Could Cyberattacks Bring Modern Economies to a Halt?

Show Notes

In this episode of At the Boundary, GNSI’s Strategy and Research Manager, Dr. Tad Schnaufer II, is joined by Dr. Louise Tumchewics, a professor at the Center for War Studies at the University of Southern Denmark. They discuss Tumchewics’ upcoming project with the Center that focuses on the nexus of cybersecurity, geopolitics, and supply chain resilience for average businesses in Denmark.

Tumchewics mentions the human aspect of cybersecurity, and how Denmark is working to educate its civil population on digital security. She mentions that a cyberattack to critical infrastructure, such as the 2017 Maersk shipping crisis, would be damaging to the Danish supply chain and the Danish people, who rely heavily on online services. She ends with a hopeful look to the future, where countries like Denmark could have effective plans in case of cyber or hybrid threats. 

Links from the Episode:
• International Security Experience (ISE)

• GNSI Tampa Summit 6 Registration 

• GNSI on Iran: Three Years of Research, Analysis, and Engagement

• Dr. Tad Schnaufer’s Substack Article 

GNSI on X
GNSI on Linkedin
GNSI on YouTube

At the Boundary  from the Global and National Security Institute at the University of South Florida,  features global and national security issues we’ve found to be insightful, intriguing, fascinating, maybe controversial, but overall just worth talking about.

A "boundary" is a place, either literal or figurative, where two forces exist in close proximity to each other. Sometimes that boundary is in a state of harmony. More often than not, that boundary has a bit of chaos baked in. The Global and National Security Institute will live on the boundary of security policy and technology and that's where this podcast will focus.

The mission of GNSI is to provide actionable solutions to 21st-century security challenges for decision-makers at the local, state, national and global levels. We hope you enjoy At the Boundary.

Look for our other publications and products on our website publications page.

Transcript

SPEAKERS

Glenn Beckmann, Tad Schnaufer, Louise Tumchewics

 

Glenn Beckmann  00:12

GNSI, welcome to this week's episode of at the boundary, the podcast from the global and national security Institute at the University of South Florida. I'm Glenn Beckman, your guest host today for at the boundary.

 

Glenn Beckmann  00:29

Joining us on today's episode will be Dr Louise tomchawix, an award winning author and researcher for her work and writing on maritime economic security. But first, a couple of things we want to pass along pertaining to a pair of signature events GNSI will be hosting this spring. We'll start with the second one. First, the international security experience, a four day event scheduled for April 14 through 17th. Now we're partnering with King's Center for the Study of intelligence at King's College London, along with the Intelligence and National Security journal and USF Intelligence and National Security Studies, we're excited to announce a new speaker to our lineup, David Marlowe, former deputy director for operations for the CIA, will be the keynote speaker on day one. Registration is now open, so reserve your seat today. That's about a month away in just a couple of weeks, however, GNSI will be hosting Tampa Summit. Six cracks in the lamp, freeing the nuclear Genie will examine long dormant but now resurrected, fears and questions. The Doomsday Clock is closer to midnight than it has ever been. Are we on the verge of another nuclear age, you'll need to register to find out. We have an extraordinary lineup of speakers and experts, including retired generals Frank McKenzie and John Highton, former Special Assistant to the President, Frank Miller and former assistant secretary of state and five time ambassador, Christopher Hill. That's March 24 and 25th at the Marshall Student Center here at USF. There's no cost to attend either of these signature GNSI events, but registration is required. You know, since GNSI was created nearly four years ago, we've devoted a lot of time and resources to the Middle East, and more specifically, Iran, US and Israeli airstrikes began on February 28 in Iran, and they continue today. Iran has struck back vigorously as well, with retaliatory strikes around the region. Now there are reports about potential uprisings by different groups inside and outside the country. We thought it might be useful for us to create a library of our work on Iran that's easy to find all in one place, and that's exactly what we've done, research, articles, conference, videos, media appearances at the boundary, episodes and other publications. You can find all of that in the library on our website. We'll have a link in the show notes. Finally, today, we're excited to announce a new addition to the GNSI board of advisors joining us on our mission to inform, prepare and enable is Bob Donahue. He's a USF alum and the founder and CEO of by light. They're headquartered in DC and have offices across the country as a former bull Bob's pretty excited to be sharing his expertise and skill set with his alma mater. Okay, it's time now for our special guest today, Dr Louise tumchuix, a renowned author and researcher specializing in maritime economic security, joining her today for the interview is Dr Tad schnorfer, the strategy and research manager here at GNSI. Tumchuix recently was awarded the Admiral casteks prize from the French Navy for her writing and work. She's also a research fellow at the Center of war Studies at the University of Southern Denmark. Let's drop in on their conversation today on at the boundary.

