Last Friday, the Department of Justice indicted 13 Russians and three Russian companies for interfering with the 2016 elections. Also last week, several countries including the U.S., the U.K., Canada, Australia, and Denmark accused Russia of being behind last summer's NotPetya attack.
"[NotPetya] was part of the Kremlin’s ongoing effort to destabilize Ukraine, and it demonstrates ever more clearly Russia’s involvement in the ongoing conflict," said White House Press Secretary Sarah Sanders. "This was also a reckless and indiscriminate cyber attack that will be met with international consequences."
Even though both attacks had political targets, the final list of victims wasn't limited to just political organizations and critical infrastructure providers. "NotPetya had substantial impact beyond the intended political targets, disrupting the IT systems and operations of thousands of civilian organizations worldwide," says Steve Grobman, CTO at McAfee. "It’s critically important to ultimately hold nations accountable for the comprehensive damage inflicted by such attacks.”
Civilian organizations that are targeted by state-sponsored attacks or suffer collateral damage are at a disadvantage when it comes to identifying the attacker. Governments are in a better position to identify the perpetrators behind such attacks, Grobman says, since they have access not only to cyber forensics but also traditional intelligence data.
In cyber war, everyone is a target
Nation-state attackers typically go after political targets: the Democratic National Committee, government agencies, critical infrastructure, and defense contractors. It's become increasingly clear that any company, in any industry, could be affected, either as a result of being a deliberate target or as collateral damage in a wider attack.
Campaigns like NotPetya can hit any company, of any size, and even deliberate, targeted, advanced attacks can hit any industry. "Private entities are being targeted every day," says Adam Meyers, VP of intelligence at CrowdStrike.
North Korea is targeting Bitcoin exchanges and global financial institutions, he says. Chinese groups go after companies making specialized medical hardware and other technology. "You name an industry, and I can tell you a threat actor that we've seen targeting it," he says.
This year's Winter Olympics received its share of cyber attacks as well. Targeted companies included utilities companies, display screen manufacturers, construction companies that were involved in Olympics-related building projects, media firms, and telecoms, he says.
The Russian attacks on the US elections is another example of an attack that went after a very broad range of targets, and where a government-sponsored investigation can bring in substantial resources. In addition to last week's indictments, for example, the Justice Department announced a new cybersecurity task force this Tuesday. The task force will investigate, among other things, Russia's "use of the internet to spread violent ideologies and to recruit followers; the mass theft of corporate, governmental, and private information; the use of technology to avoid or frustrate law enforcement; and the mass exploitation of computers and other digital devices to attack American citizens and businesses."
Who conducts cyber warfare? Almost everyone
Russia isn't the only player in this new era of global cyberwarfare. This Tuesday, FireEye reported that North Korea is expanding its cyber capabilities with tools such as zero-day vulnerabilities and wiper malware, with the goal of targeting South Korea as well as various industry verticals in Japan, Vietnam and the Middle East. FireEye also tracks cyber espionage teams associated with Iran and China.
The cyberattacks go both ways. The U.S. and Israel famously cooperated on the Stuxnet attack against Iran's nuclear program. General James Cartwright and former vice chairman of the Joint Chiefs of Staff under Obama, pled guilty to lying to the FBI about spilling the beans on the operation.
"It is easy for some to look at demons like Russia or China," says Adi Dar, CEO at Cyberbit Ltd., "but I don't believe they are the only ones that are doing this. It is really all over."
When it comes to cyberspace, he says, the world is a very, very small place. "You can sit in whatever country and whatever city and whatever building and attack another organization, state, or enterprise, wherever it is."
Is this World War III? "Nations are testing the limits and seeing what reaction they're going to get," says Alon Arvatz, co-founder and CPO at IntSights. "I wouldn't say we're in a war, but in some type of cold war or pre-war. Nations are still trying to hide their identities."
Outsourcing cyber warfare arms conventional attackers
Even if a nation doesn't have its own in-house resources, many criminal groups or shady cybersecurity firms are willing to do the work as long as they get paid. That ties into another insidious effect of the global cyber war -- nation states are investing heavily in tools and exploits that then leak out into the wider criminal underground. "The use of these tools and techniques has definitely spread into the commercial space," says Ashley Stephenson, CEO at Corero Network Security.
Most notably, the hacking group Shadow Brokers has released tools stolen from the NSA. "The techniques and tools quickly spread and mix with the general bad guy population," he says.
Cyber war by proxy makes attribution harder
Nation-states also use proxies to fight their cyber wars. In last week's indictment, for example, the Justice Department singled out the Internet Research Agency, a notorious troll farm based in St. Petersburg, Russia.
This is a new kind of proxy war, says Tim Maurer, co-director of the Cyber Policy Initiative at Carnegie Endowment for International Peace and author of the book "Cyber Mercenaries: The State, Hackers, and Power," published last month by Cambridge University Press. In the past, global super powers used smaller nations as proxies in their wars. Today, they use a wide variety of external groups such as consulting companies and criminal outfits, he says.
The amount of control they impose varies by country, he added, with some countries taking a very hands-off approach and just looking the other way as long as the groups support the country's strategic goals and avoid going after internal targets. Some countries impose more oversight, and coordinate activities among the groups. Others treat them as subcontractors, with a very tight rein on their activities.
That makes assigning responsibility extremely difficult, Maurer says. If an attack can be traced back to a group affiliated with a particular country, is it enough that the nation-state could have prevented the attack but didn't? We haven't had this discussion when it comes to cyber incidents," he says.
