In recent weeks, reports have surfaced about several cyberattacks that targeted patient health records, critical infrastructure intelligence, employee data and personal financial and credit card information. Collectively, these breaches demonstrate both the diversity of targets and their shared vulnerabilities.
Specifically, the breaches suffered by the U.S. Nuclear Regulatory Commission (NRC), U.S. Investigative Services (USIS) and more recently four banks including JPMorgan point to an alarming reality: state-sponsored cyberattacks are fast becoming the method of choice for foreign governments to infiltrate and steal information and intelligence from U.S. businesses – and we are woefully underprepared to stop them.
There has been endless speculation about the reason for these breaches, with most experts pointing to two primary motives: retaliation for U.S. economic sanctions and intelligence gathering for other, potentially more nefarious purposes.
USIS, the largest provider of background investigations for the Department of Homeland Security, experienced a data breach that compromised the personal information of 25,000 employees. While this breach represents another black eye for USIS, as it was the firm that performed the background checks for Edward Snowden and for the U.S. Navy Yard shooter, the broader implications of this attack are serious and highly concerning. This type of attack is almost always intended to identify potential recruitment candidates for intelligence purposes. By collecting such information, the sponsors behind this attack will now be able to systematically identify which members of the U.S. security clearance population might be suitable for a targeted approach by a foreign government.
Similarly, the NRC suffered its third hack in three months as a result of a phishing attack. The breaches appear to have been designed to gather information on the intentions and capabilities of U.S. nuclear assets and to probe the cyber readiness of the NRC workforce.
This should not come as a surprise to anyone who has been following similar attacks against U.S. SCADA and industrial control system (ICS) environments. All 16 sectors of U.S. critical infrastructure, including nuclear reactors and materials, are obvious targets for foreign actors seeking to exploit vulnerabilities in water, energy, and other critical infrastructure essential for daily life.
What should we do now?
These breaches illustrate an important and alarming shift in the cyber threat landscape as our adversaries increasingly leverage cyber strategies to exploit vulnerabilities and further their own national interests or influence U.S. political or economic policies. This isn’t to suggest that state-sponsored data breaches are a new threat, but these recent, real-world breaches should serve as a thunderous wakeup call for organizations of all sizes and in all industries.
As the techniques hackers use have become more sophisticated and effective, the cybersecurity preparedness of U.S. organizations hasn’t kept pace with the threats against them. Although companies spend millions on technology solutions to deter, detect, and deflect unauthorized access and network intrusion, these breaches keep happening. Clearly, these efforts aren’t working. With the threat of foreign-sponsored cyberterrorism looming, we need to make a change in how we think about and approach cybersecurity. Below are a few thoughts for consideration.
- For starters, we need to stop thinking about data breaches as solely external threats. More than 70 percent of all reported breaches are attributed to the actions of a trusted insider, a strategy the Chinese have used for years to infiltrate U.S. businesses and steal sensitive data and intellectual property.
- We must take a more holistic view of our security preparedness. If an adversary is determined enough, he will persist and identify an attack vector that offers the path of least resistance. This could be done by targeting a privileged insider, exploiting a physical security vulnerability, or even exploiting the lack of network segmentation between a company’s network and that of a third-party contractor or supplier.
- It should not fall on a select few to defend an entire organization. Organizations must create a security culture and encourage vigilance across the company. Every employee – from the janitor to the CEO – should receive frequent, up-to-date training on security procedures, processes, and threat identification, specifically recognizing phishing attacks, spotting insider-threat anomalies, and understanding other techniques used by foreign hacker groups.
In today’s cyber environment, there is no such thing as total security. Nor is there any reason for negligence, especially when U.S. innovation and security are at risk. In order to defend against foreign-sponsored cyberattacks, we must accept that traditional IT security, while essential, is not a panacea. Instead we must adopt a more comprehensive philosophy that views security through a holistic lens that incorporates the physical, technical, and administrative risk across the entire organization, including third-party threats and the insider threat lurking within. Only through this approach can we identify our vulnerabilities and prevent a serious data breach from occurring in the first place.
Armond Caglar is senior threat specialist at TSC Advantage and has 10 years of international security and consulting experience. He has managed complex global projects as well as led specialized training and awareness programs focusing on threat remediation and intellectual asset protection for both the private and public sector.