Much has changed since the first major offensive nation-state attack went public with Stuxnet, in 2010-2012. Just three years later, cybersecurity has become a common weapon of war, and countries are mulling their next move on that front at the highest levels of government. But big obstacles remain when it comes to determining the rules of engagement.
There’s no question that nation-state activity has escalated precipitously. “The Stuxnet operation at the time was the most sophisticated state-on-state attack—the US-Israeli-led attack on Iran’s nuclear program,” said David Sanger, national security correspondent at the New York Times, speaking on a media panel at FireEye’s annual Cyber Defense Summit. “It was very hard to find other major state-on-state actions. Now, you have China and OPM, North Korea and Sony, Iran against Saudi Aramco and RasGas. That tells you that this has moved from a story about criminal activity and fraud to a new weapon of war, one which countries could use for things that previously they would only do by covert action, such as bombing nuclear or scientific facilities.”
The pace of the activity cannot be overstated. “Five years ago an attack with 10,000 credit cards stolen would be a big story,” said Damian Paletta, reporter at the Wall Street Journal. “But now it’s every week that we hear about 10 million things stolen. The sheer number of these attacks is astounding. So governments now feel that they don’t have a choice: To survive, they feel that they need to build offensive cyber into their military organizations.”
That includes the United States. President Obama has made it clear that a destructive attack against the US infrastructure or that of its allies can be considered an act of war. But what constitutes a “destructive attack” is still up for debate.
“One of the few times the US named an adversary was [the] Sony hack—but that wasn’t against critical infrastructure,” said Michael Riley, a reporter with Bloomberg and Businessweek. “We vowed to respond but…what happened? Obviously they didn’t let the missiles loose.”
Part of the issue is that government is often hamstrung from acting because the private sector doesn’t necessarily want the government to be involved. As Sanger said, “In the private sector there’s the usual bifurcation between the people that say, ‘get the government out of our networks;’ and then when the big attack happens, it’s, ‘what is the government going to do for me?’”
Riley added, “Government is in a tough position—a huge amount of IP has left and gone to China. But there was a demand from [the] private sector not to have the NSA and the government on their networks.”
So, even as it overtly attempts to build a reporting network that takes input from all of the companies that are seeing activity, the government is also relying on well over 100,000 implants around the world to act as a sort of advance radar system, Sanger said. The Edward Snowden leaks have shown to what extent the NSA and other intelligence agencies are building out listening posts and infrastructure for anticipating attacks.
But here too there are obstacles—largely when it comes to figuring out how to streamline responses once attacks are identified. “Governments are helping themselves to data with offensive cyber-armies,” added Paletta. “But they’re also genuinely trying to figure this out. Agencies aren’t at a point where they have a plan to address this collectively. Everyone has their little bit of turf that they’re trying to defend.”
The panelists also pointed out one critical concern in the United States: the lack of political will to move cybersecurity forward as a legislative agenda item.
“In Congress, cybersecurity is a ‘like-to-do’ rather than a must-do—unlike raising the debt ceiling,” said David Perera, correspondent with Politico. “Only the government can have a deterrent strategy [as opposed to the security vendor community]. But I don’t think cybersecurity will affect the political process in the next year.”