Before the internet era, geopolitical tensions drove traditional espionage, and periodically erupted into warfare. Nowadays, cyberspace not only houses a treasure-trove of commercially and politically sensitive information, but can also provide access to control systems for critical civil and military infrastructure. So it’s no surprise to find nation-state cyber activity high on the agendas of governments.
Notable cyber attacks launched by nation states in recent years include: Stuxnet (allegedly by Israel and the US); DDoS attacks against Estonia, attacks against industrial control systems for power grids in Ukraine, and electoral meddling in the US (allegedly by Russia); and the global WannaCry attack (allegedly by North Korea). China, meanwhile, has been accused of multiple intellectual property theft attacks and, most recently (and controversially), of secreting hardware backdoors into Supermicro servers.
Download all the Cyberwar and the Future of Cybersecurity articles as a free PDF ebook (free TechRepublic registration required)
The global cyber-threat landscape
What does the current threat landscape look like, in broad terms? The 2017/18 threat matrix from BRI (Business Risk Intelligence) company Flashpoint provides a useful overview:
Threat actors are ranked on a six-point capability scale and a four-point potential impact scale, with Flashpoint’s cast ranging from Tier 2 capability/Negligible potential impact (Jihadi hackers) to Tier 6/Catastrophic impact (China, Russia and Five Eyes).
It’s probably no surprise to find China heading the 2017/18 ranking of threat actors, in terms of capability, potential impact and number of verticals targeted:
In its 2018 mid-year update, Flashpoint highlighted various ‘bellwethers’ that may prompt “major shifts in the cyber threat environment”:
• The tentative rapprochement between the U.S., South Korea, and North Korea fails to result in tangible diplomatic gains to end the North Korean nuclear program.
• Additional states follow the U.S. example and relocate their embassy in Israel to Jerusalem.
• The U.S.’ official withdrawal from the Joint Comprehensive Plan of Action (JCPOA) and the subsequent renewal of economic sanctions prompts an Iranian response.
• The ongoing power struggle between Saudi Arabia and Iran for influence in the Middle East leads to kinetic conflict in the region.
• U.S. and European Union-led economic sanctions in place on Russia are extended or tightened.
• The Trump administration adopts a less-compromising approach toward U.S.-China relations or otherwise enacts policies that threaten Chinese core interests. Alternatively, China adopts an increasingly aggressive policy toward securing its vital core interests, including the South China Sea and the questions of Taiwan’s and Hong Kong’s political sovereignty.
• The situation in Syria further deteriorates into direct armed conflict between major states with differing interests in the region, potentially extending further into neighboring states.
• Other nation-states, such as China, Iran, and North Korea adopt the Russian model of engaging in cyber influence operations via proxies, resulting in the exposure of such a campaign.
Cybersecurity policy in the UK
In the UK, the National Cyber Security Center (NCSC) — an amalgam of CESG (the information security arm of GCHQ), the Centre for Cyber Assessment, CERT-UK, and the Centre for Protection of National Infrastructure — issues periodic security advisories, among other services. In April, for example, it warned of hostile state actors compromising UK organisations with focus on engineering and industrial control companies. Specifically, the threats involved “the harvesting of NTLM credentials via Server Message Block (SMB) using strategic web compromises and spear-phishing”. Other recent NCSC advisories have highlighted Russian state-sponsored cyber actors targeting network infrastructure devices and the activities of APT28 (a.k.a. the cyber espionage group Fancy Bear).
In its 2018 annual review, the NCSC said it had dealt with over a thousand cyber incidents since its inception in 2016. “The majority of these incidents were, we believe, perpetrated from within nation states in some way hostile to the UK. They were undertaken by groups of computer hackers directed, sponsored or tolerated by the governments of those countries,” said Ciaran Martin, CEO at NCSC, in the report. “These groups constitute the most acute and direct cyber threat to our national security. I remain in little doubt we will be tested to the full, as a centre, and as a nation, by a major incident at some point in the years ahead, what we would call a Category 1 attack.”
A Category 1 attack constitutes a ‘national cyber emergency’ and results in “sustained disruption of UK essential services or affects UK national security, leading to severe economic or social consequences or to loss of life.”