 

Tad Schnaufer  03:58

Well, welcome to the podcast. Elise.

 

Louise Tumchewics  04:00

Thank you so much for having me. It's great to be here. We

 

Tad Schnaufer  04:03

appreciate you calling in all the way from Denmark. So you know, we were talking before. What? So what's one of your major projects you're working on at the Center for war studies?

 

Louise Tumchewics  04:16

So Well, the Center for war studies is alive with all kinds of activities. The project that I've been working on for the past almost two years has been an interdisciplinary project on cybersecurity, geopolitics and supply chain resilience. So we've it's been a project between our Department of Business and Management Studies, the Department of Computer Science and the Center for war studies, which has you know, actually worked really well. And we've been looking at cyber security, cyber security threats emerging from geopolitical tensions, geopolitical shifts. And how that affects businesses in the Danish defense and technology sectors. So just for your you to paint a picture for your listeners, the Danish defense and technology sectors has a lot of small to medium enterprises, which typically those businesses will be aware of cyber security threats, but don't necessarily have the resources or practices in place to be defending themselves against various cyber hazards. Yeah.

 

Tad Schnaufer  05:33

I mean, I think that's probably relatively universal. A lot of companies and industry members don't understand the complex variety of threats. So when you're talking about cyber threats, are you talking about state sponsored threats, maybe a Russian threat, for example, or you're talking non state maybe criminal activities, yeah.

 

Louise Tumchewics  05:52

So we've, we've been talking about both, because there is, you know, obviously criminal, criminally motivated cyber attacks, you know, whether it's phishing or malware, ransomware that has, you know, I guess, a rather nefarious profit motive behind it. And then we're also seeing state sponsored threats, which, of course, can draw upon the resources of a of a state to be to have sort of persistent cyber aggression.

 

Tad Schnaufer  06:27

And what are companies? Let me rephrase, how are companies reacting to that, particularly obviously, since Russia's invasion of Ukraine in 2022 and the heightened security environment that Europe's currently operating in,

 

Louise Tumchewics  06:39

well, I think

 

Louise Tumchewics  06:40

certainly the Danish national security cyber security strategy, which was came out in 2024 is really our reflection of the fact that that many businesses in Denmark, government organizations and individuals are aware of cyber risks. So Denmark is a highly digitized country. When I first moved here, that was a bit of a shock to the system. I can do virtually anything from an app on my phone, and all my interaction with public agencies is digital. So if I want to make a doctor's appointment. I do that on on a website, if I'm getting information about my income tax returns that all comes to me digitally.

 

Louise Tumchewics  07:32

So as you can imagine, for any individuals in Denmark, there's a lot of you know of very important confidential information out there, out there in cyberspace, and the same for businesses. So there is that awareness,

 

Louise Tumchewics  07:50

but there aren't necessarily the practices in place that are keeping

 

Louise Tumchewics  07:56

up with cyber threats,

 

Tad Schnaufer  07:58

and what type of practices we talking about, just dual authentication for accounts and, you know, updating, you know, patchworks for software, or what specifically are we looking at?

 

Louise Tumchewics  08:08

So, yeah, things like that,

 

Louise Tumchewics  08:09

like, like, dual factor identification, using passwords that are stronger than password one, even, you know, making sure that that everyone in an organization knows what what a phishing email might look like, and testing that kind of awareness. You, yeah, doing things like, like patches in software. We we, when we were doing our consultative workshops. We went out to visit a number of businesses, and some of them had, you know, had stories of, you know, an IT consultant, moving between businesses and using the same USB stick.

 

Tad Schnaufer  08:58

It's easy, not, not a good idea.

 

Louise Tumchewics  09:01

You know, an easy not. You know, an easy not to do, yeah. So, so practices like that, you know, practices that are often driven by by convenience, by complacency, perception like, Oh, we're small business. We're not that important. And then also we're Denmark, and again, as a North American, this was quite, quite surprising. Denmark is a very high trust society, so cyber security in a high trust environment is is different when people sort of assume the best, or assume that you they can, they will, you know, that the things

 

Louise Tumchewics  09:49

will be secure and safe,

 

Tad Schnaufer  09:52

yeah, and unfortunately, we see that there's, there's a hostile actors out there, so you can't always take that jovial approach.

