With conflict in Israel weighing heavily on many hearts in the cybersecurity community, the preparation for uncertainty in the face of armed conflict is top of mind for many security executives at the moment. Preparing a company and its employees for resilience in an area of potential combat takes a whole other level of preparation and planning beyond the typical business continuity planning. Not only are there elements of physical safety to consider, but today’s reality is that adversaries are likely to also wage cyberwarfare against companies in targeted regions.
Dark Reading recently caught up with a technology leader who has lived this reality during the war in Ukraine. As the CTO of MacPaw, Vira Tkachenko has been an integral part of the executive team tasked with keeping the Kyiv-based software company profitably running through the turmoil of the past two years. With headquarters in Ukraine but offices in the US and other parts of Europe, along with distributed workers worldwide, MacPaw is an international firm that develops utility and security software for macOS and iOS users. It’s best known for its CleanMyMac and Unarchiver apps.
In late 2021, Tkachenko and her colleagues at MacPaw were closely following news and intelligence sources to keep tabs on the risk of war, and they started to seriously develop contingency plans.
“We saw satellite images with military vehicles and all this preparation, and we started considering that we need to do some preparation,” she explains. “So we had some plans before the actual outbreak in February 2022. Speaking truly, we hoped nothing would happen and thought it wouldn’t happen — because it’s 2022 and it shouldn’t be like this. But it did happen.”
It’s been 20 months since the full-scale Russian invasion, and MacPaw still remains operational and continues to develop and support software for customers worldwide. Approximately two-thirds of the company remains in Ukraine.
Tkachenko shares here some of the details of how she and her team have navigated through these past months. Her experiences offer fellow security leaders in other hot zones insights on how they might want to think about wartime cyber resilience.
Create an Emergency Team
Around two months before the actual outbreak, MacPaw created a special group, mostly comprised of executive team members like Tkachenko, plus stakeholders from information security, general IT, product teams, and finance. The goal was to get a well-rounded task force that could do scenario analysis and think about ways to mitigate the biggest risks — essentially threat-modeling the business for wartime — so that critical systems would stay operational.
“The emergency team was two people from each product and people from finance team, some people from the infrastructure team, and from IT, and two people from information security,” she explains. “And for those people, they were aware that this is their new responsibility and we ask them if … it’s possible to maybe leave Ukraine or move to west of Ukraine to be in more safe areas.”
Set Your Priorities
From the outset, MacPaw prioritized the physical safety and security of employees above all else. Overlaid with that, though, was the understanding that while customers may empathize when a company takes the brunt of adverse situations, they typically still expect to receive the services that they paid for. If a company is unable to deliver — be it because of floods, earthquakes, or acts of war — employees and the organization suffer twice, first from the initial destruction of unfolding events and second from the existential threat to business viability in the long run.
“Our first business priority was the safety of our team,” Tkachenko explains. “But our first information security priority was for our customers. They care what happens because it’s war, and it’s a huge deal. But still, they expect that services they bought should operate.”
Harden Your Headquarters
While most of the preparations Tkachenko describes here are about technology resilience, because of the company’s focus on employee safety it’s important to note that one of the first fundamental preparations the emergency team made was for logistics on the human safety side. MacPaw prepared emergency bags for personnel that included things like first-aid kits, sleeping bags, and even food that could be used if they needed to evacuate or shelter in place at the office.
Headquarters in Kyiv was identified as the company’s main resilience spot. The firm put in place a powerful diesel generator, secured emergency water supplies, and prepared for employees to potentially shelter in the office should shelling make it safer to be there than at home.
Bolster Power and Connectivity Options
As the emergency team surveyed the potential risk scenarios, they saw quickly that as an IT company the biggest vulnerabilities were in losing Internet connectivity and power. In addition to the diesel generator for headquarters, the company also provided strong backup power stations for people occupying critical roles, both in and out of the office, to ride out potential blackouts caused by shelling. Tkachenko says that the earliest continuity planning the company did occurred before Starlink came in to provide Ukraine with Internet services, so MacPaw took the initiative to buy satellite Internet stations and set them up in advance of the invasion.
