Nation-State Cyberthreats Persist
We are often told that particular threats were the responsibility of a certain nation-state, and that there was a clear difference between those nations and cybercriminals. While it made good copy, the cybersecurity domain has always been crowded, and the collaboration between nation-states and criminal elements continues, with China and Russia the most glaring examples.
The use of the criminal element to do one’s bidding ostensibly provides the nation supporting the activity plausible deniability – “That wasn’t us. Those evil-doers should be punished!”
Recently, we heard Admiral (ret.) Mike Rogers, former director of the National Security Agency, during an interview with Darren Thomson, head of cyber security strategy at CyberCube Analytic, at the NetDiligence Cyber War Webinar Series, declare that “almost every major actor right now, nation-state, criminal, etc. is just incentivized for more and more activity because they are having great success.” Rogers maintained that the primary threat actors remain non-state actors (criminals or terrorists) and, among nation-state actors, China, Russia, North Korea and Iran.
“One of the reasons why you don’t see criminal actors or non-state actors, for example, use supply chain significantly is quite frankly, a supply chain attack, it takes a lot of time. It takes a lot of focus, and you have to commit resources to make it successful,” he noted. He continued, describing supply chain attacks as having “high payoff potential if it is successful … when it does work, it tends to work really well. So, it’s a high payoff, but it’s a high cost.” The breadth of the SolarWinds attack seemed to support Rogers’ observation. It was executed with precision, over time, and thousands of entities were successfully compromised.
Those lines between “nation-state[s] and criminal group[s] blur,” he said.
To that end, U.S. President Joe Biden issued the “Notice on the Continuation of the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities” on March 29. The underlying order, originally issued April 1, 2015, as Executive Order (E.O.) 13694, was intended to deal with the “unusual and extraordinary threat to the national security, foreign policy, and economy of the United States and severity of malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States.” The President ordered the continuation of this order for a period of one year, through April 1, 2022.
E.O. 13694 aims to block the properties of persons engaged in significant malicious cyber-enabled activities. Among those who have been sanctioned via this executive order is Yevgeniy Prigozhin, whose Internet Research Agency is used to spread misinformation and disinformation globally. Additionally, both Russia’s Military Intelligence entity, the GRU, and the Federal Security Service, the FSB, have been sanctioned by the U.S. Treasury.
The question remains, will these sanctions be sufficient? Or will the U.S. augment the reactive approach to addressing cyberthreat activities with a more proactive approach? A more proactive approach would require penetration of those entities targeting the United States, be they criminal or nation-state. As Rogers noted, and as evidenced by the SolarWinds aftermath, the status quo has provided adversaries with large-scale successes for their activities.