Remember the days when state-sponsored intelligence gathering used to play out like Hollywood spy movies? Long, sophisticated and clandestine plans conducted by undercover operatives. Their goal was to collect intelligence, identify like-minded individuals and influence opinion. These operatives would, of course, also be provided with expensive technology and ample resources. This was all while dodging counter surveillance teams and putting the operation, themselves and diplomatic harmony in grave danger.
Finding a Needle – In a Stack of Needles
The paradigm has shifted. The growing trend is about leveraging the world’s infinite technology infrastructure to snatch coveted stored data, create disruption or advance an ideological agenda. The immensity of the internet, and the ability to remain unidentified and autonomous within it, provides the ideal setting for these nation-state actors. While the volume of human, technological and financial resources to protect against these attacks has increased exponentially, the tools and methods to collect massive amounts of coveted data have significantly outpaced corporate and government protocols to keep data secure.
The reality is it’s easier and cheaper than ever before for “armies of hackers” — working on behalf of another country to sit on the other side of the world, targeting systems, stalking weaknesses and leveraging security gaps — to gain access to corporate, political, economic, infrastructure or personal data that may be used to further their agenda.
What Do These Hackers Want?
The goals of cyber attackers range from disruptions of service and sabotage to highlight an activist cause, damage the reputation of an organization or individual, seek financial gains through information theft or blackmail, or divert attention and resources while another more serious attack commences.
For example, a corporation’s employee or customer data might be valuable to another country for many different reasons:
- Personal financial or medical information could be used to target an employee for blackmail and for corporate espionage.
- Maybe a corporation’s trade secrets or intellectual property are valuable to further a political agenda or to provide a competitive advantage.
- The goal could also be to gain access to your technical networks and probe pathways to corporations or governments where you work.
Often, these cyberattacks have strategic, direct intentions. The “Stuxnet” campaign was a specific attempt to sabotage Iran’s nuclear weapons capabilities. Iran is now believed to have heavily invested in its own cyber capabilities and has been suspected of increased cyber terrorism throughout the world. Other recent examples that bear the hallmarks of state-sponsored attacks include the attack against Sony Pictures, various ransomware assaults and, of course, the state-sponsored meddling in the recent U.S. presidential election, in which a coordinated release of hacked emails surfaced in an effort to sway voter opinions.
Governments Are Playing Catch-Up
I recently received a letter informing me that my personal information was included in a security data breach not too long ago. It seems the Office of Personnel Management (OPM) left data unsecured for up to 21.5 million U.S. citizens. Much of the data were collected from the Standard Form 86 (SF-86) that the government uses to collect sensitive information to determine suitability for government security.
The prevalent belief is that this data loss was facilitated by nation-state actors on behalf of China. This will cost American taxpayers hundreds of millions of dollars as the government investigates the breach, creates improved protections, and provides identification monitoring and repair services for those affected. If the government can’t adequately protect itself from these types of attacks, how can corporations?
Mitigation: What Your Company Can Do to Avoid Cyberattacks
Many organizations have a relatively small group of people who are responsible for the entity’s IT security. Now compare that setup to an industrial-sized, patient and highly-skilled cybercrime organization hyper-focused on a specific task or on acquiring a specific set of information. It’s no contest.
Corporations need to be swift in detecting possible breaches. They have to ensure that data loss is minimal. That means basic security hygiene is essential, and it starts with some simple controls:
- Know your network
- Address easily exploitable vulnerabilities
- Enforce good configuration policy
- Ensure systems are protected by firewalls
- Encrypt all confidential data
- Enforce password and authentication best practices
There’s one more vital control: train your users. Everyone has a role in prevention. Your employees need to be routinely educated to keep a watchful eye out for scams. Any emails or links that look suspicious need to be reported as quickly as possible to diminish the risk of an attack or the damage if one occurs.
Recent successful cyberattacks and data breaches — and the untold number of attempts and unsuccessful probes — strongly indicate that state-sponsored cyberattacks will only increase. It’s imperative that organizations from government agencies to corporations properly prepare themselves — and their coveted data — for any upcoming breaches.