by Julien Chesaux | Apr 16, 2019 | Cyber
“Anytime you have a geopolitical conflict now you see its reflection in cyberspace” Kenneth Geers, NATO Cyber Centre Ambassador
What is Cyber Geopolitics?
Traditional geopolitics focuses on the study of space, which is considered as a stake. Geopolitics brings to light the power at stake over a territory. Thus, territoriality, people, and networks are central to geopolitical analysis.[1] In cyberspace, however, some of these concepts, such as territoriality or sovereignty, are difficult to capture because they are no longer tangible.
Cyberspace, which is a network, is the newest battlefield to join the ranks of sea, air, land, and space, and the same power issues exist there. Karl von Clausewitz wrote that “war is thus an act of force to compel our enemy to do our will”, and the powers competing in cyberspace are looking for the same advantage as in the traditional fields: influence. Therefore, the notion of cyber geopolitics is still closely associated with power, which is a multiform (e.g. soft power and hard power), evolving, and complex concept.[2]
To put it simply, cyber geopolitics is the study of cyberspace considered as a stake. It covers the pursuit of power and influence in this digital world, along with all the intertwined realms such as the economy, diplomacy, and energy. Cyber geopolitics is also closely tied to data and to the search for and collection of it: information is power, and cyberspace offers a new frontier in which to capture it.
Keep in mind that we are living in a digital era in which a new, lucrative, and fast-growing commodity has gained tremendous importance: (big) data. As explained in a series of articles published by The Economist, big data is the new driver of growth and change, and by extension of power and influence, as oil was in the last century.[3] In the past, countries waged war to gain access to those resources; nowadays they compete for access to big data. Big data is based on the four V’s: volume, velocity, variety, and value.
Essentially, it is an extremely large amount of digital information being processed very rapidly.[4] This data can be, for example, turned into thousands of different scores or values and used for analysis regarding the business of the user.
Thus, although there are some differences between traditional geopolitics and cyber geopolitics, such as the notion of frontier or territory, some fundamentals stay the same: the pursuit of influence and power and, above all, the wish to control flows, whether the flow of resources like oil and gas or the flow of data. Infrastructures are the backbone of the flow of data. Power and digital sovereignty are at stake, and rivalries exist at different levels (states, companies, organizations, and individuals) to control the flow of data, norms, security, and the diffusion of a model of thought.
As naval strategist Alfred T. Mahan said in his famous “The Influence of Sea Power Upon History,” national prosperity and power depend on the control of the world’s sea-lanes: whoever rules the waves rules the world.[5] In the 21st century, whoever rules the data rules the world.
Why should a security leader/CISO care?
Different threat actors can target companies: script kiddies, hacktivists/cyber terrorists, criminals, and state-sponsored actors. State-sponsored actors are by far the most dangerous, as they carry out APTs (Advanced Persistent Threats): long-term, stealthy, complex, and targeted cyber-attacks that use a combination of techniques and tools.
In cyber geopolitics, information continues to be a backbone of decision-making. As information is power, the more of it, the better the decision. Therefore, state-sponsored groups crave data, and companies can be targeted by these highly skilled groups as a direct source, as a proxy, or as collateral damage. This is why CISOs need to be aware of the geopolitical and cyber geopolitical context of their company.
There are numerous examples of private companies being affected by states’ cyber diplomacy or tensions. In 2007, Estonian banks and public infrastructures experienced a DDoS attack on online services. Then, in Ukraine, a variety of domains (diplomatic, business, military, social, political and critical infrastructure) were targeted by elaborate and complex cyber-attacks. In 2017, the US government banned the use of Kaspersky products within its network. The current Huawei issue is the most recent example of cyber geopolitics, where geopolitics is mixed with politics and economics.
The impacts of a cyber attack are:
Legal
- Government fines because you breached a rule or a law
- Class action lawsuits by your clients because you did not protect their data
Financial
- Business stoppage because you cannot continue your service while being hacked
- Forensic investigation to understand what happened
- New software/hardware to buy to restore your service
Reputation
- Loss of public credibility
- Loss of clients for companies
- Loss of data/know-how for institutions and companies that can be copied or reused
- Loss of information that is reused or resold
- Loss of identity that can be reused for malicious acts
- Blackmail to manipulate you
- Layoffs of responsible persons
What should they do about it?
