Corporate leaders might well wonder how to reconcile frequent global headlines about cyber espionage with last year’s unprecedented anti-hacking agreement by the Group of 20 largest economies. Current events, leaks, and reports from researchers have propelled press coverage of potential nation-state hacking, including a U.S. assessment that state-sponsored cyber spies stole political data leaked amid the U.S. presidential race; unconfirmed reports that such hackers might have also purloined and disclosed U.S. National Security Agency hacking tools; media buzz asserting a decline in cyber-enabled economic espionage against U.S. industry; and unconfirmed reports that nation-state hackers orchestrated one of the biggest bank heists in history.
Without delving into particular investigations, let’s dispel four myths about cyber espionage that might arise from the headlines.
This is Part 1 of a series. Part 2 will examine how watchful companies can proactively mitigate sophisticated cyber risks.
Myth: World leaders agreed last year not to hack the private sector.
Reality: Last year’s G-20 agreement was never expected to ban all cyber espionage – it was aimed at prohibiting spying for commercial gain. The agreement is silent on all hacking conducted by governments under the auspices of national security, meaning such operations will likely continue amid uncertainty about the future of cyber deterrence policy. In addition, outlier governments that shun international norms represent a wild card in the global risk landscape. The need for vigilance in the form of proactive mitigation of cyber risks has never been greater. The inability to prevent all cyber incidents has put a premium on detecting threats as soon as possible.
PwC’s Global State of Information Security® Survey 2016 report highlights the prospect of increasingly bold state-sponsored hacks. “For governments and businesses,” the report notes, “espionage and political hacking will merge as attack techniques become more nuanced and aggressive.” Further, the report predicts “increasingly brazen attacks by nation-states and politically motivated hacktivists.” State-sponsored hackers generally possess significantly greater resources, tradecraft and technology than criminal groups and lone-wolf hackers. The most elite professionals are uniquely postured to exploit cybersecurity gaps and society’s reliance on digital systems by penetrating networks and remaining undetected for long periods of time, stealing vast quantities of sensitive data; infiltrating key infrastructure; perpetrating cybercrime; and covering their tracks.
Myth: The problem of hacking by foreign governments is receding.
Reality: Sophisticated nation-states can rapidly change their tactics, techniques and procedures, outpacing public reporting by cybersecurity researchers. The murkiness of cyberspace and stealth of state-sponsored hackers make it impossible to be certain whether so-called dips in cyber espionage are genuine or whether malicious actors are instead evading detection – either by honing techniques and adopting methods unknown to the security community or by changing targeting and shifting operations to different personnel.
A Pentagon study, for instance, which identified a decline in suspicious network activity reports attributed to hackers in East Asia and the Pacific in fiscal year 2014, assessed that the hackers “possibly used this slowdown to refine and hone collection actions as the information identified in these attacks appeared to be of greater value.” The suspicious network activity reports were filed by defense contractors with security clearances, as required by the Pentagon.
The latest iteration of the annual study, released this month by the Defense Security Service, states that FY15 marked the third consecutive year with a decline in suspicious network activity reports attributed to hackers in East Asia and the Pacific. “While East Asia and the Pacific entities improved their [computer network exploitation] tactics, techniques, and procedures, cleared contractors also became more aware of these activities,” the agency wrote. Strides that cleared contractors made in their ability to detect and defeat cyber threats might have contributed to the dip in reports, the study assessed with moderate confidence. With equal confidence, however, the study assessed that “cyber actors from East Asia and the Pacific and the Near East will almost certainly continue to conduct spear phishing and network attacks against cleared industry targets, as well as continue adjusting existing tactics, techniques, and procedures and developing new ones.” The study urged cleared contractors to “remain vigilant protecting their networks and educating their employees about this threat.”
Myth: Cyber espionage risks are limited to select countries.
Reality: No organization is immune to the risks of cyber espionage, regardless of geographic location. The World Economic Forum’s Global Risks Report 2016 [1] notes that government-sponsored economic espionage threats in cyberspace “exceed the defensive capabilities of many commercial enterprises, which are more and more frequently looking to other governments to intervene.” What operations state-sponsored hackers might conduct, and when, where, why and how, could vary significantly depending on their national affiliation and geopolitics. Inherent sensitivities constrain government and industry’s public discussion of these risks, sometimes referred to as “advanced persistent threats.” Given the improbability of preventing breaches by world-class hackers, organizations worldwide face an unprecedented need to proactively manage cyber risks across their enterprises, with an emphasis on detecting intrusions as soon as possible.
Further, some regions face relatively steep cybersecurity learning curves. In terms of overall cybercrime, companies in the Middle East suffered greater losses and more frequent incidents compared to other regions last year, according to a PwC Middle East report. Palo Alto Networks has reported this year on cyber espionage efforts within the Middle East targeting financial and defense organizations.
Myth: Recent headlines show that cyber espionage is exclusively a problem for governments to address.
Reality: Cyber espionage threats are evolving in ways that could have significant implications for private-sector organizations worldwide. Increasingly, there are opportunities for businesses to be more watchful about cyber espionage; to better understand the risk landscape; to proactively mitigate cyber risks in ways that meaningfully improve security; to reduce the likelihood of breaches; and to ensure business continuity in the event of a major incident.
The U.S. Democratic National Committee hack and leak – which some analysts have argued is a state-sponsored effort using a false lone-hacker persona – has spurred commentary on the challenges of attribution, cyber deterrence and media coverage of potential information operations. NATO’s cyber defense center has labeled the incident “an attempt by a nation, possibly through a proxy, to influence the political and the top electoral process of another nation by means of a cyber attack.” Broadly speaking, the incident raises the prospect that targeted organizations might increasingly need to be concerned about hackers leaking data with malicious intent. The head of U.S. Cyber Command, Adm. Michael Rogers, recently told NPR in an interview that he expects hackers will again in the future “attempt to steal significant amounts of privately held data with a view towards potentially attempting to achieve a strategic outcome or impact.”
The theft and leaking of sophisticated “Equation Group” hacking tools – which unconfirmed reports say were stolen from the NSA – raises significant questions about how the disclosure of such information might lead to increased cybersecurity risks worldwide. A mysterious group called the “Shadow Brokers” has claimed responsibility for the disclosure. If hacking tools used by elite government professionals under the auspices of national security fall into the hands of criminal groups, the distinction between the tactics, techniques and procedures used by such threat actors could increasingly blur as criminals creatively exploit capabilities previously beyond their reach.
Government actions – including indictments of hackers, President Obama’s 2015 executive order on cyber sanctions, nascent efforts to develop cyber deterrence policy, and international agreements, both bilateral and multilateral – have the potential to advance the development of global norms of behavior in cyberspace for nations. Further, U.S. national security experts have recently cautioned against political rhetoric that might appear to invite cyber espionage.
The private sector, however, can seize the initiative to better understand and address sophisticated cyber risks. In Part 2 of this series, we’ll examine tools that corporate leaders can use to better posture their organizations for success in light of the realities of the evolving threat landscape.
[1] The Global Risks Report 2016, World Economic Forum, Switzerland, 2016
Dispelling Myths About Cyber Espionage