لنستخرج كنوزا من المعرفة و الإبداع و العلم و الأفكار
Cyberattacks have occurred for decades, but the Stuxnet incident marked a pivotal moment in cybersecurity. Stuxnet, a cyber operation that targeted gas centrifuges used in Iran’s uranium enrichment program in Natanz, launched a global cyber arms race when it became public in 2010. While its impact was primarily contained to Iran’s nuclear facility, the high-profile attack demonstrated how nations can weaponize cyber tools to wreak havoc not only on computers and servers, but on critical infrastructure and government facilities to achieve foreign policy objectives. Since then, malicious actors have used and modified the Stuxnet code to attack a range of targets, including water treatment plants, power plants and gas lines. Although no one has claimed responsibility for Stuxnet, it possesses the signature of a state operation with cybersecurity experts linking its origin to US and Israeli intelligence.
Two years after Iran learned of Stuxnet, it initiated its own cyberattacks, first against the world’s largest oil company Saudi Aramco, in which hackers destroyed data on 30,000 computers, and later on American banks, causing millions of dollars in lost business. By 2014, North Korea joined in the cyber arms race with a hack into Sony Pictures that caused as much as $35 million in damages. Amid these attacks, then-US Defense Secretary Leon Panetta sounded the alarm over the potential for a “cyber Pearl Harbor” on critical infrastructure.
As threats to governments and private industry spread across borders, the UN’s Group of Governmental Experts (GGE) on Information Security called in 2013 and 2015 for the application of international law in cyberspace, including voluntary norms of responsible state behavior, state sovereignty, and the protection of human rights and fundamental freedoms, to which all members of the UN General Assembly agreed. In 2016, the North Atlantic Treaty Organization (NATO) similarly recognized the growing risks to international security, identified cyberspace as an operational domain and expressed the need for member states to bolster their cyber defense of national infrastructure.
To date, however, these efforts have demonstrably failed to deter attacks, hold bad actors accountable or sufficiently protect citizens. Rapidly evolving cyber capabilities, declining costs and relatively low barriers to entry have made the digital weapons increasingly accessible and powerful tools, and a force-equalizer among state and non-state actors. While essential for 21st-century economies, the proliferation and integration information and communication technologies (ICT) further expands the attack surface, requiring more agile and sophisticated defenses.
The Rise of State-Sponsored Hacking
Cyberspace is now a strategic domain as states use cyber tactics to conduct stealth attacks on rivals and target private industry for espionage and commercial gain, helping to level the geopolitical playing field. For state actors, the cyber domain is fast becoming the weapon of choice and is a “short of war” means to pressure other governments, manage conflict, impose costs on leaders and project national power. Over the last few years, the rate and sophistication of cyber incidents has increased sharply. According to a recent study by HP, from 2017 to 2020 the frequency of state-sponsored cyberattacks doubled, with an average of 10 publicly attributed cyberattacks per month in 2020. Threat actors’ techniques have also advanced, making them harder to identify and more threatening to targets.
While the types of operations have varied, they have increasingly taken the form of mis- and disinformation campaigns. The Oxford Internet Institute found that in 2020, organized disinformation campaigns were waged in 81 countries, and government agencies in 62 countries used computational propaganda to shape public attitudes. States’ growing use of ICT-enabled covert information campaigns that seek to influence the overall stability of other states is raising concerns about their threat to the international community. These campaigns already permeate society and institutions, and we are only beginning to discern the breadth of damage and costs.
While mis- and disinformation attacks are on the rise, the preponderance of known state-sponsored cyberattacks involve data extortion through the use of ransomware, intellectual property (IP) theft and surveillance. As the boundary between the physical and digital world shrinks, such politically motivated cyberattacks can inflict widespread damage and tremendous direct and indirect costs—with consequences that transcend borders. In the past year alone, intelligence-gathering attacks to acquire vaccine-related IP have been linked to China, Russia and North Korea; Chinese state-sponsored surveillance operations and espionage efforts targeted pro-democracy organizations and individuals in Hong Kong; and unattributed ransomware attacks spread across more than 400 hospital and healthcare facilities in Puerto Rico, the United Kingdom, and the United States, causing an estimated $67 million in damages. While such attacks are a global issue, the US is the most targeted country for nation-state activities, followed by the UK, Canada, South Korea, and Saudi Arabia, according to Microsoft’s 2020 Digital Defense Report.
Perhaps as worrisome as the attacks themselves is their frequent and increasing use during peacetime, when rules of engagement and international humanitarian law do not clearly apply. As cyber defenses of high-value targets have improved, threat actors have turned to supply chain attacks in which they compromise a supplier’s software or hardware prior to installation in order to infiltrate data and manipulate IT hardware, operating systems, or services. In 2019, supply chain attacks increased by 78 percent. According to HP, at least 27 supply chain attacks associated with state-sponsored actors occurred between 2017 and 2020. The rapid digitalization of industry and services, and growing reliance on digital infrastructure, particularly during the pandemic, have experts anticipating further escalation of such attacks across cyberspace.