Despite the efforts of the NCSC, a recent report by the UK parliament’s Joint Committee on the National Security Strategy noted that “The threat to the UK and its critical national infrastructure [CNI] is both growing and evolving. States such as Russia are branching out from cyber-enabled espionage and theft of intellectual property to preparing for disruptive attacks, such as those which affected Ukraine’s energy grid in 2015 and 2016.”
The government needs to do more to change the culture of CNI operators and their extended supply chains, the report said, adding that: “This is also a lesson for the Government itself: cyber risk must be properly managed at the highest levels.”
Specifically, the Joint Committee report recommended an improvement in political leadership: “There is little evidence to suggest a ‘controlling mind’ at the centre of government, driving change consistently across the many departments and CNI sectors involved. Unless this is addressed, the government’s efforts will likely remain long on aspiration and short on delivery. We therefore urge the government to appoint a single Cabinet Office minister who is charged with delivering improved cyber resilience across the UK’s critical national infrastructure.”
Cybersecurity policy in the US
In the US, the September 2018 National Cyber Strategy (the first in 15 years, according to the White House) adopted an aggressive stance, promising to “deter and if necessary punish those who use cyber tools for malicious purposes.” The Trump administration is in no doubt about who the US is up against in the cyber sphere:
“The Administration recognizes that the United States is engaged in a continuous competition against strategic adversaries, rogue states, and terrorist and criminal networks. Russia, China, Iran, and North Korea all use cyberspace as a means to challenge the United States, its allies, and partners, often with a recklessness they would never consider in other domains. These adversaries use cyber tools to undermine our economy and democracy, steal our intellectual property, and sow discord in our democratic processes. We are vulnerable to peacetime cyber attacks against critical infrastructure, and the risk is growing that these countries will conduct cyber attacks against the United States during a crisis short of war. These adversaries are continually developing new and more effective cyber weapons.”
The US cyber security strategy is built around four tenets: Protect the American People, the Homeland and the American Way of Life; Promote American Prosperity; Preserve Peace through Strength; and Advance American Influence.
As far as preserving ‘peace through strength’ is concerned, the Trump administration states that: “Cyberspace will no longer be treated as a separate category of policy or activity disjointed from other elements of national power. The United States will integrate the employment of cyber options across every element of national power.” The objective is to “Identify, counter, disrupt, degrade, and deter behavior in cyberspace that is destabilizing and contrary to national interests, while preserving United States overmatch in and through cyberspace.”
It would seem that the stakes in the cybersecurity/cyberwar game have just been raised by the world’s most powerful nation.
2019 nation-state / cyberwar predictions
Nation-state activity has been prominent in previous annual roundups of cybersecurity predictions (2018, 2017, 2016), and given the above overview we expect plenty more in 2019. Let’s examine some of the predictions in this area that have been issued so far.
|Increase in crime, espionage and sabotage by rogue nation-states||Nuvias Group||With the ongoing failure of significant national, international or UN level response and repercussion, nation-state sponsored espionage, cyber-crime and sabotage will continue to expand. Clearly, most organisations are simply not structured to defend against such attacks, which will succeed in penetrating defences. Cybersecurity teams will need to rely on breach detection techniques.|
|The United Nations proposes a cyber security treaty||Watchguard||In 2019, the United Nations will address the issue of state-sponsored cyber attacks by enacting a multinational Cyber Security Treaty…The growing number of civilian victims impacted by these attacks will cause the UN to more aggressively pursue a multinational cyber security treaty that establishes rules of engagement and impactful consequences around nation-state cyber campaigns. They have talked and argued about this topic in the past, but the most recent incidents — as well as new ones sure to surface in 2019 — will finally force the UN to come to some consensus.|
|A nation-state launches a ‘fire sale’ attack||Watchguard||In 2019, a new breed of fileless malware will emerge, with wormlike properties that allow it to self-propagate through vulnerable systems and avoid detection…Last year, a hacker group known as the Shadow Brokers caused significant damage by releasing several zero day vulnerabilities in Microsoft Windows. It only took a month for attackers to add these vulnerabilities to ransomware, leading to two of the most damaging cyber attacks to date in WannaCry and NotPetya. This isn’t the first time that new zero day vulnerabilities in Windows fueled the proliferation of a worm, and it won’t be the last. Next year, ‘vaporworms’ will emerge; fileless malware that self-propagates by exploiting vulnerabilities.|
