Several regions around the world have emerged as key battlegrounds for cybersecurity, both as a destination for attacks from state and non-state actors, and as hubs of innovation in the fight against these threats.
The United States is not only a cybercrime launch pad, but also a place for innovation in security solutions. And there can be no denying that both China and Russia have hit the headlines accused of cyberattacks.
Dr Cathy Mulligan, research fellow at Imperial College Business School, points out that both China and Russia have extremely high levels of technical education, plus a fertile set of circumstances, such as geo-political threats combined with technical capacity. These factors come together not so much as a ripe breeding ground for hackers, but rather “a rational response to what China and Russia perceive as threats to their sovereignty”, says Dr Mulligan.
Vince Warrington, founder of Protective Intelligence, adds: “Russia has a well-established and sophisticated serious criminal network that can easily exploit talent. The influence of Putin’s doctrine of ‘the West is out to get us’ also plays well into the nationalistic pride of young Russian hackers.”
As for China, it can make up for any military cyber-graduate shortfall with civilian contractors. These provide “a veneer of plausible deniability, as well as a degree of initiative and flexibility that the military can’t always meet”, says Malwarebytes security researcher William Tsing.
According to the latest threat intelligence report from NTT Security, China has 731 million, or 20 per cent, of the world’s internet users. Attack source data has moved it from number three to two in the source countries for cyberattack in the third quarter of 2017. The intelligence report suggests finance (40 per cent) and manufacturing (31 per cent) were the most heavily targeted industries from Chinese sources. So in general terms, you could say China has invested in its cyberespionage capabilities to help fast track economic development.
“Russia has done the same,” says Ed Williams, senior threat intelligence consultant at Context Information Security, “but is also associated with using cyber-capability for cybersabotage and to conduct cyber-enabled information warfare.” In terms of cybercrime, the Russian state’s willingness to co-opt, coerce or collaborate with cybercriminals, as opposed to combating them, is a key factor.
Difficulty extraditing suspects is possibly the single largest problem in combating this global cybercrime wave. “Ideology and information warfare is often exercised both within actual state operations and in how they co-operate or don’t with others,” explains Ross Rustici, senior director of intelligence services at Cybereason. “This exercise of power allows them to shape agendas and change narratives to suit their purposes.”
So does identifying the threat group behind a given attack, and ostensibly the originating region, make any difference in the real world for organisations defending against that activity? Kyle Ehmke, senior threat intelligence researcher at ThreatConnect, thinks so. “Understanding the who, how and why of an attack are key components that organisations should seek to identify,” he says. “These aspects of threat intelligence help organisations efficiently prepare for and respond to attacks from their biggest threats.”
Silicon Valley is often cited as spearheading innovation in the defensive cyberfight, but a much smaller nation may have usurped it on the frontline: Israel.
Israel has military conscription and a highly specialised cyber-intelligence operation within the military, known as Unit 8200
Because Israel has military conscription and a highly specialised cyber-intelligence operation within the military, known as Unit 8200, a culture of cybersecurity that belies the relatively small size of the country has been fostered. Most Unit 8200 alumni will leave after three or four years of service, so there is a constant pool of talent to draw upon. The Israeli technology sector benefits from this experience as the sheer number of innovative cyber-startups shows.
Phil Neray, vice president of industrial cybersecurity at Israeli firm CyberX, thinks that both a strong entrepreneurial culture and the practical experience in cyberdefence from military service are equally important. “Working in a startup is very similar to being in an Israel Defense Forces (IDF) unit,” he says. “You work in small groups to solve major problems, with limited resources.” Mr Neray also points out that the IDF encourages soldiers to challenge and question authority; traits that are also very useful in cybersecurity startups.
Dima Stopel, co-founder at Twistlock, acknowledges the importance of Unit 8200 as a differentiator, driving innovative cyber-thinking in Israel, but doesn’t think it paints the complete picture. “Thinking out of the box is part of Israeli culture, and is encouraged even in kindergartens and elementary schools,” says Mr Stopel. Indeed, his company has bucked the general trend by leveraging cloud concepts to boost the security of organisations.
“Cloud-native entities are minimalistic, declarative and immutable, creating a much better security offering,” he says.
Cyber-startup Karamba Security has created automotive-specific cyber-solutions by thinking differently. Rather than trying to shoehorn existing datacentre solutions into the automobile industry, co-founder David Barzilai says: “Our software takes advantage of the fact that the car controllers are not user-changeable, and it seamlessly hardens them according to factory settings and deterministically prevents any change to it.” With self-driving cars becoming a reality and internet-connected vehicles already well established, it’s no great surprise that Karamba has grown so quickly.
The heavy churn of conscripts into the intelligence units of the military is the real key to Israel’s cyber success. Israeli cybersecurity veteran and chief scientist at Imperva, Amichai Shulman, says: “Since military units are forced to work with inexperienced people, they choose and groom those who have entrepreneurial qualities. Hence we have many people at a young age, highly motivated, highly trained who feed the industry, which is likely to create innovation in the space.”
The size of the country must also be considered. Unlike the United States, there is little scope to sell in the domestic market, if a company wants to flourish. So, at the earliest stages, Israeli cyber-startups are driven to conquer the world instead. Other than scale, about the only difference between Unit 8200 and the US National Security Agency (NSA), when it comes to the technical intelligence it produces, is that it doesn’t tend to leak like the NSA.
Finally, it’s widely accepted that Israeli intelligence units were behind the Stuxnet campaign uncovered in 2010 and which caused massive damage to Iran’s then-emerging nuclear programme. This is an important factor to consider as members of Unit 8200 are constantly being “exposed to the most technologically advanced systems, and face the most serious cybersecurity challenges, both as defenders and attackers”, according to Ofer Schreiber, a partner in leading Israeli cyber-investment company YL Ventures.
“These graduates usually combine a rare combination of offensive and defensive cybersecurity understanding, deep engineering skills and entrepreneurship,” Mr Schreiber concludes. “This is the main reason so many cutting-edge cybersecurity startups are founded in Israel every year.”