There is a need to understand that investing in cybersecurity is a way to ensure business continuity. A cyber incident will ultimately happen anyway; the question to keep in mind is “are we prepared?”. The ultimate aim is to have the resilience needed to absorb the impact of a cyber attack or incident, continue the daily business, and protect the company’s crown jewels and customers.
Thus, an equal focus is needed on the TPP triad (Technology, Process, People). Investment in these three pillars will ensure the best readiness and resiliency. There is a need for equilibrium to be able to support the business and avoid the negative impact of a cyber incident.
Will things get worse in the future?
Yes. This is because the balance of time and effort against benefits is always in favor of a cyber attack. Companies are more and more connected and are shifting their businesses to the cloud, which increases the amount of data hosted outside their internal perimeter and offers new possibilities for hacking.
Cyber geopolitics and, by extension, cyber warfare through cyber attacks highlight the asymmetry between offense and defense and the advantage of the former: cyber defense is really expensive (think about the technologies, the processes to put in place, and the people who need to be trained). Malware is cheap to develop or buy, and the attack surface of a target is always wide if we consider the network of a large company or state. There will always be a vulnerability to exploit, for example because a patch is not managed properly, because an employee looks for convenience and does not follow the security process, or because of a zero-day.
Moreover, when innovation and R&D drive a company’s business, it is far cheaper and more efficient to launch a cyber-attack against that company and steal blueprints or commercial secrets than to invest millions in R&D without being sure that it will pay off. Finally, the rivalry between states, such as the USA and China, will not diminish, and tensions between regional hegemons will allow for more cyber-attacks, especially since there are no real consequences for cyber attacks as no international authority is policing these acts.
“Cyber warfare is not going to deliver defeat or victory. But is going to play an increasingly important, even literally vital, role as an enabler and force multiplier for the modes of warfare that do draw blood and break things.”[6]
[1] LASSERRE Frédéric, GONON Emmanuel, MOTTET Eric. “Manuel de géopolitique : Enjeux de pouvoir sur des territoires”, 2nd edition, Armand Colin, Paris, 2016, p. 15
[2] VERLUISE Pierre. “Géopolitique – La puissance : Quels sont les fondamentaux”, www.diploweb.com, Nov 10, 2013, https://www.diploweb.com/Geopolitique-La-puissance.html
[3] The Economist. “Data Is Giving Rise to a New Economy”, The Economist, May 6, 2017, http://www.economist.com/news/briefing/21721634-how-it-shaping-up-data-giving-rise-new-economy
[4] LUTERBACHER Celia. “What’s the Big Deal About Big Data?”, Swissinfo, June 15, 2017, https://www.swissinfo.ch/eng/explainer_what-s-the-big-deal-about-big-data-/43219660
[5] MAHAN Alfred Thayer. “The Influence of Sea Power upon History: 1660-1783”, Little, Brown and Company, Boston, 1890
[6] GRAY Colin S. “Another Bloody Century: Future Warfare”, Phoenix, 2005, p. 328
by Nathan Hamiel | Mar 7, 2019 | Cyber
You read the title of this post correctly. Maybe it should be most people don’t care about cybersecurity, but you get the point. It’s a reality that those of us responsible for securing our organizations know but don’t like to acknowledge because it leads to a tough question. If people don’t care, then what is all of this for?
A lack of customers who care affects business decisions. You don’t see large swaths of people holding companies accountable post-breach. As a matter of fact, in many cases, stock prices tend to rebound after a breach. There are also some who advocate that insecure software is still more advantageous than the potential negative impacts it creates. This argument is inaccurate, as it is based on skewed and superficial perceptions of the customer and not on the reality of the situation.
So, should we all change professions and try our hands at being celebrity chefs? If you are like me and have a weak flambé, we should take a closer look at the situation.
Why people don’t care
It’s essential for us to have a look at the conditions that create this apathy in customers. Understanding these issues makes framing potential solutions easier.