|State-sponsored cyber warfare will take center stage||CGS||Traditional cybersecurity tools to protect against state-sponsored cyberattacks are not adequate and often obsolete as soon as they come to market. It is nearly impossible to keep up with cyberattacks as these threats are automated, continuous and adaptive. In the next year, we will continue to see government entities ramping up efforts to develop state-sponsored cybersecurity protections, policies, procedures and guidance. With individuals, businesses and government departments under attack, there must be a unified approach by the government to create guidance on a more holistic, official, focused effort to thwart state-sponsored attacks.|
|A collision course to cyber cold war||Forcepoint||Isolationist trade policies will incentivize nation states and corporate entities to steal trade secrets and use cyber tactics to disrupt government, critical infrastructure, and vital industries.|
|The US-China trade war will reawaken economic espionage against Western firms||Forrester||With heightened geopolitical tensions in Europe and Asia and the US and China in a trade war, expect China’s hacking engine, after a brief respite from 2016 to 2018, to turn again to the US and Western countries. The current (13th) five-year plan serves as an early warning system for firms in eight verticals: 1) new energy vehicles; 2) next-generation IT; 3) biotechnology; 4) new materials; 5) aerospace; 6) robotics; 7) power equipment; and 8) agricultural machinery. If you’re in one of these industries, expect a breach attempt very soon.|
|Trade wars trigger commercial espionage||Cyberark||Government policies designed to create ‘trade wars’ will trigger a new round of nation-state attacks designed to steal intellectual property and other trade secrets to gain competitive market advantages. Nation-state attackers will combine existing, unsophisticated, yet proven, tactics with new techniques to exfiltrate IP, as opposed to just targeting PII or other sensitive data.|
|In 2019 and beyond, we expect to see more nations developing offensive cyber capabilities||FireEye (Kevin Mandia)||There are people that claim nations should not do this, but in the halls of most governments around the world, officials are likely thinking their nation needs to consider offensive operations or they will be at a disadvantage.|
|We are also seeing deteriorating rules of engagement between state actors in cyber space||FireEye (Kevin Mandia)||I have spent decades responding to computer intrusions, and I am now seeing nations changing their behaviors. As an example, we have witnessed threat actors from Russia increase their targeting and launch cyber operations that are more aggressive than in the past. Today, nearly every nation has to wonder: “What are the boundaries of cyber activities? What can we do? What is permissible? What is fair game?” We have a whole global community that is entirely uncertain as to what will happen next, and that is not a comfortable place to be. We must begin sorting that out in the coming years.|
|The final priority is diplomacy. Cyber security is a global problem, and we are all in this together||FireEye (Kevin Mandia)||The fact that a lone attacker sitting in one country can instantaneously conduct an operation that threatens all computers on the internet in other nations is a problem that needs to be addressed by many people working together. We need to have conversations about rules of engagement. We need to discuss how we will enforce these rules of engagement, and how to impose risks on attackers or the nations that condone their actions. We may not be able to reach agreements on cyber espionage behaviors, but we can communicate doctrine to help us avoid the risk of escalating aggression in cyber space. And we can have a global community that agrees to a set of unacceptable actions, and that works together to ensure there exists a deterrent to avoid such actions.|
|As we move into 2019: remain skeptical about what you read, especially on the internet||FireEye (Sandra Joyce)||Russia has been conducting influence operations for a really long time, and not just in the cyber realm. They’re very skilled. We’re seeing other threat actors learning from Russia’s success in cyber influence. For example, we recently uncovered several Iranian inauthentic accounts being used to propagate a social agenda that was pro-Iranian. We’re going to increasingly see these cyber operations from more nations than just Russia, and now Iran, as nations realize how effective this tactic can be. The upside of social media is that everyone can be part of the conversation, but that can clearly be a downside as well.|
|China’s Belt and Road Initiative to drive cyber espionage activity in 2018 and beyond||FireEye (Threat Intelligence)||The Belt and Road Initiative (BRI) is an ambitious, multiyear project across Asia, Europe, the Middle East, and Africa to develop a land (Silk Road Economic Belt) and maritime (Maritime Silk Road) trade network that will project China’s influence globally. We expect BRI to be a driver of cyber threat activity. Cyber espionage activity related to the initiative will likely include the emergence of new groups and nation-state actors. Given the range of geopolitical interests affected by this endeavor, it may be a catalyst for emerging nation-state cyber actors to use their capabilities. Regional governments along these trade routes will likely be targets of espionage campaigns. Media announcements on BRI progress, newly signed agreements, and related development conferences will likely serve as operational drivers and provide lure material for future intrusions.|