 

Louise Tumchewics  10:00

I guess, yes, yes. So even though, you know, in my own experience, for example, I once left a bag on a train and it was very nicely returned to me, but in cyberspace, that that sort of thing is not necessarily going to happen.

 

Tad Schnaufer  10:18

And you know, with highly digitized societies. Obviously, in the United States, it's a little, maybe a little less so than some of the smaller European nations I'm thinking as well as with like Estonia, where almost even your identifications are online, like your driver's license, everything is just online. But what risk does that pose to particularly a state sponsored cyber attack? If all your systems are attacked either with some form of denial service. It doesn't even necessarily need to be pulling information. It just shuts down a government site for a time. How would that impact day to day life, and what are some of the repercussions?

 

Louise Tumchewics  10:51

Well, I think you so if, if that happened here in Denmark, it would quite dramatically bring society to a standstill. So if I want to buy a train ticket, for example, 99% of the time I'm going to do that from an app. And even if I'm buying it in the station and getting a paper ticket, it's a card payment. My logging into websites that's all online doing any kind of banking. We very rarely use cash here. So just if

 

Louise Tumchewics  11:31

there was anything like a denial of service attack, you could imagine that that life would slow down

 

Louise Tumchewics  11:41

very quickly, and it would be very difficult for people to do even the most basic, even conduct, even the most basic business, or you do the most elementary things of normal day to day life, right?

 

Tad Schnaufer  11:57

And likely that would cause some civil unrest and kind of start spiraling, especially as if the attack was a prolonged disruption of online services.

 

Louise Tumchewics  12:08

Well, I would say that you know, even as you know, polite and cooperative, as Danish society is, yes, you could see that, you know, within a few, within a few days, when people start having difficulties, say, accessing funds or getting from place to place, or even being able to have food in their homes, that that people very,

 

Louise Tumchewics  12:37

very quickly, relationships start to break down.

 

Tad Schnaufer  12:41

Yeah, well, and you know, this is one of the big concerns about some countries looking to go to even a cashless society, because everything's online, then if you don't even have cash as cash as an option, if something should happen, even if it's not nefarious, it's just, you know, there's a big storm or a power outage or something,

 

Louise Tumchewics  13:00

absolutely, even if there was something that happened, not necessarily from a hostile actor, but simply by, you know, as a major storm or some sort of environmental event, you suddenly a cashless society is very, very vulnerable. So in early 2024 I believe the Danish government encouraged Danes to have 72 hours worth of supplies in their homes to prepare for that kind of eventuality. Now we'd say that Danes are probably a bit more relaxed about that than our friends over in Finland or Sweden, who are encouraged to have a week's worth of provisions, and

 

Louise Tumchewics  13:49

in countries like Finland, which has been see much more robust in its civil defense preparations For a very long time now has,

 

Tad Schnaufer  14:01

I know, Finland, Sweden, Poland, recently as well, have produced pamphlets for their citizens of, you know, just just that type of guidance, like, you should store this much food, you should have this much, you know, cash on hand. You should watch out for these type of cyber attacks. As Denmark also published, I think, in, for example, in Swedish, called the total defense, you know, aspects or comprehensive security in Finland. Does Denmark have anything like that for its citizens, like a pamphlet that describes how to prepare

 

Louise Tumchewics  14:31

so I can say that I have not actually received a pamphlet, but we do have it. We do have it on a website.

 

Tad Schnaufer  14:44

Well, yeah, hopefully, hopefully you got to print that out. You have to have the analog hard copy, just in case, exactly.

 

Louise Tumchewics  14:50

And I think getting that analog hard copy, you know, that's that's quite a shift again, a shift in behaviors and a shift in culture. Yeah.

 

Tad Schnaufer  15:00

So what are some of the other vulnerabilities we might not think of? I mean, obviously we've talked about kind of the big stuff, banking and day to day life, but what are some of the other vulnerabilities within companies or maybe within the defense industry that kind of get overlooked when we talk about cyber security or also just general hybrid threats from state actors?

