparing current protection methods to lions protecting zebras.

Quantum Computing’s Cybersecurity Impact

Two participants discussed the potential impact of quantum computing on cybersecurity, expressing concern about the lack of preparation and resources for many companies. Another participant shared insights from a tour of New Jersey’s Cyber Command Center, highlighting the complexity of law enforcement coordination at various levels and the need for better understanding of overlapping responsibilities. The participants emphasized the importance of local law enforcement’s reliance on federal agencies like the FBI, while acknowledging potential challenges in less affluent areas.

Cyber Resilience and Data Protection

The group discussed cyber resilience and data protection strategies, with one participant emphasizing the importance of identifying and protecting “crown jewels” within an organization. Additionally, a participant suggested that companies leverage free resources from prime contractors for cybersecurity training. I shared insights from a 2015 Conference Board report I wrote on “Emerging Practices in Cyber-Risk Governance”, noting that basic cybersecurity practices remain pretty similar to a decade ago and are crucial despite advancements in quantum computing and AI.

Key Takeaways

The participants contributed a variety of useful tips and practices which can be summarized as follows:

  • Board members should ask management about their company’s crown jewels (including privacy data, financial information, intellectual property, strategy, etc.) and how they are being protected.
  • Board members should inquire about the company’s crisis management and business continuity plans for cyber incidents.
  • Small and medium-sized businesses should explore cyber security resources and training offered by prime contractors or larger partner companies.
  • Organizations should form internal cross-functional teams to develop comprehensive cyber resilience strategies and tactics.
  • Organizations should review and implement basic cyber security practices as outlined in resources like the Conference Board report on cyber risk governance.
  • Universities and educational institutions should assess their cyber security needs and implement appropriate protection measures for research data and student information in ways similar to those of for-profits.
  • Businesses should understand the cost-benefit of investing in cyber resilience versus potential fines and reputational damage from cyber incidents.
  • Companies should stay informed about SEC guidance on disclosing material cyber events.

I ended the presentation by including a link to my Conference Board Research White Paper titled “Emerging Best Practices in Cyber Risk Governance”, which, though 10 years old, still holds in its 10 recommendations for good cyber governance.
