Before the internet era, geopolitical tensions drove traditional espionage, and periodically erupted into warfare. Nowadays, cyberspace not only houses a treasure-trove of commercially and politically sensitive information, but can also provide access to control systems for critical civil and military infrastructure. So it’s no surprise to find nation-state cyber activity high on the agendas of governments.
Notable cyber attacks launched by nation states in recent years include: Stuxnet (allegedly by Israel and the US); DDoS attacks against Estonia, attacks against industrial control systems for power grids in Ukraine, and electoral meddling in the US (allegedly by Russia); and the global WannaCry attack (allegedly by North Korea). China, meanwhile, has been accused of multiple intellectual property theft attacks and, most recently (and controversially), of secreting hardware backdoors into Supermicro servers.
Download all the Cyberwar and the Future of Cybersecurity articles as a free PDF ebook (free TechRepublic registration required)
The global cyber-threat landscape
What does the current threat landscape look like, in broad terms? The 2017/18 threat matrix from BRI (Business Risk Intelligence) company Flashpoint provides a useful overview:
Threat actors are ranked on a six-point capability scale and a four-point potential impact scale, with Flashpoint’s cast ranging from Tier 2 capability/Negligible potential impact (Jihadi hackers) to Tier 6/Catastrophic impact (China, Russia and Five Eyes).
It’s probably no surprise to find China heading the 2017/18 ranking of threat actors, in terms of capability, potential impact and number of verticals targeted:
In its 2018 mid-year update, Flashpoint highlighted various ‘bellwethers’ that may prompt “major shifts in the cyber threat environment”:
• The tentative rapprochement between the U.S., South Korea, and North Korea fails to result in tangible diplomatic gains to end the North Korean nuclear program.
• Additional states follow the U.S. example and relocate their embassy in Israel to Jerusalem.
• The U.S.’ official withdrawal from the Joint Comprehensive Plan of Action (JCPOA) and the subsequent renewal of economic sanctions prompts an Iranian response.
• The ongoing power struggle between Saudi Arabia and Iran for influence in the Middle East leads to kinetic conflict in the region.
• U.S. and European Union-led economic sanctions in place on Russia are extended or tightened.
• The Trump administration adopts a less-compromising approach toward U.S.-China relations or otherwise enacts policies that threaten Chinese core interests. Alternatively, China adopts an increasingly aggressive policy toward securing its vital core interests, including the South China Sea and the questions of Taiwan’s and Hong Kong’s political sovereignty.
• The situation in Syria further deteriorates into direct armed conflict between major states with differing interests in the region, potentially extending further into neighboring states.
• Other nation-states, such as China, Iran, and North Korea adopt the Russian model of engaging in cyber influence operations via proxies, resulting in the exposure of such a campaign.
Cybersecurity policy in the UK
In the UK, the National Cyber Security Center (NCSC) — an amalgam of CESG (the information security arm of GCHQ), the Centre for Cyber Assessment, CERT-UK, and the Centre for Protection of National Infrastructure — issues periodic security advisories, among other services. In April, for example, it warned of hostile state actors compromising UK organisations with focus on engineering and industrial control companies. Specifically, the threats involved “the harvesting of NTLM credentials via Server Message Block (SMB) using strategic web compromises and spear-phishing”. Other recent NCSC advisories have highlighted Russian state-sponsored cyber actors targeting network infrastructure devices and the activities of APT28 (a.k.a. the cyber espionage group Fancy Bear).
In its 2018 annual review, the NCSC said it had dealt with over a thousand cyber incidents since its inception in 2016. “The majority of these incidents were, we believe, perpetrated from within nation states in some way hostile to the UK. They were undertaken by groups of computer hackers directed, sponsored or tolerated by the governments of those countries,” said Ciaran Martin, CEO at NCSC, in the report. “These groups constitute the most acute and direct cyber threat to our national security. I remain in little doubt we will be tested to the full, as a centre, and as a nation, by a major incident at some point in the years ahead, what we would call a Category 1 attack.”