 

Louise Tumchewics  15:17

So one thing, so just to give your your listeners some background, as

 

Louise Tumchewics  15:23

part of this project, we held workshops with

 

Louise Tumchewics  15:28

Danish small to medium enterprises involved in the in defense and in the technology sector. We held them around the country, and that was an opportunity for them to share about some of the threats they have. We used some scenarios to get them thinking about different threats and about what their response would be.

 

Louise Tumchewics  15:49

And you there were, there were things that we wouldn't necessarily think of, especially, you know, for those of us coming from a political science background like me, you don't think about, necessarily, some of the supply chain management problems that that would cause. So even if something, if there's a cyber security breach, not even necessarily within your within a business, but with their supplier two to three to four steps removed, that could really negatively

 

Louise Tumchewics  16:26

impact business, how you could get, you know, how you could get some of the materials that you need, or even just the flow of money amongst businesses for various services, And just the cascading effects that that could have.

 

Tad Schnaufer  16:44

What is, you know, from all those workshops, what are one or two really interesting or kind of facts that you found out, that you really found that was shocking, either that maybe companies didn't know, or things they were doing, you know, what was something that really took you back from those workshops?

 

Louise Tumchewics  17:01

So I think, well, we had a really in some ways, we had a really great experience with these with these workshops, because businesses were so forthcoming about the challenges that they have faced in the past, their current practices and challenges that they envisage in the future. I think one, one of the things that that we surprised me the most is what you and I, and really many of our listeners who were interested in this kind of you know, interested in geopolitics, were following geopolitical developments. But many people are not, and they are not necessarily seeing the connection between a geopolitical event that's happening somewhere else in the world and the implications that it could have for their business. And I think we tend to think of we tend to think of cyberspace as something that's removed from us, and that our activities within cyberspace are sort of discrete and confined to our circle of activity, when really there's so much international connectivity that it doesn't matter if that geopolitical actor is on the other side of the world, right, the impact that they can have on a business through a cyber attack, for example, would be what could be immediate,

 

Tad Schnaufer  18:39

yeah, and again, that it could be a threat from across the ocean. It's a lot easier to travel through cyberspace than physical space. Where are Oh, go ahead,

 

Louise Tumchewics  18:47

yeah, I say that. You know that threat perception? You know that it's because something is a threat and it feels geographically far away that that isn't necessarily the case with cyber threats.

 

Tad Schnaufer  19:01

Well, as you mentioned, the threat perception in Denmark has been increasing since 2022 you said you noted the strategy, the cyber strategy, published in 2024 but also just last year, Denmark had a number of drones that were over its airports that shut down, I think Copenhagen airport, things like that. So I imagine the Danes are feeling a little bit more pressure, just generally, which maybe, does that translate over to the cyber domain?

 

Louise Tumchewics  19:26

I think yes, absolutely. Denmark had unexpectedly found itself in, you know, feeling those hybrid threats a lot, a lot closer with the drone incidents last autumn. And that was certainly something that was very, I would say, unnerving, particularly for you know, Danish Danish politicians, Danish leadership, and definitely brought home the realities of high. At threats, and that's a realization that I would say has been growing, particularly since 2022 but when it was on the doorstep and when it was at Copenhagen airport, then that really brought it into people's day to day life.

 

Tad Schnaufer  20:15

Well, where are you seeing the lack of readiness? Whether we're looking at the government or industry, where are they lacking readiness? Is it just a simple, you know, not necessarily complacency, but just this lack of threat perception? Or what are the other areas that we're seeing the readiness not up to par?

 

Louise Tumchewics  20:33

Well, I think one, you know, there is a growing awareness of, you know of the dangers of hybrid threats. What I think is challenging is that readiness requires

 

Louise Tumchewics  20:49

preparation, and typically preparation requires time, and so it's you and and changing habits, changing the way that we do things, and one of the challenges, I think, is to encourage preparation and encourage readiness without encouraging panic or a mis a disproportionate sense of danger. And getting that, you know, get you getting that readiness in a calm and orderly fashion, takes a lot of time.

 

Tad Schnaufer  21:26

Yeah, because you want to amp up the threat to motivate people to be ready,

 

Louise Tumchewics  21:31

exactly you want to amp up the threat to motivate people to be ready, but not amp up the threat so much that people are engaging in panic motivated behaviors. You know, whether it's hoarding, whether it's stashing loads of cash under the mattress, or you whether it is actually, you know, use over

 

Louise Tumchewics  21:56

securitizing normal functions in life, so that, for example, it's it's almost impossible to use an app because you're so busy authenticating yourself, right?