|Iranian cyber threat activity against U.S. entities likely to increase following U.S. exit from JCPOA, may include disruptive or destructive attacks||FireEye (Threat Intelligence)||Last year, we reported that should the U.S. withdraw from the JCPOA [Joint Comprehensive Plan of Action], we suspect that Iran would retaliate against the U.S. using cyber threat activity. This could potentially take the form of disruptive or destructive attacks on private companies in the U.S. and could be conducted by false front personas controlled by Iranian authorities purporting to be independent hacktivists. While we do not anticipate such attacks in the immediate or near-term, we suspect that initially Iranian-nexus actors will resume probing critical infrastructure networks in preparation for potential operations in the future.|
|Cyber norms unlikely to constrain nation-state cyber operations in the near future||FireEye (Threat Intelligence)|| Norms of responsible state behavior in cyberspace, though still in their infancy, have the potential to significantly affect the types of future cyber operations conducted by nation-states and their proxies in the long term. Norms can be positive or negative, either specifically condoning or condemning a behavior. The future of cyber norms will be most strongly influenced by political and corporate will to agree, and ultimately decisions by particular states to accept or disregard those norms in their conduct of cyber operations.
Various countries active in cyber diplomacy, along with a small number of international corporations, are exploring norms to manage their increasingly complex and crowded cyber threat landscape. However, except for an emerging consensus to not conduct cyber-enabled theft of intellectual property with the intent to provide commercial advantage, no norm has yet found significant, explicit agreement among states.
It’s clear from the above round-up of predictions that nation states are likely to be more active than ever in cyberspace in 2019. Perhaps we’ll even see the sort of ‘national cyber emergency’ envisaged by the UK’s NCSC, with potential loss of life. That’s the point where cyber attack moves towards cyberwar.
It’s also clear that governments — in the UK and US at least — are increasingly, if belatedly, acknowledging the scale of the problem of hostile nation-state cyber activity. It remains to be seen how effectively they can defend themselves, and even retaliate.
RECENT AND RELATED COVERAGE
Russian hackers are trying out this new malware against US and European targets
A new phishing campaign from a Russian-state backed hacking group targets American and European inboxes.
Russia wants DNC hack lawsuit thrown out, citing international conventions
Russian Federation says it benefits from the same legal protections as the US does when carrying out military cyberattacks.
Security warning: UK critical infrastructure still at risk from devastating cyber attack
Not enough is being done to protect against cyber attacks on energy, water and other vital services.
US, Russia, China don’t sign Macron’s cyber pact
New cyber peace pact signed by 51 other countries, 224 companies, and 92 non-profits and advocacy groups.
States activate National Guard cyber units for US midterm elections
National Guard cyber units activated in Washington, Illinois, and, more recently, Wisconsin.
Work from Home Security
Spin Master is a leading global children’s entertainment company that invents toys and games, produces dozens of television and studio series that are distributed in 160 countries, and creates a variety of digital games played by more than 30 million children. What was once a small private company founded by childhood friends is now a public global supply chain with over 1,500 employees and 28 offices around the world.
Like most organizations in 2020, Spin Master had to adapt quickly to the new normal of remote work, shifting most of its production from cubicles in regional and head offices to hundreds of employees working from home and other remote locations.
This dramatic shift created potential security risks, as most employees were no longer behind the firewall on the corporate network. Without the implementation of hardened endpoint security, the door would be open for bad actors to infiltrate the organization, acquire intellectual property, and ransom customer information. Additionally, the potential downtime caused by a security breach could harm the global supply chain. With that in mind, Spin Master created a self-imposed 30-day deadline to extend its network protection capabilities to the edge.
- Think Long Term: The initial goal of establishing a stop-gap work-from-home (WFH) and work-from-anywhere (WFA) strategy has since morphed into a permanent strategy, requiring long-term solutions.
- Gather Skills: The real urgency posed by the global pandemic made forging partnerships with providers that could fill all the required skill sets a top priority.
- Build Momentum: The compressed timeline left no room for delay or error. The Board of Directors threw its support behind the implementation team and gave it broad budget authority to ensure rapid action, while providing active guidance to align strategy with action.
- Deliver Value: The team established two key requirements that the selected partner must deliver: implementation support and establishing an ongoing managed security operations center (SOC).
