Electricity Cybersecurity Board Training | Hybrid and Cyber Risks



Our Briefings for the Board:

We offer customized briefings designed to address specific needs. Whether you require a focused session on a particular topic or a broader discussion on emerging risks, we can tailor the content to align with your priorities. Please feel free to discuss your needs with us, and we will develop a briefing that best supports the Board’s oversight responsibilities.

Alternatively, you can select from our existing briefing topics, designed to provide strategic insights and practical guidance on key governance and risk management challenges and opportunities:


1. No, it is not cyber risk. It is hybrid risk.

Overview

We will keep it simple and clear: Cyber risk must be seen as part of hybrid risk.

There are still companies and organizations that consider cyber risk a technical risk. But even the most advanced organizations must adapt and build their risk management framework on the foundation that we now operate in a fundamentally different world, one where cyber risk is a core component of hybrid risk. The old mindset is dangerously outdated. Today, cyber operations are embedded in economic warfare, political conflict, supply chain disruption, and military strategy. Cyber risk today is not just about protecting networks; it is about protecting societies from hybrid threats.

A hybrid risk management framework should identify primary cyber threats, map their cascading effects on financial, legal, and business operations, and develop cross-functional response strategies.

For centuries, Newtonian mechanics was considered a complete and stand-alone framework for understanding motion and forces. It worked well for most practical applications but failed to explain phenomena at very small (quantum) or very large (cosmological) scales. Eventually, the theory of relativity and quantum mechanics showed that Newtonian physics was just a subset of a much broader and more complex reality.

Similarly, cyber risk has traditionally been seen as a stand-alone issue, much like Newtonian mechanics. However, just as physics evolved to integrate quantum and relativistic perspectives, cyber risk must now be understood as part of the larger hybrid risk environment, where cyber operations interact with economic, political, military, and psychological dimensions.

Instead of thinking “cyber risk”, decision-makers should think “hybrid risk with a cyber component”, to develop a more realistic and effective response strategy. Security strategies must address the full spectrum of hybrid threats, not just cybersecurity in isolation.


Target Audience

This presentation will be delivered exclusively in person during a quarterly Board meeting, featuring tailored case studies specific to an organization’s needs. It will not be available online or via Zoom or similar applications.


Duration

Our briefings can be as short as 30 minutes while remaining comprehensive, or longer, depending on the needs, the program content, and the case studies. We always tailor the program to the needs of each client.


Instructor

George Lekatis. For information about his background and experience, you may visit: https://www.cyber-risk-gmbh.com/About.html




2. State-sponsored but independent hybrid adversaries. The long arm of countries that exploit legal pluralism and make the law a strategic instrument

Overview

According to Article 51 of the U.N. Charter: “Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security.”

But is a cyber-attack comparable to an armed attack?

There is no international consensus on a precise definition of a use of force, in or out of cyberspace. Nations assert different definitions and apply different thresholds for what constitutes a use of force.

For example, if cyber operations cause effects that, if caused by traditional physical means, would be regarded as a use of force under jus ad bellum, then such cyber operations would likely also be regarded as a use of force.

Important weaknesses of international law include the assumption that it is possible to isolate military and civilian targets with sufficient clarity, and to distinguish a tangible military objective to be attained from an attack.

More than 20 countries have announced their intent to use offensive cyber capabilities, in line with Article 2(4) and Article 51 of the United Nations (UN) Charter.

Unfortunately, these capabilities will not help when the attackers are State-sponsored groups and the States supporting them claim not only that they are not involved, but also that their adversaries (the victims) have fabricated the evidence. This is a very effective disinformation operation.

Adversaries have already successfully exploited weaknesses of non-authoritarian societies, especially the differing political and legal interpretations of facts by different political parties. It is difficult to use offensive cyber capabilities in line with democratic principles and international law, as it is almost impossible to distinguish with absolute certainty between attacks from States and attacks from State-sponsored independent groups.

Even when intelligence services know that an attack comes from a State that uses a State-sponsored independent group, they cannot disclose the information and the evidence that supports their assessment, as disclosures about technical and physical intelligence capabilities and initiatives can undermine current and future operations. This is the “second attribution problem” – they know but they cannot disclose what they know.

As an example, we will discuss the data breach at the U.S. Office of Personnel Management (OPM). OPM systems had information related to the background investigations of current, former, and prospective federal government employees, U.S. military personnel, and those for whom a federal background investigation was conducted. The attackers now have access to information about federal employees, federal retirees, and former federal employees. They have access to military records, veterans' status information, addresses, dates of birth, job and pay history, health insurance and life insurance information, pension information, data on age, gender, race, even fingerprints.

But why?

Aldrich Ames, a former intelligence officer turned mole, has said: “Espionage, for the most part, involves finding a person who knows something or has something that you can induce them secretly to give to you. That almost always involves a betrayal of trust.”

Finding this person is much easier if you have data that is easily converted to intelligence, like the data stolen from the U.S. Office of Personnel Management (OPM). This leak is a direct risk to critical infrastructure.

There are questions to be answered, and decisions to be made, not only about tactics and strategy, but also about political and legal interpretation.

We tailor the program to meet specific requirements. You may contact us to discuss your needs.


Target Audience

The program is highly beneficial for the Board of Directors, C-suite executives, and professionals with privileged access to sensitive corporate information.


Duration

Our briefings can be as short as 30 minutes while remaining comprehensive, or longer, depending on the needs, the program content, and the case studies. We always tailor the program to the needs of each client.


Instructor

Our instructors are professionals with extensive, real-world experience in their respective fields. They are equipped to deliver full-time, part-time, or short-form programs, all customized to suit your specific requirements. Beyond teaching, our instructors provide hands-on guidance, offering real-world insights that help bridge the gap between theory and practice. You will always be informed ahead of time about the instructor leading your program.

