Understanding the Impact of the Russia-Ukraine Conflict on Cybersecurity

We will always remember the waning days of February 2022, when Russia undertook an unprovoked attack on and invasion of Ukraine. As these words become available to read in March 2022, it is unlikely that we will have a clear roadmap toward a peaceful solution. In our thematic investing, we have been focused on the cybersecurity megatrend and find it interesting to consider this particular megatrend in light of Russia’s well-established cyber warfare tactics. It is also important to consider how the very large stocks of raw materials in Russia and Ukraine can travel through related technology-oriented supply chains.

Companies Focused on Cybersecurity Are Taking Action

Microsoft is likely the world’s largest cybersecurity company, if we accept the need to secure such things as Azure (its cloud platform) and Office 365 (its productivity suite, used across the world). The current size of Microsoft’s cybersecurity business is $15 billion in revenue, representing year-over-year growth of 45%. This doesn’t mean that Microsoft doesn’t get compromised.¹ Of late²:

• Microsoft was compromised in the December 2020 Solarwinds hack, an attack with possible links to the Russian government.
• Only months later, the Exchange email attack had possible links to China’s government.
• Relatively recently, a flaw within the Azure cloud platform was discovered by cybersecurity company Wiz Inc.

Charlie Bell, a 23-year veteran of Amazon Web Services, is responsible for Microsoft’s cybersecurity effort, and he has 10,000 reports and billions of dollars to deploy in this effort. 

On February 23, 2022, CrowdStrike noted, on its blog, the existence of a new wiper malware being used to target Ukraine systems, known as DriveSlayer. According to CrowdStrike, this was the second destructive malware found recently targeting the region, the first being WhisperGate.³  

Mandiant, another leading cybersecurity company, has reminded customers that Russia has twice turned off power to Kiev in winter. The company also implored customers to recall the effects of the NotPetya attack in 2017. Mandiant noted that cyber warfare is asymmetric, in that Russia, which cannot compete with the world’s largest militaries straight up, needs to use such tactics to show the appearance of parity with other countries.⁴

Characterizing the KNOWN Risks

IT Outsourcing

Ukraine is a vibrant marketplace for information technology (IT) outsourcing services. Its Ministry of Foreign Affairs notes that more than 100 of Fortune 500 companies rely at least partially on services provided from Ukraine. In fact, Ukraine’s IT export volume increased 36% to a figure of $6.8 billion in 2021, up from roughly $5 billion in 2020. Currently, there are 85,000 to 100,000 export service workers in Ukraine, focused primarily on software engineering and IT services.⁵

Certain companies have noted using and employing engineers in the region, including:

• SAP SE
• Revolut Ltd.
• Fiverr
• Wix.com

Semiconductor Supply Chains

Without question, the Ukraine conflict is not focused on a global center of semiconductor production—which would be in direct contrast to a location like Taiwan if it were to come up as a region of future potential conflict. However, Ukraine and Russia are important for the global supply of both neon and palladium. 

This region supplies 40%–50% of semiconductor-grade neon, which is used in some of the lasers involved in chip production. About 75% of the global production of neon ends up used for this purpose. ASML, a major player in the production of chip-making equipment, has indicated that less than 20% of the neon it uses comes from this region, so there shouldn’t be a massive impact in the shorter term.⁶ Of course, that could change as the conflict extends into the future. 

Then, about 37% of the world’s palladium supply comes from Russia. Even if it’s not the main ingredient in chips, it does get used in certain sensor and memory chips.⁷ The global chip shortage from the pandemic has yet to be resolved, so further hurdles will not be helpful in putting this behind us in the global economic landscape. 

Cyberattacks

Russia has an established history of using cyberattacks against Ukraine, most notably the NotPetya attack of June 2017. This knocked out federal agencies, transport systems, cash machines and even the radiation monitors at the Chernobyl site—in short, it was basically ‘lights out’ in Ukraine’s infrastructure for a period. However, as is often the case with networked systems, NotPetya did not stay confined to Ukraine, a country that is globally integrated. Some of the world’s largest companies were impacted⁸:

• Maersk-Shipping
• Saint-Gobain-French Construction
• Mondelez International (owns Cadbury)
• Merck-Pharmaceuticals

The overall estimate of the global damage was in the range of $10 billion, and it is widely believed to be the most expensive example of a cyber attack ever recorded. 