 

Tad Schnaufer  22:07

So a little bit of measured security now just overwhelming.

 

Louise Tumchewics  22:11

It exactly. And I think because day to day, life in Denmark has not changed very much, even with there being a war on the European continent, even with there being concerns over hybrid threats coming from the Baltic Sea and and around the North Sea area, day to day, life in Denmark proceeds at its normal Pleasant pace. So that makes it, I think, often, difficult for people to understand the reality or the proximity of the threat, and it makes it difficult for people to think about preparation, right?

 

Tad Schnaufer  22:56

One makes an event like a zero day type of event even more likely because people just aren't even looking for a possible, you know, attack

 

Louise Tumchewics  23:06

vector well. And while there well, there has been definitely encouragement of, you know, getting people to prepare, getting people to think about it. That is a cultural shift that needs time and that needs consistent messaging and measured changes in behavior.

 

Tad Schnaufer  23:24

Unfortunately, a lot of times we see with this, whether if it's this type of, you know, cyber security or other forms of military preparedness or resiliency, it normally takes a, unfortunately, a devastating event to kind of shock people into, you know, preparation, being motivated to prepare is, is that kind of what we might see here?

 

Louise Tumchewics  23:46

I think so. I think, you know, it's that's in no way limited to Denmark. I think that is, that's very typical human behavior, and that was, think, sort of encapsulated by one of our business that shared their experience with cyber attack in in one of our workshops. So they hadn't really thought about cyber security, and then they were victims of a ransomware attack for a week, which reduced them to pen and paper operations and, you know, manual, spreadsheets and things, things like that. And after that experience, then they have been far more conscious of cyber security. But it took, it took a total shutdown in order to to change their practices and change their threat perception.

 

Tad Schnaufer  24:40

Well, that sounds like a pretty devastating attack. And I recall back in 2017 time frame, the Danish shipping giant Maersk was attacked and by a software virus that cost him a couple, a couple 100 million dollars.

 

Louise Tumchewics  24:58

That's That's right, um. In 2017 Maersk was a victim of the not Petya ransomware attack that looked like ransomware, but was later, believe, attributed by US intelligence to to a Russian state source, and that was, you know, a crippling incident for Maersk. So Maersk is a is a Danish shipping company, but it is. It does have operations all around the world. So a cyber attack actually paralyzed 76 port terminals. Yeah, and it affected over 45,000 PCs and 4000 servers. So this was, you know, a huge incident, yeah, and probably cost the company in the neighborhood of two, 250 to $300 million to recover from.

 

Tad Schnaufer  26:02

Well, I mean, it just drives home that impact. And actually, going back to your earlier comments about other companies that you work with, whether they're vendors or consultants or software companies that you might purchase items from, that attack was, if I remember correctly, was related to the tax accounting software that they had purchased through an outside vendor. So it's not even your systems that are being attacked. You're introduced, it's being introduced into your systems from a third party source, absolutely.

 

Louise Tumchewics  26:30

And I think that was one thing that came out through this project, was just awareness of how cyber security practices in a business can be strong and can be robust, but the problem can actually come, you know, two or three steps removed from your own business. So that whole supply chain has to be cyber secure.

 

Tad Schnaufer  26:53

And, you know, going back to the education piece, you want to make sure the human factor is up the par as well, that you don't accidentally, you don't have a random employee somewhere in your company click on a link and that that compromises your system?

 

Louise Tumchewics  27:08

Absolutely something you everyone in the business, even if they're not directly involved in it, needs to know what you what phishing might look like. Might have you know what to look for, and also the practices to implement in their daily interactions with cyberspace and digital tools, to be on guard for suspicious suspicious activity or something that looks not quite right, or something That looks too good to be true,

 

Tad Schnaufer  27:41

right, right? And you know, as you continue with this project, over the next, you know several months, what are the big things you're going to be looking at? So you have this input from the workshops you have, what you're writing on, what are we looking forward to as the project continues? What exactly are you going to focus on with these cyber threats?