Key Criteria for Evaluating Privileged Access Management
Privileged Access Management (PAM) enables administrative access to critical IT systems while minimizing the chances of security compromises through monitoring, policy enforcement, and credential management.
A key operating principle of all PAM systems is the separation of user credentials for individual staff members from the system administration credentials they are permitted to use. PAM solutions store and manage all of the privileged credentials, providing system access without requiring users to remember, or even know, the privileged password. Of course, all staff have their own unique user ID and password that they use to complete everyday tasks such as accessing email and writing documents. Users who are permitted to handle system administration tasks that require privileged credentials log into the PAM solution, which provides and controls such access according to predefined security policies. These policies control who is allowed to use which privileged credentials when, where, and for what tasks. An organization’s policy may also require logging and recording of the actions undertaken with the privileged credentials.
Once implemented, PAM will improve your security posture in several ways. The first is by segregating day-to-day duties from duties that require elevated access, reducing the risk of accidental privileged actions. Secondly, automated password management reduces the possibility that credentials will be shared while also lowering the risk if credentials are accidentally exposed. Finally, extensive logging and activity recording in PAM solutions aids audits of critical system access for both preventative and forensic security.
How to Read this Report
This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding consider reviewing the following reports:
Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.
GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.
Vendor Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.
Adventist Risk Management Data Protection Infrastructure
Companies always want to enhance their ability to quickly address pressing business needs. Toward that end, they look for new ways to make their IT infrastructures more efficient—and more cost effective. Today, those pressing needs often center around data protection and regulatory compliance, which was certainly the case for Adventist Risk Management. What they wanted was an end-to-end, best-in-class solution to meet their needs. After trying several others, they found the perfect combination with HYCU and Nutanix, which provided:
- Ease of deployment
- Outstanding ROI
- Overall TCO improvement
Nutanix Cloud Platform provides a software-defined hyperconverged infrastructure, while HYCU offers purpose-built backup and recovery for Nutanix. Compared to the previous traditional infrastructure and data protection solutions in use at Adventist Risk Management, Nutanix and HYCU simplified processes, speeding day-to-day operations up to 75%. Now, migration and update activities typically scheduled for weekends can be performed during working hours and help to increase IT staff and management quality of life. HYCU further increased savings by providing faster and more frequent points of recovery as well as better DR Recovery Point Objective (RPO) and Recovery Time Objective (RTO) by increasing the ability to do daily backups from one to four per day.
Furthermore, the recent adoption of Nutanix Objects, which provides secure and performant S3 storage capabilities, enhanced the infrastructure by:
- Improving overall performance for backups
- Adding security against potential ransomware attacks
- Replacing components difficult to manage and support
In the end, Nutanix and HYCU enabled their customer to save money, improve the existing environment, and, above all, meet regulatory compliance requirements without any struggle.
HP ZBook G8 laptop trio gets Intel’s 11th Gen H-series CPUs
Like a number of other companies, HP today is announcing a new line of notebooks using Intel’s 11th Gen Core...
Meet Matter: The IoT badge aiming to simplify the smart home
Get ready to look out for a new name and logo as you shop for the smart home, with the...
Programming a robot to teach itself how to move
Enlarge / The robotic train. Oliveri et. al. One of the most impressive developments in recent years has been the...
HTC’s newest headsets signal end of Vive’s 5-year “VR for the home” mission
The HTC Vive Focus 3, the company’s latest and highest-powered untethered VR system yet. New controllers, improved internal specs… and...
YouTube announces a $100M fund to reward top YouTube Shorts creators over 2021-2022 – TechCrunch
YouTube is giving its TikTok competitor, YouTube Shorts, an injection of cash to help it better compete with rivals. The...
Social1 year ago
CrashPlan for Small Business Review
Gadgets3 years ago
A fictional Facebook Portal videochat with Mark Zuckerberg – TechCrunch
Mobile3 years ago
Memory raises $5M to bring AI to time tracking – TechCrunch
Social3 years ago
iPhone XS priciest yet in South Korea
Cars2 years ago
What’s the best cloud storage for you?
Security2 years ago
Google latest cloud to be Australian government certified
Social3 years ago
Apple’s new iPad Pro aims to keep enterprise momentum
Cars2 years ago
SK Telecom and Samsung to collaborate on 5G for enterprise