The Rise in Nation-State Cyber Threats

Today’s threat landscape includes nation-state actors as well as attackers looking to test their skills or turn a profit. AT ISC2 Security Conference in Las Vegas, CISA advisor and former New York Times cybersecurity journalist Nicole Perlroth took the stage to discuss what has changed over the last 10 years of cyber warfare. Her presentation was the capstone of the conference, held Oct. 13-16.

Nation-state attackers look for ‘target-rich, cyber-poor’ victims

Perlroth presented a timeline of nation-state attacks she covered throughout her journalism career, from 2011 to 2021. Barriers to entry for attackers have worsened since she began her career, with ransomware-as-a-service evolving into “a well-oiled economy.” The CrowdStrike outage showed how much a widespread attack could disrupt operations.

While it used to be conventional wisdom that the United States’ geographical location kept it isolated from many threats, “those oceans don’t exist anymore” when it comes to the cyber landscape, Perlroth said. Likewise, the digital “edge” has transformed into the world of the cloud, software as a service, and hybrid workforces.

“The new edge is the people, it’s the endpoints,” Perlroth said.

Attacks on this new frontier could take the form of deepfakes of targeting CEOs or nation-state attacks on critical infrastructure. Perlroth focused her discussion on Chinese state-sponsored attacks on U.S. infrastructure and businesses, such as the 2018 cyber attack on the Marriott hotel chain.

Marriott or Change Healthcare were “target-rich, cyber-poor” environments, Perlroth said. These environments may not have large, dedicated cybersecurity teams, but have valuable data, such as the personal information of government workers who may have used the health system or visited a hotel.

Another target-rich, cyber-poor environment Perlroth said defenders should focus on is water treatment. Local water treatment facilities may not have a dedicated cybersecurity professional, but an adversary tampering with water utilities could prove catastrophic.

“The code had become the critical infrastructure and we really hadn’t bothered to notice,” Perlroth said.

Russia, China explore cyberattacks in connection with military action

In terms of wider geopolitical implications, Perlroth notes cybersecurity professionals should be especially aware of Russia’s military offensive and of China eyeing a possible incursion into Taiwan in 2027. Threat actors could aim to delay U.S. military mobility or use social engineering to sway public opinion. The U.S. has a mutual defense pact with Taiwan, but China has seen the U.S. “waffling” in the defense of Ukraine, Perlroth said.

Perlroth said geopolitical commentators have been surprised there haven’t been more cyber attacks from Russia in concert with the attack on Ukraine. On the other hand, there have been significant cyber attacks around Ukraine, including DDoS attacks and the interruption of commercial ViaSat service just before the war began. PIPEDREAM, a Russian-linked malware, may have been intended to strike U.S. infrastructure, Perlroth said.

SEE: How to Create an Effective Cybersecurity Awareness Program (TechRepublic Premium)

Generative AI changes the game

“The biggest change in cybersecurity has been AI,” Perlroth asserted.

AI enables companies and threat actors to craft zero-day attacks and sell them to governments, she said. Attackers can generate new code with AI. At the same time, defenders equipped with AI can reduce the cost and time it takes to respond to major attacks. She anticipates the next large-scale enterprise attack, like the SolarWinds hack, will start from generative AI-related systems.

Cybersecurity professionals should study how to ensure employees interact safely with generative AI systems, she said.

How can cybersecurity professionals prepare for large-scale attacks?

“We need to start doing a sort of sector-by-sector census to see what is the Change Healthcare of every industry,” said Perlroth. “Because we know our adversaries are looking for them and it would be great if we could get there first.”

The good news, she said, is that cybersecurity professionals are more aware of threats than ever before. Cyber professionals know how to persuade the C-suite on security matters for the well-being of the entire organization. CISOs have become a type of business continuity officer, Perlroth said, who have plans for how business can resume as quickly as possible if an attack does happen.

Cybersecurity professionals should factor in the culture, management, budget, HR, education, and awareness in their organizations as well as technical skill, Perlroth said. The primary questions cybersecurity professionals should ask is still “What are my crown jewels and how do I secure them?”

Although her presentation emphasized the scope and prevalence of threats, Perlroth said her goal wasn’t to scare people — a tactic that has been used to sell security products. However, cybersecurity professionals must strike a balance between maintaining confidence in existing systems and explaining that threats, including nation-state threats, are real. Stories like the disruption of the PIPEDREAM attack should “give us immense hope,” she said.

As she concluded: “We have picked up some serious learnings about what we can do together in the government and private sector when we come together in the name of cyber defense.”

Disclaimer: ISC2 paid for my airfare, accommodations, and some meals for the ISC2 Security Congress event held Oct. 13–16 in Las Vegas.