A Category 1 attack constitutes a ‘national cyber emergency’ and results in “sustained disruption of UK essential services or affects UK national security, leading to severe economic or social consequences or to loss of life.”
Despite the efforts of the NCSC, a recent report by the UK parliament’s Joint Committee on the National Security Strategy noted that “The threat to the UK and its critical national infrastructure [CNI] is both growing and evolving. States such as Russia are branching out from cyber-enabled espionage and theft of intellectual property to preparing for disruptive attacks, such as those which affected Ukraine’s energy grid in 2015 and 2016.”
The government needs to do more to change the culture of CNI operators and their extended supply chains, the report said, adding that: “This is also a lesson for the Government itself: cyber risk must be properly managed at the highest levels.”
Specifically, the Joint Committee report recommended an improvement in political leadership: “There is little evidence to suggest a ‘controlling mind’ at the centre of government, driving change consistently across the many departments and CNI sectors involved. Unless this is addressed, the government’s efforts will likely remain long on aspiration and short on delivery. We therefore urge the government to appoint a single Cabinet Office minister who is charged with delivering improved cyber resilience across the UK’s critical national infrastructure.”
Cybersecurity policy in the US
In the US, the September 2018 National Cyber Strategy (the first in 15 years, according to the White House) adopted an aggressive stance, promising to “deter and if necessary punish those who use cyber tools for malicious purposes.” The Trump administration is in no doubt about who the US is up against in the cyber sphere:
“The Administration recognizes that the United States is engaged in a continuous competition against strategic adversaries, rogue states, and terrorist and criminal networks. Russia, China, Iran, and North Korea all use cyberspace as a means to challenge the United States, its allies, and partners, often with a recklessness they would never consider in other domains. These adversaries use cyber tools to undermine our economy and democracy, steal our intellectual property, and sow discord in our democratic processes. We are vulnerable to peacetime cyber attacks against critical infrastructure, and the risk is growing that these countries will conduct cyber attacks against the United States during a crisis short of war. These adversaries are continually developing new and more effective cyber weapons.”
The US cyber security strategy is built around four tenets: Protect the American People, the Homeland and the American Way of Life; Promote American Prosperity; Preserve Peace through Strength; and Advance American Influence.
As far as preserving ‘peace through strength’ is concerned, the Trump administration states that: “Cyberspace will no longer be treated as a separate category of policy or activity disjointed from other elements of national power. The United States will integrate the employment of cyber options across every element of national power.” The objective is to “Identify, counter, disrupt, degrade, and deter behavior in cyberspace that is destabilizing and contrary to national interests, while preserving United States overmatch in and through cyberspace.”
It would seem that the stakes in the cybersecurity/cyberwar game have just been raised by the world’s most powerful nation.
2019 nation-state / cyberwar predictions
Nation-state activity has been prominent in previous annual roundups of cybersecurity predictions (2018, 2017, 2016), and given the above overview we expect plenty more in 2019. Let’s examine some of the predictions in this area that have been issued so far.