Here are the major ones:
- Immediacy
- Short attention span
- Numb to breach occurrence
- Good detection and recovery
Immediacy
Effects of breaches aren’t immediately felt. Of course, this is assuming an attack doesn’t delete all of your data, and by your data, I mean your customer’s data.
If compromised data is used in some form of attack or fraud, it’s not done immediately. Tying an instance of abuse to a specific breach can be hard for a consumer. In that time, their data may have been compromised in other locations, so who does the consumer blame?
Short on Attention
People these days live under a constant bombardment of content all competing for their attention. This is on top of the professional and personal priorities they have. They can be mad at a hotel chain for a breach one day and book a stay with points the next. With the perception that too much is on their plate, only the most egregious instances will stay top of mind.
For perspective, people are more likely to hold a grudge against a restaurant they had a bad experience with than against the credit company that lost enough of their data for a criminal to commit identity theft.
Numb
People have gotten numb to all of the breaches. High-profile breaches have become a regular occurrence and lower-profile ones even more so. The number of breaches has a numbing effect, so news of a new instance results in little more than a sigh and an eye roll.
Good Detection and Recovery
Companies have gotten good at detection and recovery in post-breach scenarios. Think of your bank calling you when it notices some odd transactions or notification from another site offering free credit monitoring. Most often the customer doesn’t have to take much action at all and only encounters a mild inconvenience.
A Dangerous Road
If your customers don’t care about security, then it can be a hard sell to management and other business units. On the surface, this makes business sense, but letting security priorities slip is a dangerous road. The lack of prioritization and focus on security initiatives opens the door to nefarious actors in ways that go far beyond the surface. Here are just a few areas to consider.
Autonomous Systems
Autonomous systems make decisions without human interaction. The integrity of the data these systems consume is paramount because tainted data could cause the system to make the wrong decision. Think of a drone attacking the wrong target or an automated trading algorithm triggering a mass selloff of stocks.
Injury or Death
Of course, building off of the previous point about autonomous systems, there is the fact that systems that can kill us are becoming more common. Medical implants, self-driving cars, industrial systems, drones, and countless others that aren’t obvious to consumers have the potential to impact their health and wellness. It shouldn’t take a breach causing large scale death for people to begin caring. Unfortunately, that may very well be what it takes.
Funding Criminals
Stolen data and compromised systems have monetary value to criminals. Criminals have various motivations for their activities, but a compromise of your systems could assist in the ongoing support of illegal activities. Some of these activities could include terrorism.
Privacy
Losing a customer’s data is a breach of privacy. Privacy has never been in more danger through shady purposeful activities, but unauthorized disclosure makes it worse. On this front, I think there is some hope. Not only has the importance of privacy been elevated by regulation such as GDPR, but younger people seem to be caring about it more as technology becomes less of a novelty and more something that’s always been part of their lives.
Longevity
In my Black Hat Europe presentation last year, I spent some time talking about how the technology created today will be with us tomorrow, possibly much longer than its support cycle. You aren’t likely to upgrade your refrigerator or car at the same frequency you do your phone or smartwatch. Tons of low-cost devices are spreading across the planet that will affect our security posture for years to come.
What can we do?
So if all of this is a problem, then what can we do to ensure we are protecting our organizations both now and in the future?
Not be part of the problem as an organization
By contributing to the larger problem, we are contributing to a sea of already compromised data, making it hard to determine where any of it came from, other than when an attacker makes it known for their marketing purposes.
Avoid the top-down approach
Far too often people feel that security needs buy-in from senior management to drive initiatives through the company. Laboring under this delusion can cause you to miss opportunities. It’s true that management support can make things easier, but it’s not the only way to get security initiatives implemented. Buy-in from the bottom up or even cross-pillars to other peers can be just as effective, if not more.
Reduce friction
It shouldn’t be a secret that reducing the friction of a solution increases adoption. We all know someone who never locked their phone because entering numbers was an inconvenience. Their behavior changed with the inclusion of things like TouchID and FaceID, indirectly causing an increase in security posture. We should be investigating areas where a reduction in friction could lead to increased adoption.
