- Nation-state cyber incidents have increased 100% between 2017 and 2020, according to a study conducted by Dr. Michael McGuire, senior lecturer at the University of Surrey, and sponsored by HP. The report, released Thursday, used data gathered from publicly available information, including incidents involving leaks or whistleblowers, between 2019 and 2021. The report also includes a survey of more than 50 leaders in cybersecurity, intelligence, government, law enforcement and academia.
- Enterprises represent 35% of nation-state targets, whereas government or regulatory agencies are 12% of targets, according to the report. Critical infrastructure, a shared responsibility between the sectors, was a target 10% of the time.
- One-fifth of cyberattacks are directly attributed to regional conflicts, and an average of at least 10 cyberattacks per month were attributed to nation-state actors in 2020, according to the report.
Because of the combination of existing regional tensions among nations and attack frequency, the report concluded the cybersecurity community is "closer to advanced cyberconflict" than at any other time since the internet began.
Cyberattacks are blurring the lines of international conflict. Though the laws of war are well established, cyber is challenging traditional notions of kinetic war. "For centuries, kinetic war was the legitimate way that states resolve their disputes," said Scott Shapiro, the Charles F. Southmayd professor of law and professor of philosophy at Yale University, during Enigma's virtual conference in January. War was legal; "it was like going to court."
Now governments are facing a quandary in resolving cyberattacks, whether through in-kind attacks or economic sanctions. Cyberattacks rarely fit neatly and exclusively into either violent or nonviolent buckets.
To further complicate resolutions following a cyber incident, "cyber-armies rarely march in formation," according to the report. They show no sign of who they are loyal to, or on whose behalf they are hacking. In some instances, cybercriminals operate without permission or knowledge of their jurisdiction.
The "invisible" feature of nation-state actors contributes to the "100% denial rate" because "to date, no state has confessed to any cyberattack, even where evidence is clear," the report said.
If a nation-state actor escalated a cyberattack to impact the physical world, something the operational technology (OT) security community has feared since Stuxnet in 2010, it would make the attack violent and therefore kinetic. But an act to implement a firewall, blocking packets sent from an adversary, would be benign, said Shapiro.
"Because it would be a refusal to interact with another country, it would be passive. The firewall would be akin to economic sanctions," he said.
But cyberattacks aren't always cut and dried. More than 40% of attacks involved physical and digital implications, according to the report.
Now that private industry is part of the adversarial threat model, security leaders are waiting on government leadership to shape intervention. The U.S. trails its international counterparts in cybersecurity spending:
- Between 2019 and 2021, U.S. cybersecurity spending is expected to increase 11%, according to the report.
- By 2023, China will likely increase its cybersecurity spending by 25% and European nations by 50%, while Russia's estimated growth is 200%.
Despite the increase in spending, 50% of nation-state attacks leverage "low budget tools," according to the report. Adversarial countries have more personnel behind their missions, while also "stockpiling" exploits and attack techniques.
The sectors are working to patch holes in a relationship where mistrust or a lack of incentives inhibits substantial information sharing. But the private sector knows that if a nation state decides to target a company, the nation state will likely succeed.
2020 ended with the SolarWinds compromise, which emphasized the need for the public and private sectors to share threat information given the common vulnerabilities.
When cyberattacks begin to interfere with other countries' governments, the assumption is the act was illegal. Security experts are still hesitant to call the SolarWinds hack an "act of war," though at least nine federal agencies were impacted.
When to call a cyberattack an "act of war" is something allied nations have yet to determine. Because of this, countries are quick to call "all serious cyberattacks" cyberwarfare, according to the United Nations. "This perturbs national policy and fuels a cyberwar arms race, resulting in more instability and less security for everyone."
Shapiro proposes nations agree upon a standard of "cyber norms," with violation of those norms resulting in reduced or denied access to the member nations' networks. At least 70% of the survey's respondents said a cyber treaty is necessary moving forward, though 47% said the treaty would take either 10 to 20 years or longer to develop.