Ten years ago, back when the West was first waking up to the rising threat of Chinese state-sponsored cyber attacks, American legal scholar and political commentator Noah Feldman had this to say: “As a strategic matter, [these attacks] do not differ fundamentally from older tools of espionage and sabotage.”
At the risk of going all 007 here, the comparison remains an apt one today, whether we’re talking about attacks at the level of nation states, or among businesses and individuals. After all, the vast majority of cyber attacks don’t come direct from governments or the military; they generally involve a certain amount of deniability, given the various steps that can be taken to obscure an attack’s origin; and there are some significant prizes up for grabs, especially if the attack results in financial losses or major data breaches.
Crucially, though, anything goes. “Cyber war takes place largely in secret, unknown to the general public on both sides,” Feldman wrote. (The latter point there has aged a little, but we’ll forgive that.) “And best of all for China, the rules for cyber war are still very much in flux.”
How is cyber warfare changing?
Even a decade on, that state of flux is still a defining feature of modern cyber espionage. And the latest twist is that corporate cybersecurity providers around the world are increasingly finding themselves in the firing line. Were this a Bond movie, this would be the point at which the villain becomes obsessed with destroying our hero, usually to the detriment of their own dastardly plans.
And things really are getting personal out there. For instance, as the Financial Times reported last month, the CEO of one US-based cybersecurity company received a message earlier this year in which a hacking group declared that it had accessed his firm’s email server and threatened to publish sensitive data unless a ransom was paid. When the CEO refused to play ball, the hackers found his son’s passport details, school and telephone number online.
That experience is far from unique. Beyond conventional forms of attack, techniques such as ‘doxxing’ and ‘swatting’ – publishing someone’s personal details online, and calling in a police Swat team to someone’s address – are increasingly being turned against the good guys, as opposed to simply being used against familiar targets in the public and private sectors. The scale of the problem is such that the leaders of the US, UK, Australian, Canadian and New Zealand cybersecurity agencies issued a joint warning about the threat to managed service providers at last year’s CyberUK conference.
Why unconventional attacks demand smart investments
In short, then, we’re witnessing a campaign of aggression and intimidation which owes little to the era of the gentleman spy. In fact, this is where the Bond analogy is apt to break down entirely. The modern cybervillains aren’t doing this because of some particular animus they bear towards cybersecurity providers. Rather, going after those firms protecting their real targets – in this case, businesses – is a shrewd and calculated strategy.
Fundamentally, it’s a strategy that both cybersecurity providers and their clients will need to adapt to – and fast. To begin with, the cyber experts will need to get their house in order, or else they risk adding embarrassment to their more tangible losses when they themselves fall victim to an attack. In the short to medium term, that will mean investing in both technical upgrades and a thorough audit of existing processes and in-house skills, to ensure that all bases have been covered and gaps plugged.
And on the client side, most businesses would be well advised to pay far closer attention to their vetting process when selecting a cybersecurity provider. Hiring the flashiest firm that comes along and hoping for the best will no longer cut it. Instead, the C-suite needs to up its understanding of cybersecurity and start asking the right questions of their providers. After all, in an ever-evolving threat landscape, that may be the only quantum of solace up for grabs.