It is also worth noting that even before the specific Ukraine conflict in February 2022, there had been a 100% rise in significant nation state incidents between 2017 and 2020. In fact, there was an average of more than 10 publicly attributed cyberattacks a month in 2020.⁹

Specific cyberattacks are often tricky to attribute precisely. Expeditors International, a logistics supply chain company based near the Port of Seattle, was attacked in late February 2022. Their operations were severely impacted,¹⁰ but, as of this writing, the attack is not known to have links to Russian state actors. Nvidia also had a cybersecurity issue in late February 2022, but early disclosures also do not indicate a direct Russia connection. They also indicate that Nvidia was able to largely continue its operations.¹¹

Ways to Invest in the Cybersecurity Response

We would pause to emphasize that any war is a tragedy, and the best possible outcome is always found on a path back toward peace. Barring that for the moment, it is our responsibility as investors, consumers and businesspeople to be reminded of the importance of cybersecurity precautions and having a security mindset. It was interesting to see a quote attributed to Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency in the Biden Administration, to the effect that using two-factor authentication could protect the general user in 99% of cases.¹²

Within the megatrend investment landscape, we offer two primary avenues:

1. Cloud computing: Cloud computing refers to a specific infrastructure setup that allows for the consumption of software through subscriptions and internet connections as opposed to needing physical, local copies. Updates and bug fixes are often pushed seamlessly across all users, and packages can be highly customized. Diversified portfolios of cloud computing companies, such as the WisdomTree Cloud Computing Fund (WCLD) generally include companies focused on delivering cybersecurity solutions.
2. Cybersecurity: Cybersecurity is an important enough topic that concentration could be warranted. Diversified portfolios of specific cybersecurity companies would necessarily be more concentrated than broad-based cloud portfolios, but could provide interesting ways for investors to align with those looking to beef up their cyber defenses. The WisdomTree Cybersecurity Fund (WCBR) is one such example. 

WisdomTree, in collaboration with Nasdaq, leverages the expertise of Bessemer Venture Partners in the case of cloud computing and Team8 in the case of cybersecurity. While Bessemer is a leading venture capitalist in cloud computing firms, Team8 boast in its leadership ranks former heads of the National Security Agency (NSA) and the Israeli Defense Force’s Unit 8200. In both strategies, this expertise is leveraged twice per year to refresh portfolio constituents. 

 

 

 ¹ Source: Tilley, Aaron & Robert McMillan, “Microsoft’s New Security Chief Says it Is Time to Take Shelter in the Cloud,” Wall Street Journal, 2/23/22. 
² Source: Tilley, 2022. 
³ Source: Thomas et al, “CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks,” CrowdStrike Blog, 2/25/22. 
⁴ Source: Joyce, Sandra. “The Ukraine Cyber Crisis: We Should Prepare, but Not Panic,” Mandiant Blog, 2/15/22
⁵ Source: Bousquette, Isabelle & Suman Bhattacharyya, “Ukraine’s Booming Tech Outsourcing Sector at Risk after Russian Invasion,” Wall Street Journal, 2/24/22. 
⁶ Source: Bhattacharyya, Suman, “Russian Attack on Ukraine Could Dent Chip-Maker Supply Lines,” Wall Street Journal, 2/25/22. 
⁷ Source: Bhattacharyya, 2022. 
⁸ Source: “Companies Have a Lot to Fear from Russia’s Digital Warmongering,” The Economist, 2/19/22. 
⁹ Source: McGuire, Michael, “Nation States, Cyber Conflict and the Web of Profit.” HP Wolf Security, 2021. 
¹⁰ Source: Liu, Nicolle, “Expeditors International Shuts Down Computer Systems after Cyberattack,” Wall Street Journal, 2/22/22. 
¹¹ Source: King, Ian & William Turton, “Nvidia Breach Seen as Ransomware Attack Unconnected to Ukraine,” Yahoo Finance, 2/25/22. 
¹² Source: Jen Easterly @CISAJen, Twitter, 11/9/21.