Regulatory compliance and privacy law
Regulatory compliance is a topic that many in the industry love to hate. It may very well take governments and other regulatory bodies getting involved to effect a broader change. Although the effectiveness of such compliance measures can be debated, discussions spring out of these requirements.
Conclusion
It may very well take something that causes multiple deaths or a substantial financial impact to get the average consumer to care about cybersecurity, but we as security professionals can’t let that guide our decisions. Are we okay with allowing people to die before we take a problem seriously? We need to be proactive and find creative ways to get our solutions adopted and look for areas to reduce friction before it’s too late.
by Kudelski Security Team | Feb 5, 2019 | Cyber
Unless you’ve been living under a rock for the last few years, you’ll already be familiar with the buzzwords du jour: Blockchain and the cloud.
One has become an established reality of modern business. The other is set to change everything… but nobody seems quite sure how, or why.
As it happens, we believe both cloud and blockchain technologies will have a tremendous impact during 2019 — albeit to solve completely different problems — but will bring with them a host of new concerns for security professionals.
The Cloud
Few technologies have changed corporate IT infrastructure as much as the cloud. But for all its benefits, cloud technology — and multi-cloud in particular — dramatically increases the attack surface of organizations.
Simply put, the more complex an organization’s IT infrastructure is, the harder it will be to secure. Modern multi-cloud environments add tremendous complexity to the average corporate network, and many organizations simply don’t have the skills and resources in place to adequately secure their cloud environments.
Which brings us on to our 2019 predictions for the cloud:
- Organizations will take cloud security more seriously in the wake of several high profile breaches. Uptake of Cloud Access Security Brokers (CASBs) will increase, and there will be tremendous demand for security professionals with the skills and experience to work in a multi-cloud environment.
- Even more stress will be placed on the skills shortage. In our first 2019 trends post, we noted that the need for cybersecurity professionals vastly outweighs the number available. When it comes to cloud security, which is a specialized field, that imbalance becomes even more acute. Our prediction, which is really more of a statement of fact, is that organizations will be forced to upskill existing security personnel, as finding experienced cloud security professionals will be extremely difficult.
- There will be more cloud security incidents. Again, this is our prediction, but in reality, it’s a near-certainty. Cybercriminals will go wherever they can make money, and once organizations start storing valuable data in the cloud you can be sure cyber activity will follow. It’s also worth noting that cloud services have a larger attack surface than traditionally-hosted systems, making them a more appealing (though not necessarily easier) target for cybercriminals.
- There will be at least one major cloud breach where the affected organization blames its cloud service provider. This one has been on the cards for a while, and we believe the wait will come to an end in 2019. It remains to be seen how regulators will determine fault, but it seems unlikely that pointing the finger elsewhere will be enough to avoid repercussions.
Blockchain
Even more than the cloud, blockchain is the buzzword of the moment. Organizations all over the world are clamoring to become early adopters, and blockchain technology is already being adapted to fit the needs of every major industry. And, naturally, as the adoption of blockchain technology rises, it will increasingly be targeted by cybercriminals.
Perhaps the most important thing for early adopters to understand is that blockchain technology is not inherently secure. In order to withstand cyber attacks, blockchain architecture must be developed and configured with security in mind. While some organizations are understandably in a hurry to realize a use case for blockchain technology, security cannot simply be added as an afterthought.
So far the vast majority of blockchain attacks have been financially motivated, and have consequently targeted the public blockchains utilized by popular cryptocurrencies. However, as organizations start to trust blockchain technology more, and use it to store sensitive (and therefore valuable) information, we can expect to see an increase in attacks on private blockchains.
In terms of 2019 predictions for blockchain technology, we have four:
- There will be a lot of investment in blockchain technology. We’ll continue to see heavy investment in financial applications of blockchain, but we should also start to see financiers taking an interest in the technology’s wider applications.
- Security industry players will aim to develop a unified framework for integration in blockchain. Whether this will be completed during 2019 is difficult to say, but ultimately there will be an agreed set of security protocols and best practices for blockchain technology.