 

Louise Tumchewics  28:00

So we're at that that exciting stage of the project where we're writing up all our our findings and writing up our recommendations. Do you will be sharing that at conferences. We'll be sharing that in a few publications, hopefully, that stuff that we can also share with the GNSI community as well. Obviously, I think there's lots of overlaps between the projects that have been ongoing on critical, critical infrastructure. So we we're going to be sharing those. We have a big sort of wrap up conference towards the end of of April to share all our our learning. And what we're hoping is that from our findings in the project, businesses will find some actionable guidance that they can implement, and that we can hopefully see within Denmark some resources dedicated to helping small to medium enterprises tackle the challenge of improving cybersecurity.

 

Tad Schnaufer  29:03

So could you give us a sneak peek of one of the findings that you're thinking would have a big impact, just just briefly?

 

Louise Tumchewics  29:10

So I think

 

Louise Tumchewics  29:14

one of the findings was that a lot of businesses do not have a response plan for a cyber attack. Now most businesses, of course, will have a plan in place for you know, what happens if there's a fire or a flood or

 

Louise Tumchewics  29:32

physical theft on their premises? But very few have a plan in place for you know what? What happens in minute minute one after, after a cyber after a cyber

 

Tad Schnaufer  29:47

attack, right? Who do you call? And then what happens if your phones are offline and you can't call anyone,

 

Louise Tumchewics  29:51

and you and you can't call, do you just shut everything down? Do you just pull the plug? What do you do? Who do you call? What. The steps to take to to contain that attack, if you can

 

Tad Schnaufer  30:03

well, and that's that's a great point. That's something even, you know, obviously companies, militaries and governments have to look at, because even if your response is to we better shut everything down so they don't see all the information. Well, maybe the overall goal of the attack was to shut your systems down so your response is actually achieving the goal of the attack, if you're looking at a denial service attack or something like that, for example. So it's that's a really complex thing that companies, governments and militaries will have to continue to

 

Louise Tumchewics  30:30

look at exactly. It's not going to be something as straightforward as, you know, the cyber equivalent of Stop, drop and roll. So, you know, it will be a multifaceted kind of response.

 

Tad Schnaufer  30:43

And then, you know, as you look at that, who do you call when a company? Does a company have a requirement to call the government, let them know, Hey, we've suffered a major cyber attack. You know, we need to coordinate our efforts, maybe with either government entities or law enforcement. Or could they, I guess, just try to handle it themselves.

 

Louise Tumchewics  31:03

So there, there is a cyber hotline for digital security in Denmark, and that aims to provide advice on digital security, digital fraud and cyber attacks. And it it will try to give you, it will give some preventative guidance, and it will try to provide some advice on how to handle an incident.

 

Louise Tumchewics  31:31

And for businesses, it helps to provide companies that believe they're experiencing a ransomware attack or maybe something like fraudulent invoicing and and then through that hotline, businesses or individuals can get advice on do they go to the police.

 

Tad Schnaufer  31:52

That's interesting, because that's just one of the things that we deal with through some of the projects we work with, in conjunction with one of our sister organizations here at the University of South Florida, the cyber Florida, as we look at cyber threats, how do you actually report it to ensure other companies learn, maybe the or other companies or entities, it could just be agencies learn the lessons and see, okay, this we need to recognize this type of thing as an attack, or as ransomware, or just, Hey, you Don't want to get exposed. You don't want to get exposed your system to this. These systems are compromised, those

 

Louise Tumchewics  32:26

type of things. Yeah, I think that sharing is really, is really important. Again, this isn't something that you could typically be undertaken by, say, a policing organization, because police forces aren't best resourced to do that. But I think that element of sharing, you know, this is this has been flagged up in a number of businesses that that is really important, and that is something that needs to be, not only provided by the state, and that that is done to an extent, but it has to be part of business activities, both actually, not just for businesses, also for individuals, that we're that we're checking those things and we're aware of them. Well, I

 

Tad Schnaufer  33:13

wonder if there needs to be a government agency, you know, at the state level, you know, the Danish level, or even here in the United States, for example, that really helps coordinate between companies, and then also other government agencies that suffer cyber attacks. Because you imagine, with a profit driven company, they probably wouldn't want to advertise very widely that they've been attacked, compromising huge systems, costing them hundreds of millions of dollars, obviously, for the sake of their stockholders or shareholders, so they might not have the incentive to share that, and I think that's where maybe, maybe we need some sort of legal framework, not just to get the lessons learned, but also to ensure they are actually observed.

