In early July 2021 the ransomware attack of the rEvil group against Kaseya forced over 500 Swedish Coop stores to remain closed. Coop was not a direct target of the attack but suffered collateral damage through one of its software service providers. As seen, cyberthreats, direct or indirect, are increasingly shaping the operational environment of commercial services.
This article will examine the cyber and hybrid threats faced by contemporary commercial activities when operating in shopping centers.
The operating environment of shopping centers is characterized by a multitude of hybrid and cyber threats.
As is the case in terms of physical threats, the main cyber threats remain crime and vandalism. Cybercrime are operations motivated by economic gain. These crimes come in different shapes and sizes; from credit card skimmers to ransomware attacks and from identity theft to copyright infringement. On the other hand, vandalism operations are conducted as a result of ideological motivations or individuals seeking entertainment. These threats are harder to handle as they are more difficult to predict. When considering the cybersecurity of shopping centers against these threats, a two-tier approach is relevant. The first level covers the security of each enterprise acting within the shopping center. These individual vendors must take appropriate precautions in order to ensure their cybersecurity against these threats. Notwithstanding, shopping centers where their companies are located have obligations to provide a base level of cybersecurity against these potential threats. In other words, somebody must look the shopping center holistically as one ecosystem.
Prior to the pandemic, the shopping centers enjoyed steady success as a location for many people to do their shopping as well as a place for gathering for events. Particularly in less urban areas and suburbs, malls played an integral role in society. At the heart of significance was the multitude of retail and services provided at these locations. Shopping centers provide companies with high levels of foot traffic and are an enticing location for them to conduct business. Notwithstanding, they have seen a decline in their popularity due to increased digitalization. The growing popularity of online shopping has driven consumers to remain home and order their shopping through the internet. This effect has been exacerbated by movement restrictions due to pandemic. Despite decreasing numbers of visitors lately, shopping centers remain highly dense population centers. As such they remain a prime target for hybrid and cyber threats.
There are three main cyberthreats that shopping centers need to focused: cybercrime, cyber vandalism, and hybrid operations. All three pose significant threats to different sectors of the shopping centers and society at large. Comprehensive hybrid and cyber risk assessment is urgently needed.
For criminals the cyberworld has become an invaluable tool for developing their operations.
Cybercrime has become the third largest industry in world economy as of 2020 and is seeing an even greater increase due to the pandemic. Cybercrime carries benefits over traditional crime: lower chances of getting caught, ease of conducting the operations, as well as larger payoffs. Like traditional crime, there is a plethora of possibilities when considering cybercrime operations. Criminals are able to put into use many different cyber capabilities such as identity theft, ransomware, and hacking. The operations that criminals put into force can act as passive income such as credit card phishing. On the other hand, some criminals may not be actively conducting crime against retail outlets but rather facilitating others by obtaining large amounts of information through data leaks. Moreover, as a result of the growth of cryptocurrencies, it is easier for criminals to remain undetected and receive financial compensation. For this kind of cybercrime, the likeliest target is the stores themselves. Through intrusions into the retailers themselves, criminals are able to obtain the largest financial gain; capitalizing on the disjoint defense effort of vendors being able to repeatedly attack. On the other hand, these attacks would not impact the entire ecosystem of the shopping center. Furthermore, cybercriminals are often seeking fast financial compensation and the disruptions are unlikely to last for long periods.
Cyber vandals are motivated by ideology rather than financial gain.
In these cases, individuals, not affiliated with governments or criminal organizations, use cyber tools to cause harm without economic gain. Through their actions they seek to limit the visibility of ideologies that contrast theirs. In the case of shopping centers these opinions are most probably anti-capitalist or anti-establishment, however, there has been an increase in nationalistic cyber vandalism. The cyber tools vandals use vary from crude to very sophisticated and the size of operations vary from small to loosely organized large attacks. Without a clear standard for motivations, it is difficult to predict different attacks. In many cases, the intention of vandals is not originally malicious and stems from interests in how deep they can penetrate cyber systems. With numerous people stuck at home due to the pandemic, these actors could cause potential problems for shopping centers. Although a gray area, many vandals do not recognize the illegal nature for their actions and remain on the wrong side of the law. It is through these operations that the most long-term impacts will be seen. Without a financial gain, the attacker is most likely looking for a lasting impact on the operations of the shopping center. Moreover, these attacks are expected to occur towards the entire infrastructure of the shopping center as this would cause the largest impact.