- There will be a rise in blockchain uptake for the identity management space. Nobody likes giving away their personal information, and passwords are inherently a bad security protocol. Blockchain technology can solve both of these problems, so expect to see plenty of activity in this space during 2019.
- Privacy poisoning will become a thing. One of the major selling points of blockchain technology is that once information is recorded, it’s extremely difficult to remove it. Unfortunately, this will leave poorly implemented blockchains open to so-called “privacy poisoning,” where personally identifiable information (PII) is stored in a non-compliant way, but can’t be easily removed. There’s a simple solution to this problem (privacy by design and a ban on free text) but we can expect to see cases of privacy poisoning in 2019 nonetheless.
Whatever You Do, Do It Properly
New technologies are exciting, but they can (and usually do) also cause problems for organizations. Even relatively mature technologies like the major cloud platforms can be tricky to administer and require careful planning and development to ensure there are no major security flaws.
Ultimately, an organization’s ability to safely adopt new technologies will come down to one thing: Whether security is considered at the outset, or simply “bolted on” at the end.
The former, while more costly and time-consuming, is a strategy that will enable organizations to realize the benefits of transformative new technologies without drastically increasing their risk profile.
The latter, however, is a recipe for disaster.
by Kudelski Security Team | Jan 30, 2019 | Cyber
In our last post, we looked at the strategic cybersecurity trends we expect to see in 2019.
Now it’s time to concentrate on the technologies underpinning cybersecurity (and cyber attacks) and think about how they’re likely to evolve during the next year.
As always, the cybersecurity industry is replete with buzzwords and jargon, leaving many to wonder which technologies are truly about to take off, and which are no more than hype. In this post, we’re going to look at two of the four technologies we think are genuinely going to change the future of business and security.
The Internet of Things and Operational Technology
So far, the Internet of Things (IoT) and Operational Technology (OT) have been a mixed blessing for organizations.
On one hand, Internet-connected devices and machinery have the potential to significantly improve efficiency in business and manufacturing processes. In 2019, we can expect to see greater integration of IoT and OT devices with the broader IT and security landscape, as organizations look to improve productivity. At a domestic level, we will no doubt also see IoT devices expand into more homes and cities.
However, as we’ve started to see, IoT and OT devices also have the potential to introduce significant weaknesses to otherwise secure networks. From hacking WiFi kettles in a lab to breaching a casino through its Internet-connected fish tank thermometer, smart devices and machinery have already been heavily exploited, and we’re anticipating the trend to continue in 2019.
The addition of large numbers of network-enabled devices — many with dubious in-built security — to already unwieldy corporate networks will cause difficulties for security professionals, who will need to develop a strategy for securing IoT and OT devices if they haven’t already.
In light of this, cybersecurity vendors are already hard at work developing systems to secure the modern workplace, and we’ll no doubt see more products coming to market in 2019 that have been designed with IoT and OT security in mind.
Finally, in terms of predictions, we’re anticipating at least one major IoT attack during 2019, along with further exploitation of IoT botnets. Since it has such a large attack surface, the manufacturing industry seems a likely target for this form of attack, which depending on motivation could even be perpetrated or sponsored by one of the six major nation-state actors, most likely China or Russia.
Artificial Intelligence and Machine Learning
Artificial Intelligence (AI) and Machine Learning (ML) have been widely touted in recent years as the future of technology. And for good reason. In the security world, AI and ML have a tremendous number of applications, including the identification of anomalous network activity, updating rule-based systems, and reducing false positives.
In 2019 we expect to see AI and ML increasingly being used by security vendors to enhance their product offerings, and by organizations to reduce the work burden of security personnel.
However, as valuable as AI and ML are to security initiatives, they also have plenty of “black hat” applications, such as solving CAPTCHAs. Both criminal hackers and state cyber actors will inevitably utilize AI and ML techniques to enhance the sophistication of their campaigns, and we’d be very surprised if there isn’t at least one high profile case of these next-generation attacks in 2019.
Stay Tuned for Part 3: Blockchain and the Cloud
Every year new technologies are developed that have the potential to revolutionize the way we live and work. For organizations, jumping on new technologies early can be hard to resist, as it promises an opportunity to pull ahead of close competitors.