|Increase in crime, espionage and sabotage by rogue nation-states||Nuvias Group||With the ongoing failure of significant national, international or UN level response and repercussion, nation-state sponsored espionage, cyber-crime and sabotage will continue to expand. Clearly, most organisations are simply not structured to defend against such attacks, which will succeed in penetrating defences. Cybersecurity teams will need to rely on breach detection techniques.|
|The United Nations proposes a cyber security treaty||Watchguard||In 2019, the United Nations will address the issue of state-sponsored cyber attacks by enacting a multinational Cyber Security Treaty…The growing number of civilian victims impacted by these attacks will cause the UN to more aggressively pursue a multinational cyber security treaty that establishes rules of engagement and impactful consequences around nation-state cyber campaigns. They have talked and argued about this topic in the past, but the most recent incidents — as well as new ones sure to surface in 2019 — will finally force the UN to come to some consensus.|
|A nation-state launches a ‘fire sale’ attack||Watchguard||In 2019, a new breed of fileless malware will emerge, with wormlike properties that allow it to self-propagate through vulnerable systems and avoid detection…Last year, a hacker group known as the Shadow Brokers caused significant damage by releasing several zero day vulnerabilities in Microsoft Windows. It only took a month for attackers to add these vulnerabilities to ransomware, leading to two of the most damaging cyber attacks to date in WannaCry and NotPetya. This isn’t the first time that new zero day vulnerabilities in Windows fueled the proliferation of a worm, and it won’t be the last. Next year, ‘vaporworms’ will emerge; fileless malware that self-propagates by exploiting vulnerabilities.|
|State-sponsored cyber warfare will take center stage||CGS||Traditional cybersecurity tools to protect against state-sponsored cyberattacks are not adequate and often obsolete as soon as they come to market. It is nearly impossible to keep up with cyberattacks as these threats are automated, continuous and adaptive. In the next year, we will continue to see government entities ramping up efforts to develop state-sponsored cybersecurity protections, policies, procedures and guidance. With individuals, businesses and government departments under attack, there must be a unified approach by the government to create guidance on a more holistic, official, focused effort to thwart state-sponsored attacks.|
|A collision course to cyber cold war||Forcepoint||Isolationist trade policies will incentivize nation states and corporate entities to steal trade secrets and use cyber tactics to disrupt government, critical infrastructure, and vital industries.|
|The US-China trade war will reawaken economic espionage against Western firms||Forrester||With heightened geopolitical tensions in Europe and Asia and the US and China in a trade war, expect China’s hacking engine, after a brief respite from 2016 to 2018, to turn again to the US and Western countries. The current (13th) five-year plan serves as an early warning system for firms in eight verticals: 1) new energy vehicles; 2) next-generation IT; 3) biotechnology; 4) new materials; 5) aerospace; 6) robotics; 7) power equipment; and 8) agricultural machinery. If you’re in one of these industries, expect a breach attempt very soon.|
|Trade wars trigger commercial espionage||Cyberark||Government policies designed to create ‘trade wars’ will trigger a new round of nation-state attacks designed to steal intellectual property and other trade secrets to gain competitive market advantages. Nation-state attackers will combine existing, unsophisticated, yet proven, tactics with new techniques to exfiltrate IP, as opposed to just targeting PII or other sensitive data.|
|In 2019 and beyond, we expect to see more nations developing offensive cyber capabilities||FireEye (Kevin Mandia)||There are people that claim nations should not do this, but in the halls of most governments around the world, officials are likely thinking their nation needs to consider offensive operations or they will be at a disadvantage.|
|We are also seeing deteriorating rules of engagement between state actors in cyber space||FireEye (Kevin Mandia)||I have spent decades responding to computer intrusions, and I am now seeing nations changing their behaviors. As an example, we have witnessed threat actors from Russia increase their targeting and launch cyber operations that are more aggressive than in the past. Today, nearly every nation has to wonder: “What are the boundaries of cyber activities? What can we do? What is permissible? What is fair game?” We have a whole global community that is entirely uncertain as to what will happen next, and that is not a comfortable place to be. We must begin sorting that out in the coming years.|
