Over the past six months, a relatively unsophisticated group of attackers used a variety of remote access Trojans to attempt to grab banking details from companies—a scheme reminiscent of tactics used by cyber-criminals.
Yet, these attacks also targeted a number of Russian, Spanish and U.S. government agencies and were more likely the work of nation-state operators, according to an analysis published by network security firm Palo Alto Networks.
Unlike many nation-state attacks, the group was not connected to Russia, China, Iran or North Korea, but to the developing cyber capability in Pakistan, just one of an increasing number of nations developing their cyber capabilities. Pakistan has joined more than 30 nations who now have cyber-attack capabilities, according to the United States' annual threat assessment published in February.
"The risk is growing that some adversaries will conduct cyberattacks—such as data deletion or localized and temporary disruptions of critical infrastructure—against the United States in a crisis short of war," Daniel R. Coats, the U.S. Director of National Intelligence, stated in the report. "Ransomware and malware attacks have spread globally, disrupting global shipping and production lines of U.S. companies."
As the number of nation-state actors increases, U.S. businesses—a favored target of nation-state and cyber-criminal hackers—will continue to be under threat. Unfortunately, even a cyber capability modestly funded by a smaller nation is usually too persistent for most companies to repulse on a regular basis. Larger nation-states will outclass any private-sector opponent, experts say.
"The most dangerous opponents are nation-states," James Lewis, senior fellow at the Center for Strategic and International Studies, told eWEEK. "They are big, they are rich, and they don't really care about the law. No company is going to be able to take them on, and that is where companies can reasonably say to the government that your job is to protect me—and we are not there yet."
So far damages are mounting. In a report released this year, the U.S. Council of Economic Advisors estimated that malicious cyber-activity cost the U.S. economy between $57 billion and $109 billion in 2016. In 2017, the double whammy of the q pidemics likely mean that damages rocketed even higher.
For companies looking to the government to help, however, the wait may be long. A variety of issues still hobble government efforts to aid private-sector firms: from over-classification to concerns over targeting the right adversary. But here are five ways that cyber-security experts hope the U.S. government will help businesses.
1. Sanctions can help, but are not the only way
In 2015, the Obama administration threatened sanctions against China unless the country stopped economic attacks on U.S. private companies. The resulting agreement between China and the United States only blocks the nations from hacking each other's industry for economic gain. Espionage is still fair game. While attacks may have declined, there is no solid evidence that Chinese operational activity has declined, said Christopher Porter, chief intelligence strategist of cyber-security company FireEye.
"There is no evidence that such measures have improved cyber-security for the United States," Porter stated. "Chinese operations continued apace after the 2014 indictment of hackers associated with the Chinese military and decreased only after diplomatic efforts became serious."
A lack of fear of repercussions has made hacking between countries the status quo. Most other countries have operations that hack with relative impunity, because they don't fear retribution. The U.S. government will have to take quick, decisive action to cause economic pain to the countries who hack U.S.-based businesses, CSIS’s Lewis said.
"If we are not willing to do something back, then the bad guys will never stop," Lewis said.
2. U.S. should reconsider what constitutes critical infrastructure
Both the U.S. government and companies need to determine which private-sector systems are critical and should be protected by the weight of the federal government. The U.S. Department of Homeland Security lists 16 critical infrastructure sectors, but vulnerable industries are still not on the list.
Prior to the 2016 presidential election, for example, election systems were considered to solely be the responsibilities of the states, but now efforts are underway to have them designated as critical infrastructure. In January 2017, the U.S. Department of Homeland Security clarified that it now considered election infrastructure to be critical.
"Recent history has shown that the U.S. government is not as good at picking which industries to protect as threat actors are at finding strategically valuable soft targets to hit," FireEye's Porter said. "And today’s institutions, however well-staffed, well-equipped and well-led, have not focused on the right problems."
3. Make more information available to U.S. firms
While some information sharing and analysis centers (ISACs) do well at providing members with information about the latest threats, timely threat information continues to be scarce.
Firms are wary about sharing information with competitors and of the liability inherent in admitting that they may have been breached. Furthermore, when government agencies receive information, it is often a one-way street. Information about attacks tends to be classified and often only provided to industry after companies that could have made best use of the data have been breached by cyber-attacks.
"At a minimum, the director of national intelligence should consider requiring intelligence agencies to provide Secret-level briefings of major findings and technical indicators for all cyber-related finished intelligence that is published," FireEye's Porter wrote. "This would greatly widen the circle of outside experts, private companies, and cleared academics that could benefit from reporting."
However, CSIS's Lewis argued that companies should only participate if they are able to use the data.
"A small company that gets information is probably not going to be able to do something with it," he said. "So, in that case, we need managed services."
4. Increase attackers' pain
To dissuade nation-state groups from attacking companies, federal agencies should find ways to make attacking businesses more painful. Indictments and sanctions do not do enough to dissuade the attackers, said CSIS's Lewis.
"We have to think of what are more extreme measures that would increase the pain for these guys," Lewis said. "Part of it is that the previous administration was unwilling to take action and so there was a general perception among our state opponents that the U.S. would never do anything back."
FireEye's Porter argued that giving more responsibility to military commanders and intelligence directors to conduct cyber operations could help make the U.S. response more agile.
"The U.S. and its allies must push more authority to the commanders of cyber-forces so that they have freedom to act to the degree required to keep citizens safe from ongoing and imminent cyber operations," he said. "President Trump’s decision to revisit PPD 20 and take off some of those handcuffs is a necessary first step."
5. Create international norms for cyber operations
Lewis contributes to a group of internet experts aiming to set standards of behavior among actors in cyberspace. Called the Global Commission on the Stability of Cyberspace, the group is working with the United Nations and other groups to establish normative rules on how countries should act.
"Norms help set behavioral standards," he said. "You have to say here are norms that everyone has agreed to, and your behavior deviated from those norms, and so that justifies some kind of punitive action, whether it's public censure or sanctions or something else."
While companies—especially large enterprises—have the technical resources and capabilities to defend against most threats, the government can help head off the well-funded nation-state actors, Lewis said.
"Getting new defensive technologies out there—the private sector does that quite well," he said. "The government can help bring everyone up to the same level, through standards, and help dissuade the threats through norms and other actions."