But new technologies are never perfect, and problems arise time and time again when new technologies are adopted but security is only considered as an afterthought. Poor implementations of new technologies can be easy to compromise for those with enough motivation, so it’s important to ensure security personnel are involved at the earliest possible opportunity whenever new technologies are to be adopted.
In the third and final post in our 2019 cybersecurity trends mini-series, we’ll cover the two biggest buzzwords of the moment — blockchain and the cloud — and look at some of the advantages and concerns we expect to see from them in the coming months.
by Kudelski Security Team | Jan 15, 2019 | Cyber
2018 was a year of ups and downs in the cybersecurity world.
On one hand, we saw some of the biggest data breaches ever recorded, including almost a billion records leaked in September alone.
But on the other hand, organizations across all industries took cybersecurity more seriously than we’ve seen in the past, and committed more resources than ever to protect their digital assets.
Now, with 2018 done and dusted and security professionals preparing to start the cycle all over again, we thought we’d cast our gaze forward, and cover some of the cybersecurity trends we expect to see in the coming months.
In this post we’ll be covering strategic cybersecurity trends. Keep an eye out for our follow-up posts, which will delve into the technologies you can expect to see flourish (or not) in 2019.
CISOs and Cybersecurity Leadership
The role of Chief Information Security Officer (CISO) has evolved tremendously over the last few years. In 2019, we expect to see a continued expansion of responsibility for CISOs, particularly in their capacity as primary security advisors to executive boards. Cybersecurity has become a widely accepted topic at board level, and CISOs will be expected to advise on major concerns such as brand protection and compliance.
On that note, executive boards will increasingly want to see objective measurement of cybersecurity programs. Most organizations have invested heavily in cybersecurity over the last few years, and there will be an expectation that security programs deliver measurable ROI. Senior executives, who are almost exclusively non-technical, will rely on CISOs to keep them up to date on key security concerns, and CISOs will need to develop a strong communications strategy with regular KPI updates to achieve this.
At the same time, cybersecurity has been identified as a top three area for increased technology investment across all industries. Gartner predicts global spend on cybersecurity will grow by a further $10 billion in 2019 to a total of $124 billion — an 8.7% increase — and boards will be relying on CISOs to identify and justify the most important areas for investment. Historically it has been difficult even for experienced security leaders to penetrate the marketing hype surrounding security solutions. However, with the market stabilizing, CISOs will be expected to provide concrete evidence of anticipated ROI when recommending further investment.
In addition to the continued expansion of the CISO role, we anticipate an increase in the use of independent cybersecurity contractors to advise on specific areas of concern. In particular, external advisors will be called upon to identify areas of cyber weakness — e.g., via risk assessment, penetration testing, and threat hunting — and provide vendor-neutral advice on how to close any identified gaps. Similarly, as larger organizations look to be at the forefront of newer technologies such as blockchain and IoT, they will engage expert contractors for advice and support.
Finally, in line with the increasingly mature nature of the cybersecurity landscape, in the coming year CISOs will be focused on the business logic surrounding cybersecurity programs. They’ll be aiming to answer questions such as:
- Who is doing what, where, when, and why?
- How do existing components of a cybersecurity program fit together?
- How can systems and processes be better integrated?
- What gaps exist, and how can they be filled?
The answers to these questions will inform further investment, and ultimately lessen the burden placed on overloaded security professionals.
The Cybersecurity Skills Shortage
With substantial increases in cybersecurity investment expected, it should be no surprise that the widely-publicized skills shortage will continue to cause headaches for security leaders across the board in 2019. Unfortunately, it seems there is no end in sight, as industry analysts forecast a shortfall of 3.5 million cybersecurity jobs by 2021.
In addition to insufficient numbers of skilled security personnel, three other factors will contribute to the skills shortage conundrum:
- An ever-increasing volume of cyber threats
- The corresponding rise in the number of technologies required to hold threats at bay
- Broader attack surfaces due to adoption of new technologies, e.g., cloud, IoT, and BYOD
Since 3.5 million new security practitioners aren’t going to appear anytime soon, existing security personnel are going to be faced with heavier workloads than ever in 2019.