|The final priority is diplomacy. Cyber security is a global problem, and we are all in this together||FireEye (Kevin Mandia)||The fact that a lone attacker sitting in one country can instantaneously conduct an operation that threatens all computers on the internet in other nations is a problem that needs to be addressed by many people working together. We need to have conversations about rules of engagement. We need to discuss how we will enforce these rules of engagement, and how to impose risks on attackers or the nations that condone their actions. We may not be able to reach agreements on cyber espionage behaviors, but we can communicate doctrine to help us avoid the risk of escalating aggression in cyber space. And we can have a global community that agrees to a set of unacceptable actions, and that works together to ensure there exists a deterrent to avoid such actions.|
|As we move into 2019: remain skeptical about what you read, especially on the internet||FireEye (Sandra Joyce)||Russia has been conducting influence operations for a really long time, and not just in the cyber realm. They’re very skilled. We’re seeing other threat actors learning from Russia’s success in cyber influence. For example, we recently uncovered several Iranian inauthentic accounts being used to propagate a social agenda that was pro-Iranian. We’re going to increasingly see these cyber operations from more nations than just Russia, and now Iran, as nations realize how effective this tactic can be. The upside of social media is that everyone can be part of the conversation, but that can clearly be a downside as well.|
|China’s Belt and Road Initiative to drive cyber espionage activity in 2018 and beyond||FireEye (Threat Intelligence)||The Belt and Road Initiative (BRI) is an ambitious, multiyear project across Asia, Europe, the Middle East, and Africa to develop a land (Silk Road Economic Belt) and maritime (Maritime Silk Road) trade network that will project China’s influence globally. We expect BRI to be a driver of cyber threat activity. Cyber espionage activity related to the initiative will likely include the emergence of new groups and nation-state actors. Given the range of geopolitical interests affected by this endeavor, it may be a catalyst for emerging nation-state cyber actors to use their capabilities. Regional governments along these trade routes will likely be targets of espionage campaigns. Media announcements on BRI progress, newly signed agreements, and related development conferences will likely serve as operational drivers and provide lure material for future intrusions.|
|Iranian cyber threat activity against U.S. entities likely to increase following U.S. exit from JCPOA, may include disruptive or destructive attacks||FireEye (Threat Intelligence)||Last year, we reported that should the U.S. withdraw from the JCPOA [Joint Comprehensive Plan of Action], we suspect that Iran would retaliate against the U.S. using cyber threat activity. This could potentially take the form of disruptive or destructive attacks on private companies in the U.S. and could be conducted by false front personas controlled by Iranian authorities purporting to be independent hacktivists. While we do not anticipate such attacks in the immediate or near-term, we suspect that initially Iranian-nexus actors will resume probing critical infrastructure networks in preparation for potential operations in the future.|
|Cyber norms unlikely to constrain nation-state cyber operations in the near future||FireEye (Threat Intelligence)|| Norms of responsible state behavior in cyberspace, though still in their infancy, have the potential to significantly affect the types of future cyber operations conducted by nation-states and their proxies in the long term. Norms can be positive or negative, either specifically condoning or condemning a behavior. The future of cyber norms will be most strongly influenced by political and corporate will to agree, and ultimately decisions by particular states to accept or disregard those norms in their conduct of cyber operations.
Various countries active in cyber diplomacy, along with a small number of international corporations, are exploring norms to manage their increasingly complex and crowded cyber threat landscape. However, except for an emerging consensus to not conduct cyber-enabled theft of intellectual property with the intent to provide commercial advantage, no norm has yet found significant, explicit agreement among states.
It’s clear from the above round-up of predictions that nation states are likely to be more active than ever in cyberspace in 2019. Perhaps we’ll even see the sort of ‘national cyber emergency’ envisaged by the UK’s NCSC, with potential loss of life. That’s the point where cyber attack moves towards cyberwar.
It’s also clear that governments — in the UK and US at least — are increasingly, if belatedly, acknowledging the scale of the problem of hostile nation-state cyber activity. It remains to be seen how effectively they can defend themselves, and even retaliate.
RECENT AND RELATED COVERAGE
Russian hackers are trying out this new malware against US and European targets
A new phishing campaign from a Russian-state backed hacking group targets American and European inboxes.
Russia wants DNC hack lawsuit thrown out, citing international conventions
Russian Federation says it benefits from the same legal protections as the US does when carrying out military cyberattacks.
Security warning: UK critical infrastructure still at risk from devastating cyber attack
Not enough is being done to protect against cyber attacks on energy, water and other vital services.