“We had to buy very expensive equipment that was not that easy to use, and it gave us very slow connection speed,” she says. “But we ordered two stations to create some areas for critical people to be able to operate.”
Once Starlink became available, the company started leveraging that as its backup Internet provider.
Build Up Hardware Reserves
In addition to heading off potential connectivity disruptions, MacPaw also prepared for potential supply chain issues that could jeopardize the continued operation of their critical IT systems and servers.
“We expected hardware supply chain disruptors, because when war starts all borders are usually closed and it’s not that easy to get a new, say, laptop,” Tkachenko says. “That’s why we built up in our warehouse some amount of reserve hardware we need for our work, because things will break.”
Set Up Redundant Comms
Whether it is handling security incident response on any normal day or coordinating emergency cooperation during wartime, businesses need their team members to be able to communicate across distributed locations when conditions are rapidly changing. To prepare for conflict, MacPaw introduced additional channels of communication to bolster what it already had in place.
“Communication is everything,” says Tkachenko. “We already used Slack in our company, but we wanted to add another mobile messenger and decided to use Signal. I asked everyone to install Signal and created a huge group for emergency communication.”
Stay Flexible and In Touch
Once the outbreak of war hit, the emergency team tried to stay in touch daily and be flexible with their business arrangements.
“Every morning at 10 a.m. we had a meeting and we discussed what changed. At the beginning, the situation was changing even each hour with new information to consider. At the daily meeting we discussed the current situation, launched projects, and made decisions. Today we’re a lot closer to our routine regimen, but sometimes when a new danger comes up — for example, when there was word about potential danger to the Zaporizhzhia nuclear power plant — we meet regularly again to plan and discuss new activities.”
Plan to Freeze Code Changes
All the while, as a software developer, the company took pains to protect their No. 1 asset during the initial days of the invasion.
“We decided to have a special code freeze regime, because in time of such unusual events everyone gets emotional and some engineer could make changes without thinking rationally that could potentially break all of the systems,” Tkachenko explains.
During a code freeze, the idea is to leave the critical source code in a read-only mode for a period of time.
“Only people from the emergency team were actually authorized to make some changes, if needed,” she says.
Prepare for Spike in Cyberattacks
On the cyber defense front, the MacPaw emergency team also assessed the potential for heightened cyberattacks that could come in concert with the Russian armed invasion.
“We added defenses. We are a very visible company here in Ukraine, and we knew we could be a target from some attacks from Russia,” Tkachenko says. And they did see a spike in DDoS attacks that they think originated from Russia, she explains, especially during the first weeks of the invasion.
In response to that, MacPaw bolstered DDoS protection by partnering with Cloudflare. They also picked up more tooling from a number of companies in the US and Europe that reached out to help. Additionally, the company has bolstered its security education to help employees detect more targeted social engineering attempts.
“We have had security education before, but this year we invested even more into this to provide more advanced education,” Tkachenko says.
Account for Human Realities
Finally, Tkachenko says MacPaw leadership and those on the emergency team have stayed focused on not only the physical health, but also the emotional health of its employees. When employees are scared, coordinating evacuation or shelter-in-place plans for their families, or worried about family members they’re separated from, there’s not a whole lot of room to get work done. The company leadership understood these realities and did their best to just keep employees connected and safe.
“From the emotional side, for the first two weeks we experienced no performance. All of our channels in Slack and other messengers were about the war because we were sitting and reading news,” she says. “Only the emergency team were trying to do some work. What helped us is communication from our COO because our people needed reassurance.”
The company provided financial support and gave employees who wanted to evacuate help to relocate. After a few weeks the company asked its employees to start gradually moving back to work, wherever they were in the world. The executive and emergency teams reviewed strategy and moved deadlines out to account for inevitably lower performance from the teams.
“So even now we’ve got lower performance from some employees because we are human, but it’s getting better,” Tkachenko says. “And sometimes people say that when we’re working, it helps us not think about the war. So work is a positive outlet.”