 

Louise Tumchewics  33:55

Yeah, I would, I would agree. I think particularly for for businesses, there isn't much incentive to report a cyber attack because you don't want to damage consumer confidence. It's not a good sign to say, Hey, we've had a cyber attack, and interacting with

 

Tad Schnaufer  34:12

us, your information's gone. All of our customer information's

 

Louise Tumchewics  34:18

got and we can see the reputational damage that

 

Louise Tumchewics  34:22

businesses have suffered. So for instance, in the UK, last year, marks and Spencer's, which is a well known grocery store chain, suffered a an eight week long cyber attack that was believed to have stolen a lot of customer information. So you can imagine cus you that really depletes customer confidence, one when they can't place orders because of the cyber attack, and then when they learn that their personal information may have been compromised.

 

Tad Schnaufer  34:56

Yeah, no, it definitely gives you a moment of pause of how often. You throw your information in the, you know, into the internet,

 

Louise Tumchewics  35:04

yes, and but I do think having reporting mechanisms that, again, where there is a legal obligation, so it has to be done, and then where there is some, some lessons, a lessons extraction process, even if businesses are anonymized, but to to make sure that others are aware of a threat, yeah.

 

Tad Schnaufer  35:27

And one of the other things is we look at cyber threats and as you continue and with your project, and hopefully we'll look forward to reading that report soon. Is just the evolving nature of cyber attacks and threats that they're you know, you have a certain type of virus that does a certain action this time, and then something completely new, you know, this, the zero day idea, something you knew you couldn't even anticipate, has been developed and is unleashed in your system

 

Louise Tumchewics  35:51

absolutely and I think that is only going to the challenge of that is only going to increase With the development of artificial intelligence, and artificial intelligence driven cyber attacks.

 

Louise Tumchewics  36:07

And I think then it's very important, both for individuals and businesses, to start to think, Okay, if we can't prevent everything, statistically, it's just going to be impossible to prevent everything. What does our recovery plan look like?

 

Tad Schnaufer  36:24

Yeah, exactly, going back. Well, how do you respond?

 

Louise Tumchewics  36:27

How do we, how do we make sure that we can restore operations?

 

Tad Schnaufer  36:32

Well, with the report, when can we expect to see that out

 

Louise Tumchewics  36:38

so we have our the project has a sort of final, final conference on the 29th of April, just in case anybody's in Copenhagen wants, wants to join in, and then we hope to have things published and available looking towards the end of June. Excellent.

 

Tad Schnaufer  36:58

Well, we, we all look forward to giving that a read and looking forward to those findings, and hopefully we get to cooperate in the future.

 

Louise Tumchewics  37:06

Absolutely, I feel like this will be a continuing conversation on the challenges of cyber threats. Well, thank you so much for joining us. All right. Thanks so much for having me.

 

Glenn Beckmann  37:21

Special. Thanks to our guest today, Dr Louise tungsics, award winning author and researcher on maritime economic security, and thanks as well to Dr Tad schnaufer, the strategy and research manager at GNSI. By the way, Tad recently launched a new substack channel the pursuit of security. His most recent piece is peace in Ukraine. What will it look like? We'll have a link in the show notes. You should check it out next week on the podcast, our special guest will be Heather Williams, the director of the project on nuclear issues at the Center for Strategic and International Studies CSIS. She's a senior fellow at CSIS and the author of a recently published commentary titled three truths about the end of new start and what it means for strategic competition. New Start was the last remaining bilateral nuclear arms control agreement between the US and Russia. We're going to talk to her about her article and what the future may bring. If you don't want to miss that episode or any other episode, be sure to subscribe to the podcast on your favorite podcast platform. We know you have many different options when it comes to choosing a podcast. We just want to say thanks today for spending a few minutes with us. If you like the podcast, please subscribe and let your friends and colleagues know and tell them to subscribe as well. You can follow GNSI on our LinkedIn and X accounts at USF, underscore, GNSI, we're also on YouTube, plus. We publish a newsletter the first Wednesday of every month. We invite you to subscribe to that as well.

 

Glenn Beckmann  38:58

That's going to wrap up this episode of at the boundary. Each new episode will feature global and national security issues we found to be worthy of attention and discussion. I'm Glenn Beckman, thanks for listening today. We'll see you next week at the boundary.