US, Russia, China don’t sign Macron’s cyber pact
New cyber peace pact signed by 51 other countries, 224 companies, and 92 non-profits and advocacy groups.
States activate National Guard cyber units for US midterm elections
National Guard cyber units activated in Washington, Illinois, and, more recently, Wisconsin.
Phish Fight: Securing Enterprise Communications
Yes, much of the world may have moved on from email to social media and culturally dubious TikTok dances, yet traditional electronic mail remains a foundation of business communication. And sadly, it remains a prime vector for malware, data leakage, and phishing attacks that can undermine enterprise protections. It doesn’t have to be that way.
In a just released report titled “GigaOm Radar for Phishing Prevention and Detection,” GigaOm Analyst Simon Gibson surveyed more than a dozen enterprise-focused email security solutions. He found a range of approaches to securing communications that often can be fitted together to provide critical, defense-in-depth protection against even determined attackers.
Figure 1. GigaOm Radar for Email Phishing Prevention and Detection
“When evaluating these vendors and their solutions, it is important to consider your own business and workflow,” Gibson writes in the report, stressing the need to deploy solutions that best address your organization’s business workflow and email traffic. “For some it may be preferable to settle on one comprehensive solution, while for others building a best-of-breed architecture from multiple vendors may be preferable.”
In a field of competent solutions, Gibson found that Forcepoint, purchased recently by Raytheon, stood apart thanks to the layered protections provided by its Advanced Classification Engine. Area 1 and Zimperium, meanwhile, are both leaders that exhibit significant momentum, with Area 1 boosted by its recent solution partnership with Virtru, and Zimperium excelling in its deep commitment to mobile message security.
A mobile focus is timely, Gibson says in a video interview for GigaOm. He says companies are “tuning the spigot on” and enabling unprecedented access and reliance on mobile devices, which is creating an urgent need to get ahead of threats.
Gibson’s conclusion in the report? He singles out three things: Defense in depth, awareness of existing patterns and infrastructure, and a healthy respect for the “human factor” that can make security so hard to lock down.
When Is a DevSecOps Vendor Not a DevSecOps Vendor?
DevOps’ general aim is to enable a more efficient process for producing software and technology solutions and bringing stakeholders together to speed up delivery. But we know from experience that this inherently creative, outcome-driven approach often forgets about one thing until too late in the process—security. Too often, security is brought into the timeline just before deployment, risking last minute headaches and major delays. The security team is pushed into being the Greek chorus of the process, “ruining everyone’s fun” by demanding changes and slowing things down.
But as we know, in the complex, multi-cloud and containerized environment we find ourselves in, security is becoming more important and challenging than ever. And the costs of security failure are not only measured in slower deployment, but in compliance breaches and reputational damage.
The term “DevSecOps” has been coined to characterize how security needs to be at the heart of the DevOps process. This is in part principle and part tools. As a principle, DevSecOps fits with the concept of “shifting left,” that is, ensuring that security is treated as early as possible in the development process. So far, so simple.
From a tooling perspective, however, things get more complicated, not least because the market has seen a number of platforms marketing themselves as DevSecOps. As we have been writing our Key Criteria report on the subject, we have learned that not all DevSecOps vendors are necessarily DevSecOps vendors. Specifically, we have learned to distinguish capabilities that directly enable the goals of DevSecOps from a process perspective, from those designed to support DevSecOps practices. We could define them as: “Those that do, and those that help.”
This is how to tell the two types of vendor apart and how to use them.
Vendors Enabling DevSecOps: “Tools That Do”
A number of tools work to facilitate the DevSecOps process -– let’s bite the bullet and call them DevSecOps tools. They help teams set out each stage of software development, bringing siloed teams together behind a unified vision that allows fast, high-quality development, with security considerations at its core. DevSecOps tools work across the development process, for example:
- Create: Help to set and implement policy
- Develop: Apply guidance to the process and aid its implementation
- Test: Facilitate and guide security testing procedures
- Deploy: Provide reports to assure confidence to deploy the application
The key element that sets these tool sets apart is the ability to automate and reduce friction within the development process. They will prompt action, stop a team from moving from one stage to another if the process has not adequately addressed security concerns, and guide the roadmap for the development from start to finish.
