According to Bryan Becker, an application security researcher at WhiteHat Security, the United States is “woefully behind the entire developed world in terms of cybersecurity.” Defensively, he insists, it would “easily take us a decade” and then some to catch up with allies and competitors alike. Does this mean that it’s up to the cybersecurity industry, rather than the military, to protect systems and data from nation-state attack? I’ve been exploring the role of cybersecurity vendors when it comes to cyberwarfare, and what business needs to do in order to prevent becoming a collateral damage statistic in the ongoing geopolitical cyber conflict.
Mention cyberwarfare and most businesses tend to sigh and move on to something less weighted down with the baggage of hyperbole. Which, truth be told, is a huge mistake. While there are plenty of opinions out there as to what is actually meant by cyberwarfare from the intellectual and theoretical perspective, in the real world the distinctions between a cyberwar play and a cybercriminal attack are precious few. The cyberwarfare label can make a threat look far removed from something that a mainstream business might imagine being a target for. That relevancy disconnect is actually pretty damaging. Zeki Turedi, a technology strategist with CrowdStrike, told me that “the techniques and approaches used by state-sponsored actors are often the same as used by cybercriminals, so the motivation is less important in many ways than the need to spot and deal with these incidents in a timely and proactive manner.”
This blurring of tactics used by nation states and cybercriminals alike is something that Turedi calls the ‘democratization of cyberwarfare.’ If evidence were required to show why business needs to take this stuff seriously, then the CrowdStrike Observations From The Front Line Of Threat Hunting report published earlier this month is it. This highlighted that China was the most prolific nation-state actor, actively engaging in persistent and highly targeted intrusion campaigns against economic sectors including mining, pharmaceutical, professional services and transportation, amongst others. Which isn’t to say that China is necessarily the biggest threat in this attack realm. “Russia clearly poses the largest threat, both immediate and long term,” says Becker. He told me that both Russia and North Korea have been investing in and growing their cyber-operations continually since the Cold War and are now decades ahead of the rest of the world in terms of their experience. This conflicts somewhat with the view of Trevor Reschke, head of threat intelligence at Trusted Knight, whom I mentioned in my earlier analysis of likely cyberwar outcomes as saying North Korea doesn’t possess any real cyberwarfare capabilities but rents these from others. “North Korea tends to focus their efforts on stealing money for the regime,” Becker says, while Russia is more focused on destabilizing the liberal West. Part of the problem in attributing attack capabilities is that false flags are so commonplace. From the perspective of the security researcher, attribution requires the discovery of artefacts such as the time zone in which the code was created, language-specific keywords buried deep within it, and so on.
“However, these artefacts can also be deliberately planted to throw researchers off track,” according to Liviu Arsene, senior e-threat analyst at Bitdefender, who continues, “which is why attributing a cyberattack to a declaration of war is something much more than just a technical analysis of the malware itself.”