December 16, 2020

This post is one in the “Rethink Cybersecurity” series. Additional posts in this series are available here.

The Russian attack on many US government cyber systems reported Sunday in the New York Times is being called one of the most sophisticated attacks we have seen.

Among the many troubling items, this attack highlights the fact that the cyber-attack community, both nation-state and criminal (often indistinguishable in many respects), is continuing to innovate.

This reality contrasts unfavorably with the growth and development of cybersecurity systems, which, apart from some technical advances, remain largely traditional and stagnant.

It is becoming increasingly imperative that the cybersecurity community, and specifically government, begin to match our adversaries not only in technical initiatives but also in the organizational and economic aspects of the cyber threat, which are becoming increasingly sophisticated.

Booz Allen’s recently released 2021 Cyber Threat Trends Outlook notes a particularly brazen innovation in cybercrime business models:

“Cybercriminals inspired by the successes of innovative tactics by ransomware operators will double-down on experimentation with ransomware business models and cybercriminal business ventures further professionalizing this formerly amorphous subset of cybercrime… This may lead to the emergence of new financing mechanisms for criminal operations. Cybercriminals have discussed in open forums proposals to create a venture capital organization or stock market where interested parties can finance the development of malware tools and frameworks without ever writing a line of code.”

While the ability to contract out for cyber-attack tools has been around for years, the creation of more organized and “professionalized” structures to facilitate this activity is a noteworthy and concerning development. It opens up the prospect of ever-widening collaboration between criminal and nation-state actors, including providing access to smaller nation-states that may have greater financial strength than technical know-how and may thereby be able to obtain increasingly powerful cyber weaponry.

The vastly increased profitability and growing sophistication, on both a technical and an organizational level, was highlighted in a study published by Cybercrime Magazine, which noted “recent year-over-year growth, a dramatic increase in hostile nation-state sponsored and organized crime hacking activities.”

These developments only serve to again place in stark relief the inherent interrelationship between the technical aspects of cyber-attacks and their organizational and economic elements.

As we have noted in a series of earlier posts, China, for one, has strategically aligned its geo-political and economic goals with innovative leveraging of digital technology to quickly move itself into a near-center location on the world stage, often to the detriment of US interests. To a lesser degree, North Korea has achieved a degree of prominence perhaps out of line with traditional measures of global status, in substantial measure through the use of digital technology to rob banks and subsidize its nuclear program.

While our criminal and nation-state cyber adversaries are innovating at the technical and organizational levels, public policy seems to continue to lag. The National Defense Authorization Act which passed Congress takes some positive steps by creating a cybersecurity director in the White House and imbuing that person with responsibilities to help respond to cyber-attacks of national significance. However, these steps, while progressive, are still not equivalent to the sorts of innovative and troubling mechanisms being developed in our adversaries’ camp.

For example, the recent attacks on several prominent federal departments, while linked to Russian intelligence agencies, were actually a “supply-chain” attack targeting a prominent private sector contractor. This modality highlights a new level of systemic cyber-attack in which vulnerabilities on the private sector side can directly threaten a broad range of public sector entities.

This sort of systemic attack, different in kind from the traditional attacks on specific entities like Target, Equifax or the Office of Personnel Management, is still another innovation that needs to be carefully studied, and defense systems need to be calibrated to address it. Old models may not be sufficient to address the ever-evolving cyber threat.