Supporting DevSecOps: “Tools That Help”
In this category we place those tools which aid the execution, and monitoring, of good DevSecOps principles. Security scanning and application/infrastructure hardening tools are a key element of these processes: Software composition analysis (SCA) forms a part of the development stage, static/dynamic application security testing (SAST/DAST) is integral to the test stage and runtime app protection (RASP) is a key to the Deploy stage.
Tools like this are a vital part of the security layer of security tooling, especially just before deployment – and they often come with APIs so they can be plugged into the CI/CD process. However, while these capabilities are very important to DevSecOps, they can be seen in more of a supporting role, rather than being DevSecOps tools per se.
DevSecOps-washing is not a good idea for the enterprise
While one might argue that security should never have been shifted right, DevSecOps exists to ensure that security best practices take place across the development lifecycle. A corollary exists to the idea of “tools that help,” namely that organizations implementing these tools are not “doing DevSecOps,” any more than vendors providing these tools are DevSecOps vendors.
The only way to “do” DevSecOps is to fully embrace security at a process management and governance level: This means assessing risk, defining policy, setting review gates, and disallowing progress for insecure deliverables. Organizations that embrace DevSecOps can get help from what we are calling DevSecOps tools, as well as from scanning and hardening tools that help support its goals.
At the end of the day, all security and governance boils down to risk: If you buy a scanning tool so you can check a box that says “DevSecOps,” you are potentially adding to your risk posture, rather than mitigating it. So, get your DevSecOps strategy fixed first, then consider how you can add automation, visibility, and control using “tools that do,” as well as benefit from “tools that help.”
High Performance Application Security Testing
This free 1-hour webinar from GigaOm Research. It is hosted by an expert in Application and API testing, and GigaOm analyst, Jake Dolezal. His presentation will focus on the results of high performance testing we completed against two security mechanisms: ModSecurity on NGINX and NGINX App Protect. Additionally, we tested the AWS Web Application Firewall (WAF) as a fully managed security offering.
While performance is important, it is only one criterion for a Web Application Firewall selection. The results of the report are revealing about these platforms. The methodology will be shown with clarity and transparency on how you might replicate these tests to mimic your own workloads and requirements.
Register now to join GigaOm and sponsor NGINX for this free expert webinar.
Arecibo radio telescope’s massive instrument platform has collapsed
The immense instrument platform and the large collection of cables that supported it, all of which are now gone. On...
Waymo is building a new replica city to test its driverless tech
Waymo is opening two new autonomous vehicle facilities, including a dense urban playground for its self-driving passenger cars as they...
Samsung will reportedly kill the Note line to focus on foldables
It has been rumored for years, but now even Reuters is claiming that Samsung is killing the Galaxy Note. Samsung’s...
Loop Team wants to give remote workers an in-office feel – TechCrunch
As we’ve moved to work from home during the pandemic, it’s been challenging for remote workers to feel connected. Loop...
The Galaxy Note 2021 death knell keeps getting louder
Ask not for whom the bell tolls, Galaxy Note, it tolls for thee! Another set of sources delivered bad news...
Social10 months ago
CrashPlan for Small Business Review
Gadgets2 years ago
A fictional Facebook Portal videochat with Mark Zuckerberg – TechCrunch
Mobile2 years ago
Memory raises $5M to bring AI to time tracking – TechCrunch
Social2 years ago
iPhone XS priciest yet in South Korea
Cars2 years ago
What’s the best cloud storage for you?
Security2 years ago
Google latest cloud to be Australian government certified
Cars2 years ago
Some internet outages predicted for the coming month as ‘768k Day’ approaches
Social2 years ago
Apple’s new iPad Pro aims to keep enterprise momentum