State actors also conduct cyberattacks targeting physical infrastructure during or in response to kinetic conflicts. This blend of conventional and non-conventional methods of warfare is known as “hybrid warfare.” In a 2020 study, 40 percent of analyzed state-sponsored incidents involved a cyberattack on assets that have both physical and digital components, such as power plants, waste water systems and running dams. Such strategies are invaluable to state actors’ efforts to advance their broader regional and geo-strategic policy goals, as demonstrated by the destructive attacks by Russian-backed hackers that sabotaged critical infrastructure in Estonia, Georgia, and, most dramatically, Ukraine, where in 2015 a quarter-million Ukrainians lost power after a cyberattack.
Cooperation Between State-Sponsored Attackers and Cybercriminals Elevates Security Risks
The cyber weapons used by state actors vary in sophistication and scope, with half of cyberattacks involving low-budget tools. More complex cyber weapons and operations can be resource-intensive and require vast domain and server infrastructure, as well as talented hackers on hand. For instance, threat actors may seek an unknown vulnerability in software – a zero-day exploit – in order to penetrate a system, especially one not connected to the internet. Such an operation can be expensive, with documented prices for a zero-day exploit ranging from $60,000 to $2.5 million, with no guarantee that the exploit will work. As a result, some state-sponsored attackers are leveraging the cybercrime market and collaborating with cybercriminals to fund and support their cyber operations.
The costs of these attacks to the victims and to society are growing exponentially. In 2021, Colonial Pipeline, an American oil pipeline system that originates in Houston, Texas and carries gasoline and jet fuel to the southeastern United States, suffered a ransomware attack that resulted in a $4.44 million payoff ($2.3 million was later recovered), drastically raised gas prices, and necessitated restoration work costing tens of millions of dollars. Weeks later, JBS Foods, the world’s largest meat company by sales, also paid $11 million in response to a ransomware attack by a Russian-linked cybercriminal group that forced nine plants to shut down in Australia, Canada, and the US. Experts fear that the disruption, which put immense pressure on an already strained global food-supply chain, may inflate beef prices for the next two to three years. By 2025, cybercrime is anticipated to cost the global economy $10.5 trillion per year (or $20 million per minute), greater than the current nominal GDP of Japan and Germany combined.
Despite the high cost of such attacks, some governments remain unwilling or unable to prosecute these types of crimes, allowing many cybercriminals to continue their ransomware attacks with impunity. The US Ransomware Task Force called ransomware a “national security risk that threatens schools, hospitals, businesses and governments across the globe.” Proceeds from ransomware attacks can help fund state-sponsored objectives, such as developing a nuclear weapons program or evading economic sanctions. This was illustrated by a 2016 incident in which North Korean state-sponsored hackers attempted to steal at least $1 billion from financial institutions around the world and successfully ran off with $81 million from Bangladesh’s central bank. Such risks are compounding as threat actors learn from one another and replicate tactics and tools employed by advanced state and non-state actors alike. In some instances, governments have shared hacking tools with cybercriminals and have purchased custom-made weapons, such as targeted malware or software exploits, through the dark web and other covert sources, in addition to stockpiling zero-day exploits. The emergence of sophisticated “cybercrime-as-a-service” schemes have afforded anonymity to state actors that seek to mask their efforts behind third-party contracts, thereby establishing “an almost impenetrable wall of plausible deniability.”
As the ease of conducting cyber operations grows, and more actors navigate the cyber arena, hacks by smaller, loosely affiliated, and ideologically motivated groups are also emerging as security threats. Recent examples include the ransomware hacks against French hospitals, the attempts to change the chemical levels in a Florida water-treatment facility, and the attack on the Massachusetts Steamship Authority this past year. Although the occurrences of cyber incidents around the globe can appear isolated from one another, the capabilities and impacts transcend borders.
Direct and Indirect Costs of State-Sponsored Attacks are Mounting
In addition to the harm inflicted on the direct targets, cyber vulnerabilities pose serious risks to the global economy as hacks cause large-scale business disruptions, revenue loss and reputation damage. For example, the 2017 NotPetya attack targeted Ukraine, but the impacts spread across Australia, Europe, and the United States, devastating global businesses and critical infrastructure and causing an estimated $10 billion in losses. According to the Foundation for Defense of Democracies, a three-day cyber disruption of a managed service provider can lead to an economic loss of almost $80 billion. The hidden consequences of cyberattacks include insurance premium increases, higher interest rates for borrowed capital if a potentially vulnerable entity is perceived as a high-risk borrower, loss of contract and future opportunity revenue, and loss of trust by customers and citizens.
While intangible losses are difficult to quantify, they play a significant role in the decision-making and risk assessments of potential targets. Often, in fear of reputational costs, companies overstate their confidence in their ability to address cyber threats, particularly those posed by states actors, with firms in Asia exhibiting greater concern and readiness than their European or North American counterparts. Indeed, a Ponemon study determined that 47 percent of private-sector organizations in the UK and the US have not assessed the readiness of their incident response teams. A 2020 review by Dragos also found that 90 percent of analyzed companies had little to no visibility into their industrial control system (ICS) environments, which play essential roles in critical infrastructure management and security. Given that in the US, 85 percent of federal infrastructure is owned by the private sector, according to the US Federal Emergency Management Agency (FEMA), these assessments suggest that government defenses are likely not faring much better.
