Nation-State Cybersecurity Attacks: Three Myths

When I talk about the cybersecurity threats posed by nation states, I can almost see the inner eye-roll, and hear my listener thinking, “Come on! What’s she going on about now?”

They view the entire issue as something out of science fiction; scary in some alternate future, but not something they should be investing money and mental bandwidth on today.

They’re wrong.

Most people subscribe to three beliefs about nation-state cybersecurity attacks that are, to put it bluntly, myths. Let’s take a look at them:

Myth 1: The risk is overblown

No, it’s not.

Cyberterrorism represents a low-risk, high-reward way for bad actors to exert power. For a relatively modest investment of money (compared with, say, the costs of missiles, planes, and warships) a country can develop a finely-tuned toolkit to go after whoever it wishes. Moreover, it can choose whether or not to claim responsibility for its actions, which is yet another lever to pull in the exercise of power.

For this reason, nation-states have been ratcheting up cyberterrorism efforts in recent years. Russia’s interference in the 2016 election is indisputable; U.S. intelligence agencies are united in their belief that Russian-backed groups tampered with the U.S. election, not just through disinformation campaigns but also by actively hacking voting and registration systems. (Despite claims, there is little to no evidence that other countries, including Ukraine, have successfully done so.)

There are good reasons to believe these activities are only the beginning, and 2020 will mark the start of a major upshift in state-sponsored cyberterrorism. Iran is highly likely to follow up its January 2020 missile attack with cyberattacks, according to the U.S. Department of Homeland Security. Nations have been investing in cyberterrorism for years, and the investments are bearing fruit. In addition to Russia and Iran, which are considered the most dangerous in the world, the most active are China and North Korea.

Each country operates a portfolio of groups. Russia’s FSB-backed Turla group in particular represents a major threat, according to Western authorities. Turla has been operational since at least 2012 and has attacked businesses and governments (mostly in Europe) on an ongoing basis since then. Other Russian groups include APT28 and APT29 (APT stands for Advanced Persistent Threat).

Iran also operates a suite of groups, including APT33, APT34, and APT39; in an interesting twist, Turla recently hacked APT34 and was able to gain access to both its victims and its toolkits. China has a veritable flotilla, starting with the oldest (first widely covered in 2011), called APT1. APT12, APT16, APT17, APT19, and APT41 (among others) are also Chinese. North Korea operates APT37 and APT38, the latter of which has focused most recently on attacking financial services firms.

The full list of publicly-known nation-state cyberterrorist threats is published by MITRE. It’s worth a read; not only are there dozens, with a universe of attack strategies, but there’s a broad range of targets, both in terms of geography and vertical industry. Which brings us to the second myth…

Myth 2: I’m not a target

Yes, you are!

Cybersecurity professionals often have the mistaken belief that state-sponsored cyberterrorists only attack other states, not commercial enterprises, not-for-profits, or educational institutions. Nothing could be farther from the truth. As noted in the list above, everyone from financial services firms to logistics, hospitality and entertainment companies (along with major universities) has been a target. Moreover, if you’re among the 67% of organizations deploying IoT today, you’re particularly vulnerable. MITRE recently launched an initiative to track ICS attacks, and the list of known attacks (and attackers) is sobering. (ICS stands, of course, for industrial control systems.)

If you’re an American company, you’ve likely downplayed the risks because until now, the majority of non-governmental targets have been outside the U.S. For the reasons noted above, that’s likely to change. Nation-states have actively and officially targeted the U.S., and government and national infrastructure is only one part of the potential target base. Keep in mind that the goal of these attacks is to exert power and sow chaos; attacks on government offices and infrastructure are only one way to do that. Effective attacks on non-governmental businesses and not-for-profits can do equally well.

My belief, as a cybersecurity professional and someone with personal experience of terrorist attacks (both in Rome, Italy and in New York City), is that in 2020, nation-states will begin targeting “iconic” American brands (American Airlines, Starbucks, McDonald’s, Disney, etc.). A successful attack against any one of these companies would serve the dual purpose of materially damaging the U.S. economy and of exposing American weakness. Speaking of American weakness, that brings us to the third myth…

Myth 3: The government will protect me

No, it won’t.

Despite several recent, high-profile announcements, such as the creation of the Cybersecurity and Infrastructure Security Agency and the passage of a range of cybersecurity acts, the federal, state, and local governments are doing frighteningly little to protect themselves, let alone American companies and not-for-profits. In 2019 several municipalities, including Baltimore, New Orleans, and Pensacola, were paralyzed by ransomware attacks. And in terms of material investment, although the Senate finally authorized $425 million in election-protecting cybersecurity funds in late December, most professionals believe this investment is too little, and too late, to have much impact on the 2020 elections.

If the government can’t even protect itself, then the message to non-governmental organizations is, “Good luck!”

What’s a Cybersecurity Pro Like Me To Do*?

If you’ve read this far and are starting to get scared, good. Fear can be the energy required to take necessary actions. While by no means comprehensive, here’s a starting checklist:

  • Have a strategy for dealing with nation-state attacks. Although the actual impact of such attacks may be indistinguishable from those from other sources, it’s worth investing the time and energy to think specifically about nation-state attacks. Even if all you do is task a team member with staying up to speed on these attacks, and refresh your database of local, state, and federal agencies empowered to assist with such attacks, that’s better than nothing.
  • Pay special attention to protection from ransomware, supply-chain, industrial IoT, and spyware attacks. Nation-state attacks fall disproportionately into two categories: denial of service and spying. That is, the goal is often either to keep an organization from functioning normally (the net effect of ransomware and IoT attacks) or to invisibly and undetectably capture sensitive information.
  • Review your cybersecurity insurance policies. There’s a rule of thumb that cybersecurity insurance doesn’t cover cyberterrorism. That may or may not be accurate, depending on the policy, but either way you’ll want to know.
  • Revise your incident response policy to include the case of nation-state attacks. This may be as simple as adding a pre-written communications message informing employees and customers that your organization has been the victim of a nation-state attack. It may also include adding the right law-enforcement groups to your response. Regardless, your IRP should cover the case.
  • Monitor MITRE and other sites tracking nation-state attacks. Don’t assume they have nothing to do with you. Keep tabs on what’s going on, and take action as you believe necessary.
  • Engage your customers and third parties in dialogue about nation-state attacks. Your customers may be as complacent as you might have been before reading this article. Or they may be way ahead of you. Reach out to them and initiate a discussion with their cybersecurity teams about ways you can work together to combat such attacks.

As noted, there’s plenty more that you can and should be doing. If you’re interested in a discussion, hit me up at johna at nemertes dot com; I’m happy to help.

*H/T Warren Zevon, Turbulence, ©1989

Turmoil back in Moscow brought this turbulence down on me
Well you can talk about your perestroika
And that’s all right for you
But, Comrade Schevardnadze, tell me
What’s a poor boy like me to do?