States create and exploit weaknesses in other states through means in what is often called hybrid influencing.
The goals range from election meddling to inciting lawlessness in order to destabilize state structures and society. The cyber domain has revolutionized how states are able to impact their target societies through e.g. cyber-attacks on critical infrastructure. As a part of population centers, it is likely that shopping malls may act as a target for hybrid operations. Moreover, even if they are not the main target, there may be collateral damage from attacks on other critical infrastructures such as water and energy.
Russia’s hybrid warfare strategy increasingly includes an attempt to achieve a deterrent effect asymmetrically through cyber weapons, whereas in the earlier stages of warfare development it was carried out using kinetic methods such as conventional armed forces. Cybercriminals are also often used as proxies in Hybrid operations, which makes it more difficult to create a reliable situation awareness. The impact of modern cyber weapons on the armed forces, industry, transport and the lives of citizens is already estimated to be close to that of a nuclear weapon. According to a well-known Russian security company, all cyber warfare efforts aim to disrupt the information systems of the enemy’s economic and financial institutions and state organisations, as well as disrupt the daily life of the entire state. In connection with the latter, the primary aim is to disrupt areas that are important for the viability of the population centres and the functioning of society, such as drinking and sewage systems, electricity distribution systems, and communication and transport connections. While this is an indication of the threats that Russia faces, it can also characterise the way in which Russia operates. In other words shopping centres are attractive targets in many ways and also spectacular information impacts can be achieved.
The targets of cyber operations are round the entire society. All vital functions of the society must be secured also from hybrid and cyber threats. The challenge is growing, and the threat and risk landscape is getting more complex. Comprehensive security approach is needed and improved collaboration with critical stakeholders of society is the key to success.
In the case of shopping centres, two different kinds of cyber security need to be considered: the defence of the retailers within the mall and the shopping centres themselves.
For individual retailers, they can tailor their cyber capabilities as they require. For these organisations, conducting cyber risk analysis is the first steppingstone in developing an effective defence strategy. By detecting weak points, retailers are able to protect themselves from localized attacks and reduce their impacts. It is most likely that these attacks will come from criminals seeking financial gain. Moreover, as stores within the shopping centre are unconnected the impacts of cyber-attacks are limited to the stores that are targeted. However, retailers still remain vulnerable to attacks against the shopping centre.
For the shopping centre as a whole, protecting the physical building is pivotal. As a part of critical infrastructure and a location of population centres it is a likely location of hybrid influencing or cyber vandalism. The cyber defences of a shopping centre can be considered similarly to traditional security units. By protecting processes that are vital to its operation shopping centres can ensure that it does not become the target of cyber operations and a level of widescale protection. Notwithstanding, developing cyber defences in order to protect the entire shopping centres is costly and should be accounted for in rents.
In conclusion, shopping centres face a plethora of cyber domain threats.
Hybrid influencing as well as cybercrime and vandalism are the main threats and should shape the defence frameworks. In order to defend against these threats, a base level of defence must be provided by the shopping centres themselves in order to ensure the safety of the base infrastructure. It is the responsibility of shopping centres to allow retailers to access shoppers. In addition to the basic defence, each retailer must have their own tailored cyber defences to protect their vital operations. In creating this, organizations must consider their own needs for protection. Last but not least the work force must be well trained to make sure that the adequate cyber competences are in place and to minimize the possible insider threat.
Text by: Mr Aapo Cederberg, CEO, Cyberwatch Finland
The article has been previously published on the website of Mall CBRN
Photo: Carol Carter Pixabay