Much has been made in the news by governments identifying the serious threats of state-sponsored or directed actors, also known as advanced persistent threats (APTs).
Indeed, security vendors as well as online and print news outlets continually draw attention to various governments suspected of involvement in cyber espionage activities and, in some more limited incidents, destructive attacks against specific target vectors. Despite some evidence of state involvement in such activities being brought to public light by some governments, there has been pushback from other security experts regarding the fidelity of the data. It is likely that when governments share some data, more “firm” evidence is withheld to protect classified information, and in particular, the sources and methods used in collection. Nevertheless, suspected state-driven cyber activities command the attention of the mainstream press, as well as security bloggers and private sector companies.
Certainly, APT-style threats may be a national security concern especially if these operations are directed against targets deemed sensitive to a given government’s security interests. Some suspected nation state cyber activities have been clearly articulated in the following events:
- The targeting of various country elections in 2016 and 2017.
- The theft of military technology.
- The illicit acquisition of military war plans.
- The theft of government employee personal information and data.
- The destruction of industrial control system devices.
- The unauthorized access of a dam’s command-and-control architecture.
These incidents represent legitimate potential national security concerns for any government, especially as they reflect the intent of nation states to gain economic, political, and military advantage over adversaries.
However, the focus on state-sponsored actors should be disconcerting for the general public, as the activities of APTs rarely impact their interests while cyber crime remains a flourishing activity that continues to evolve. The targets of APTs (as reported in public channels) have been limited insofar as they have largely concentrated on data acquisition, to a lesser extent on gaining access to systems, and to a much lesser extent on the destruction of information systems and/or the information on them.
On the other hand, cyber crime remains a global problem that continues to be innovative and all-encompassing. What’s more, cyber crime doesn’t focus solely on organizations but also on individuals. The statistics demonstrate the magnitude of the cyber crime onslaught. According to a 2017 report by one company, damages incurred by cyber crime are expected to reach USD $6 trillion by 20201. Conversely, cyber security investment is only expected to reach USD $1 trillion by 2021, according to the same source. Furthermore, data breaches continue to afflict individuals. During the first half of 2017, more than 2 billion records were victims of cyber theft, whereas “only” 721 million records were lost during the last half of 2016, a 164 percent increase. According to another reputable source, among the three major classifications of breaches impacting people were identity theft (69 percent), access to financial data (15 percent), and access to accounts (7 percent). Cyber crime communities exist all over the world, and these groups and individuals offer professional business goods and services based on quality and reputation, which serves to quickly weed out inferior performers; innovation and dependability are instrumental to success.
Perhaps more disconcerting than a cyber criminal ecosphere becoming prolific is the lack of any credible government-led strategy to mitigate this threat. As suspected nation state activity continues to headline news, governments are challenged with trying to deter or at least alter actor behavior. Indeed, governments have entered into “no hack” pacts for commercial advantage; established military cyber commands; and are actively engaged in acquiring offensive cyber capabilities. While each of these initiatives may support national security concerns, there is little evidence that similar efforts are being exerted to counter cyber crime. As a country’s economic status can be considered a national security priority, it calls into question why there are not more joint international efforts being orchestrated by governments to mitigate this threat. The last significant effort was the Budapest Convention on International Cyber Crime, an international treaty whose membership continues to grow but still lacks consensus, especially from non-Western nations such as China and Russia.
In this regard, the European community may have gotten it right when it enacted its General Data Protection Plan (GDPR) that puts the protection and rights of the citizens first and imposes severe fines on those organizations that fail to adhere to its mandates. By levelling responsibility, and by extension accountability, on organizations that process, store, or produce personal data, the GDPR underscores a shift in how cyber security is viewed, an important change from an approach that previously relied primarily on conventional investment in cyber security technology. This sends the message that while company profit and intellectual property are important, they are not more valuable than the security interests of people, who comparatively are far more impacted than organizations.
Countries like the United States, which is a primary target of both cyber espionage and cyber crime, would benefit from following the example set forth by the GDPR, particularly as mass breaches continue to afflict victims who are then “treated” to a free year of credit monitoring, an unacceptable penalty for a lifetime of personally identifiable information exposure. Rather than punish the C-Suite, penalties such as those laid out by the GDPR demonstrate commitment to altering company cyber security behavior. It’s time that individuals are placed first on government’s protection list. Striking organizations at the bottom line is a good step in helping them make this goal a reality.
About the author
Emilio Iasiello has more than 12 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in peer-reviewed journals and blogs.