So how will organizations respond to these challenges?
First, a focus on upskilling existing security personnel will be essential. As there is no guarantee new skilled personnel will be available to organizations looking to expand their cyber programs, there will be little alternative but to invest in training and support to help junior security practitioners develop in-demand skills.
Traditionally organizations have shied away from heavy investment in upskilling programs for two obvious reasons:
- Cybersecurity training programs are often very expensive
- Once trained, security personnel have many opportunities for career advancement, and may simply leave
These concerns, while understandable, will need to be put to bed, or organizations simply will not have the necessary skills and experience to maintain a strong cybersecurity program.
Of course, not all security personnel requirements are permanent. Some security functions, such as penetration testing, threat hunting, and gap analyses can instead be filled by security contractors. While this approach is already popular, we expect to see a rise in the use of consultative security services across a range of temporary needs.
Increased Nation State Activity
Depending on the industry you’re in, nation state cyber activity may be either very important or totally irrelevant. Either way, 2019 is set to be a year of increased nation state activity in the cyber realm.
Over the past decade, nation states have continually pushed the boundaries of what could be considered acceptable cyber activity. However, now that some actors (Russia, China, and North Korea in particular) have been allowed to continually push the boundaries without repercussion, we can expect to see a further increase in nation state and state-sponsored cyber activity in 2019.
If you aren’t sure whether you’re likely to be a target, it may help to have a basic understanding of each of the major nation states’ motivations:
China — Economic, technological, and industrial espionage
USA — National security, both offensive and defensive
Russia — Geopolitical influence and financial gain
Iran — Military, political, and nuclear advancement
Israel — Political and military disruption (primarily directed at Iran)
North Korea — Open to speculation
Functionally, most organizations in the Western world need only concern themselves with the activities of Russia and China, since the other major nations have a very narrow focus for their cyber activities. In particular, organizations focused on technology innovation, telecommunications, research (e.g., universities), and national infrastructure should be aware they are very likely to be targeted by one or more nation state actors.
So what makes cyber activity so appealing for nation states? There are a number of factors:
- There are effectively zero consequences, even when activities are definitively tied to a particular nation — At a minimum, Russia, China, North Korea, Israel and the US have all carried out widely reported cyber attacks and suffered no consequences whatsoever.
- It can be highly effective. Russia successfully crippled the Ukrainian financial sector by deploying NotPetya. The USA and Israel managed to disrupt Iran’s nuclear program with Stuxnet. By releasing WannaCry into the wild, North Korea caused mass disruption.
- It’s cheaper, faster, and less committal than military intervention. And, as Russia has proven repeatedly, cyber activity also works well in conjunction with traditional military action.
Given all of the above, it’s no surprise that the idea of a cooperative international agreement (sometimes described as a “Digital Geneva Convention”) has been floating about for several years now.
But do we think it’s likely to happen in 2019? Probably not. At least, not in any meaningful capacity.
The difficulty is that while some countries will no doubt be happy to sign such an agreement — particularly those countries without an established cyber program — none of the six most active countries would be willing to do so.
As if to highlight this point, toward the end of 2018 French President Emmanuel Macron launched an international agreement on cyber activity at the Paris Peace Forum. While the agreement was signed by 51 countries, none of the “usual suspects” were willing to put pen to paper. And if China, Russia, the USA, Israel, Iran, and North Korea won’t sign, there really isn’t much value to such an agreement.
Next Up: Technology Trends for 2019
2019 is going to be a busy year for security professionals as the cyber landscape continues to evolve.
Although cybersecurity budgets are rising, the corresponding rise in attack velocity means that in real terms security leaders stay in precisely the same position they have been in for the past several years: never quite being in a position to cover all of their bases.
As before, then, a risk-based approach will be essential as CISOs and security teams look to build out their cyber programs.
This has been part one of our 2019 cybersecurity trends mini-series. In the next post, we’ll take a closer look at some of the technologies that will impact the cyber landscape in 2019, and provide insight into how you can expect to see them evolve.