What constitutes a cyber attack? Nations disagree on the definition
There are also some sensitive issues around what a cyber attack is. In some countries, disseminating certain cultural or political information is a crime, for example. Even limiting discussions of cyber attacks to those against critical infrastructure can be problematic.
"The diplomats who are negotiating this at the UN have very purposefully shied away from defining what critical infrastructure means, because different countries prioritize critical infrastructure differently," Maurer says. "But there are shared expectations of what crosses the line -- if the power goes out, or the financial system is targeted, or hospitals and people would die -- there are areas where there is a consensus, even if it isn't spelled out." It will take time for the international community to work out what the standards are, he says.
Meanwhile, even with attribution, indictments, sanctions or other actions, the reaction to a cyber attack usually comes too late to do much good for the people and companies affected.
How do you defend against nation-state attacks?
Too often, security experts throw up their hands in the face of nation-state attacks. "Nation-states have almost infinite resources," says Varun Badhwar, CEO and co-founder at RedLock. "I don't think, realistically, private organizations can protect their infrastructure against all those types of attacks."
"If you have something of interest to some shape or form, then it's not so much whether you will be breached, but when you will be breached," says Gabriel Gumbs, VP of product strategy at STEALTHbits Technologies. "You're not going to be able to keep that state-sponsored attacker out."
Nation states, after all, have a wide variety of tools at their disposal, including zero-day exploits, top-notch brainpower, and spy agencies with moles and informants, intercepted communications, and access to hardware and software technology supply chains. "A determined actor can easily bypass current cyber-defenses," says Fraser Kyne, EMEA CTO at Bromium.
Waiting for the international community to act isn't likely to help much anytime soon. The nations responsible for the worst attacks -- Russia and North Korea -- are already under sanctions. "If North Korea can launch ICBMs with impunity, how can we expect a nation-state to be held to account for cyberattacks?" says Carson Sweet, co-founder and CEO at CloudPassage.
Fighting back in cyberspace is has its own pitfalls. "Often there's no clear target that would affect a sense of retribution or -- more importantly -- serve as a deterrent," says Sweet. "For example, you can't take down an adversary's power grid, because that would impact civilians."
That doesn't mean that companies can't fight back at all. Instead, they should have technology and processes in place to identity zero-day and unknown attacks, says InSights' Arvatz. Machine learning and artificial intelligence tools can help spot suspicious behaviors. In addition, security teams at companies with reason to believe they're being specifically targeted should actively hunt for possible intruders in their systems.
In addition, companies need to cover the basics, as well, such as keeping all software patched and up to date. "Nation-state actors are also using traditional tools to attack," says Arvatz.
Finally, there's the human element. Many breaches involve an employee making a mistake, and that mistake allows the attacker to gain the first toehold. "You can have the best burglar alarm but if you leave your front door open, the criminals will come in," says Mike Bruemmer, VP of consumer protection at Experian Information Solutions.
Nation-state attackers, like all others, will also prioritize. If one potential target is much less defended than another, it makes sense to go after the weakest one first, he says.
Even if a company might not be able to guarantee that they will keep all sophisticated attackers out, they can significantly alter the odds in their favor. Meanwhile, once the attackers get in, there are plenty of opportunities for companies to reduce the damage that they can cause.
When nation-state attackers are going after sensitive information, such as intellectual property, devaluating that information can be effective, says Ellison Anne Williams, founder and CEO at Enveil, who spent 12 years as a researcher for the NSA. That means encryption, she clarifies. "Take what they're going to try to steal, and make it useless to them," she says.
Companies typically focus on encrypting information with commercial value, such as credit card and social security numbers. Nation-states, however, may be looking for information about industrial processes, business deals of strategic importance, or even embarrassing personal information that can be used for blackmail or disruption. This kind of information may be less well protected, not protected at all, or even shared with small service providers without good security processes in place.
Williams could not comment on the specifics of her work at the NSA, but did say that, despite movies and TV, encryption does work. "If you use good secure, encryption, it's difficult to break no matter who you are," she says. "Images of teenagers breaking real encryption are just fantasy."
When encryption does fail, it's usually due to problems with implementation and configuration, she added. "You have to make sure it's configured correctly, using the appropriate bit level of security, and are monitoring it," she says.
Another technology that can help protect systems even if attackers get in is microsegmentation. "Virtualization is a game-changer," says Bromium's Kyne. "By isolating all applications within virtual machines, malware is rendered useless – hackers have nowhere to go, nothing to steal, and organizations can go about business as usual.”
The immediate future looks grim with more attacks from more sophisticated sources. "We are not headed for a free-for-all situation, where countries are attacking each other, and we're all getting caught in the cross-fire. We are already there," says Mounir Hahad, head of threat research at Juniper Networks. "Some of these attacks, especially in cases when critical infrastructure is involved, are very serious and could very soon start being considered as an act of war," he adds.
Long term, however, there's light at the end of the tunnel. The first big step, acknowledging that there is a problem, has already been taken. "I think there is a mentality shift among the US intelligence community toward openly attributing attacks," says Hahad. "In the past, they would have known with high confidence who the perpetrators of a particular attack are, but that information would not be made public."
Next, he says, there will be action. Either the United Nations will adopt a resolution that will give victim states the right to defend themselves, or the US will issue a statement that draws a line in the sand.
"The same international forces that drove the development of the Law of Armed Conflict will assert itself in this environment as well," says John McClurg, VP at Cylance, who was previously a supervisory special agent at the FBI. "A free-for-all isn’t in the long-term interests of any nation state."