By John Nugent
LONDON—One year ago, Control Risks highlighted two prominent cyber trends and made four predictions for 2015. While none of those predictions appear particularly revelatory in hindsight, they have all proven correct and, along with the trends discussed then, are likely to continue through the year ahead. Moreover, they provided a brief snapshot of the dynamism of the cyber threat landscape, a snapshot that I will look to expand upon in this year’s edition of our cyber security trends to watch.
The role of geopolitics and the emergence of cyber deterrence
Recalling a theme from last year, the first point to note is that geopolitics will be the core determinant of the shape and severity of the cyber threat many public and private sector organizations face. As countries grapple with the uncertainties and vicissitudes of contemporary international relations, it is becoming increasingly clear that cyber deterrence will eventually become a core pillar of 21st century diplomacy. The US is currently working out the finer points of its official cyber deterrence policy and, through websites directly linked to state-run media outlets, the Chinese military has given a fairly clear indication of its own. Russia, on the other hand, has already put its approach to cyber deterrence into action, regularly carrying out retaliatory operations seemingly intended to punish and shape the decision-making of strategic rivals and erstwhile allies. Likewise, North Korea has episodically lashed out with disruptive attacks against identified adversaries, knowing that its self-contained internet infrastructure largely protects it from external cyber retaliation.
Alarmingly for business, the majority of apparent cases of cyber deterrence involved targeting of commercial entities. This reflects the imperative role that corporate enterprises play in ensuring that, at a fundamental level, populations are provided with basic commodities like electricity, food, water, fuel and the ability to communicate. It is also indicative of the internet’s status as the backbone of any modern society. Because they deliver a privately-owned public good, critical national infrastructure (CNI) providers are likely to bear the brunt of nation-states’ deterrent cyber attacks. There is little prospect of many of the more outlandish doomsday scenarios put forward about cyber operations against CNI being realized. Nonetheless, the threat is real and growing.
Formerly, Iran was assessed by many observers in the Western intelligence community as one of the nations most likely to conduct a destructive attack against Western core industries. However, the lifting of US and international nuclear sanctions will bring about a step change in Iranian operations that will reshape the nature, and potentially reduce the scope, of the Iranian cyber threat to the West. Namely, there will be a transition from cyber operations focused almost solely on developing situational policy awareness and collecting target-specific intelligence with a view to future disruptive attacks, to a situation in which cyber-enabled corporate espionage becomes increasingly prominent.
Simply put, Tehran’s gradual reintegration into the global economy will provide a motive for corporate cyber espionage that did not exist when the sanctions regime was in place. Corporates in key sectors for Iran like oil and gas, infrastructure, the automotive industry, consumer goods, and finance, will now face a heightened threat from remote intelligence gathering, as well as more direct physical and digital surveillance should company representatives visit the country.
This qualitative shift in the nature of the Iranian threat will not extend to its cyber operations against regional rival Saudi Arabia, however, with the clear disruptive intent displayed in previous attacks remaining a core aspect of these campaigns. The collapse of what was already a fractious bilateral relationship between the two countries following Riyadh’s execution of Shia cleric Nimr al-Nimr in early January 2016 has redoubled Iran’s intent to target state-owned and/or economically vital Saudi enterprises with destructive cyber attacks. Significantly, the gradual revitalization of the Iranian economy over coming years will enable the government to further increase its already substantial cyber security spending, with the result that Iran’s cyber attacks are likely to become more frequent, more advanced and more persistent. Military planners in Israel, another favored Iranian target, are probably formalizing the country’s own, Iran-centered, cyber deterrence strategy as we speak.
As for Saudi Arabia, the July 2015 breach of Hacking Team revealed that it, like many other countries, is actively looking to improve its cyber capabilities. Nevertheless, Riyadh is starting from a low base and is unlikely to be able to rapidly develop the requisite means to either deter or adequately protect itself from all serious attacks attempted by Iran. Espionage campaigns identified in 2015 that are seemingly traceable to Argentina, Lebanon and Vietnam further underscored the wide range of countries seeking to cultivate the ability to conduct offensive cyber operations.
Such efforts will largely take one or more of three forms: purchasing tools from and commissioning operations by legitimate or quasi-legitimate cyber security vendors (locally and internationally), leveraging domestic cyber activist groups (which are flourishing in Latin America and the Middle East), and purchasing or redeveloping malware and other capabilities acquired from cybercriminals on the deep and dark web.
For businesses, these trends, in tandem with the growing centrality of economic factors within states’ conceptions of security, are going to mean that more companies will be targeted by an increasing number of nation-states. Though many of these attacks may involve the use of rudimentary tools and techniques, their volume and diversity will magnify the overall level of threat.
Beyond nation-states: Other threat actors
Looking to other threat actors, the evolution of nation-state cyber threats will be mirrored and enabled by developments in the cybercriminal underground. Criminal forums will continue to increase in number and serve as ecosystems for illicit activity of various kinds. However, we anticipate that criminals’ targeting patterns will diverge. The most advanced and resource rich cybercriminal groups will continue to pursue immediate financial gain by targeting – increasingly secure – banks in operations of nation-state level sophistication and persistence.
Those with more mid-range capabilities or less extensive cash-out infrastructures on the other hand, will focus on new target sets (like healthcare providers) and those who have yet to adopt more hardened security postures, such as hotels that have not transitioned to chip-and-pin (EMV) card payment systems. Equally, extortion attacks will become more targeted and tailored. As attackers’ skillsets improve, they will look to exploit the apparent correlation between asset criticality and ransom payment value and to target key systems or information.
How can businesses defend themselves?
The first building block of any effective cyber security posture should be a deep and regularly updated understanding of the threat landscape. This is a core facilitator of the other three main components: protection, detection and response. Firstly, by helping organizations to comprehend who is going to target them, why they are going to be targeted and what is going to be targeted, threat understanding enables an asset-based approach to defense that is both a more efficient and a more effective use of money. Secondly, it enhances defenders’ ability to detect attacks affecting their network, because of the greater knowledge they possess about the methods and techniques used by their assailants.
Lastly, because of the insight it provides into how cyber incidents typically evolve, good cyber threat intelligence leaves a company better positioned to respond more quickly and successfully to the breaches that all firms, without exception, eventually suffer. Protection, detection and response are the bedrocks of cyber security, but they must be informed by intelligence about the threat.
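The two ideas above, an asset-based view of who targets what and indicator matching drawn from threat intelligence, can be combined into a small detection routine. The following is an added example written for this page, not code from Control Risks or the author. The indicator feed, the asset inventory, the actor names and the proxy log lines are all constructed for illustration, and the scoring weights are an assumption chosen to show how asset criticality and actor intent can rank alerts.

```python
"""Threat-intelligence-driven detection over constructed proxy logs.

Added example, not part of the original article. It prioritises
indicator hits by the criticality of the affected asset and by the
attributed actor's intent (extortion/destructive versus espionage),
so that an alert on a plant historian outranks the same indicator on
an office laptop.
"""
from dataclasses import dataclass
import re

# Constructed threat-intelligence feed: indicator -> attributed actor.
# Domains and hashes are placeholders, not real infrastructure.
INDICATORS = {
    "domain": {
        "update-check.example-cdn.net": "ACTOR-ESPIONAGE-A",
        "pay-now.example-extort.org": "ACTOR-EXTORTION-B",
    },
    "sha256": {
        "0123456789abcdef" * 4: "ACTOR-EXTORTION-B",
    },
}

# Constructed asset inventory: host -> (business criticality 1..5, tag).
ASSETS = {
    "scada-hist-01": (5, "operations"),
    "fin-erp-02": (4, "finance"),
    "hr-laptop-17": (2, "corporate"),
}

# Constructed log format: "<ts> host=<h> dst=<domain> [sha256=<hash>]".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+)"
    r"(?: sha256=(?P<sha>[0-9a-f]{64}))?"
)

# Constructed sample lines; the last one is deliberately malformed.
SAMPLE_LOGS = [
    "2016-01-20T09:01:02Z host=hr-laptop-17 dst=update-check.example-cdn.net",
    "2016-01-20T09:03:14Z host=scada-hist-01 dst=pay-now.example-extort.org "
    "sha256=" + "0123456789abcdef" * 4,
    "2016-01-20T09:04:55Z host=fin-erp-02 dst=intranet.corp.local",
    "garbage line",
]


@dataclass
class Alert:
    host: str
    indicator: str
    actor: str
    criticality: int
    score: int


def parse_line(line):
    """Return the parsed fields of one log line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def score(criticality, actor):
    """Assumed weighting: criticality dominates, extortion actors double it."""
    actor_weight = 2 if "EXTORTION" in actor else 1
    return criticality * 10 * actor_weight


def detect(lines):
    """Match each line against the feed and return alerts, highest score first."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = rec["host"]
        crit = ASSETS.get(host, (1, "unknown"))[0]  # unknown hosts get low weight
        hits = []
        actor = INDICATORS["domain"].get(rec["dst"])
        if actor:
            hits.append((rec["dst"], actor))
        if rec["sha"]:
            actor = INDICATORS["sha256"].get(rec["sha"])
            if actor:
                hits.append((rec["sha"], actor))
        for indicator, act in hits:
            alerts.append(Alert(host, indicator, act, crit, score(crit, act)))
    # sorted() is stable, so equal scores keep log order
    return sorted(alerts, key=lambda a: a.score, reverse=True)


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f"{a.score:4d} {a.host:15s} {a.actor:20s} {a.indicator}")
```

The point of the ranking is not the particular weights, which any organization would replace with its own, but that the same indicator produces a different response depending on which asset it touches and which actor it is attributed to. That is the practical form of the asset-based, intelligence-informed posture described above.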
John Nugent is a senior cyber security consultant at Control Risks, the world’s leading political, integrity and security risk consultancy.
This article was written by Control Risks from Forbes and was legally licensed through the NewsCred publisher network.