The harmonious headline themes of the September Group of 20 summit in Hangzhou, China, included climate change, economic growth and limits on offshore tax havens. But when U.S. President Barack Obama emerged from a one-on-one with his Russian counterpart, Vladimir Putin, Obama described the meeting with the ominous diplomatic code words “candid, blunt and businesslike.”
E-mails of Obama’s party organization, the Democratic National Committee (DNC), had recently been hacked into, and the attack was widely attributed to Russia — although the White House itself was not openly saying so. Confirming in his news conference that cybersecurity was a discussion point with Putin, Obama made a rather remarkable boast. “We’re moving into a new era here where a number of countries have significant capacities,” he said. “Frankly, both offensively and defensively, we have more capacity.”
To experts in information security, the U.S.’s cyber superiority has never been called into question, even as Russia has displayed “significant capacities” in conjunction with military actions against Estonia, Georgia and Ukraine, and China allegedly orchestrated sizable intellectual property and trade secret thefts before cutting back on the practice last year.
But throwing down the gauntlet as he did, Obama brought attention and urgency to a source of cyberthreats, known as state actors, that had been obscure to many businesses and the general public. Criminality, as in online credit card or identity theft, and politically motivated hacktivism by the likes of Anonymous or WikiLeaks have been more immediate and tangible attack vectors.
Lines were blurred in the November 2014 infiltration of Sony Pictures Entertainment, a hacktivist-like protest of the release of the film The Interview that the U.S. officially attributed to a state actor, North Korea. It showed the havoc that a relatively small hacker force can cause and how a geopolitical issue can “bleed over into civic–commercial space,” says Kenneth Geers, Toronto-based senior research scientist with cybersecurity company Comodo and nonresident senior fellow at the Atlantic Council’s Cyber Statecraft Initiative.
The DNC hack and other incidents this year — involving two state election agencies, the SWIFT bank messaging network, the U.S. National Security Agency and the Moscow bureau of the New York Times — suggest that it is not just nation-states that should be on alert for state actors.
“Everybody has to realize that there is a way in, and you have to be prepared,” says Rishi Bhargava, co-founder and vice president of marketing at Demisto, a Cupertino, California–based developer of automated security operations and investigation tools. State actors “have more than financial motivation, and they are on the offensive,” Bhargava says. A direct assault on, say, a major bank has not been documented, “but states are capable of sophisticated, collaborative attacks,” such as denial-of-service attacks that can disable a website and cause financial and reputational damage. “It’s only a matter of time,” he notes.
David Thompson, head of product management at Israel- and Silicon Valley–based attack detection technology company LightCyber, points out that cyber advances, in common with other technological innovations, “democratize over time.” If nation-states are at the top of the pyramid, their capabilities will likely “trickle down to other actors.” A proliferation of attacks could be a serious problem for older network infrastructures.
“Barriers to entry get lower over time,” says Cedric Leighton, a Virginia-based consultant whose background includes Air Force intelligence and the National Security Agency. He expects companies “will be more and more on the frontlines of cyber war,” and they will have to raise their game “because they are not accustomed to a militarized environment.” They could be caught up in high-level “influence operations” like those Russia has carried out in its border conflicts — “the U.S. is seen as the biggest prize to gain influence over,” Leighton adds. In the worst case, he says, hostile actors could gain access to intellectual property or strategic plans and threaten a company’s survivability.
“You should have as broad a perspective on the threat landscape as you can,” advises Steve Durbin, managing director of the nonprofit Information Security Forum: “If you are a multinational corporation, if you do work with government agencies, you could be a target, or you could be a route into a third-party target. Really, everybody is in it.”