A series of recent breaches at United Airlines, Anthem and, most recently, Sabre Corp. and American Airlines are reportedly tied to state-sponsored cyber attackers. These attacks further highlight an important trend in the cybersecurity arena: Government entities are targeting corporations in addition to other governments, with far-reaching implications.
While “cyber attack” conjures images of destruction, these attacks are rarely about breaking things and are more often about affecting outcomes. Governments are beginning to use cyber attacks to influence very specific events and gain calculated strategic advantages, e.g., giving one company leverage over another in a competitive bid.
This is uncharted and complex territory from a policy perspective. To make matters worse, corporations currently have few incentives to report and share breach information, meaning these attacks will continue to escalate.
The U.S. government and the private industry are interconnected; this means that hackers can exploit a corporation’s weak security posture as an access point to government information, making these attacks a very real threat to national security.
The New Rules Are Revealed
In May 2014, the first public signs of cyber espionage appeared in the news. The U.S. Justice Department indicted five members of the Chinese military for hacking into computers and stealing valuable trade secrets from leading steel, nuclear plant and solar power firms.
Never before had the U.S. government leveled charges against another government for such crimes as computer fraud, conspiracy to commit computer fraud, damaging a computer, aggravated identity theft and economic espionage.
Eric Holder, U.S. Attorney General at the time, summed up all that was at stake:
“The range of trade secrets and other sensitive business information stolen in this case is significant and demands an aggressive response. Success in the global market place should be based solely on a company’s ability to innovate and compete, not on a sponsor government’s ability to spy and steal business secrets. This Administration will not tolerate actions by any nation that seeks to illegally sabotage American companies and undermine the integrity of fair competition in the operation of the free market.”
Despite his strong statement, protecting U.S. corporations from cyber attacks perpetrated by foreign governments remains an ongoing challenge.
Land, Sea, Air And Cyber
The United States has very specific and clear policies for defense when it comes to the land, the sea and the air, but cyber represents a fourth domain where U.S. policy is still in development. Corporations have raised questions about how the U.S. government can provide adequate assistance in the event of a cyber attack by a foreign government.
Policies must be created in a way that balances privacy and civil liberties. Businesses need legal protections that align with the modern threat landscape. But fashioning those protections presents a significant challenge, most notably rendered in self-disclosure or threat-intelligence-sharing debates.
Eat The Breach
Enterprises targeted by sophisticated attacks are not incentivized to report the breaches. There are no incentives for protections from litigation or fines that encourage companies to self-disclose a breach. A self-reported breach faces the same litigation or fines as a breach detected by law enforcement or discovered by way of publicly leaked documents.
Because there is little incentive from the government to self-report and because companies also risk a loss in consumer confidence and face the potential of backlash in the media, many companies would rather the breach not become public.
State-sponsored breaches are often about gaining a strategic advantage rather than causing damage.
Sharing breach information is widely proposed as a means to help enterprises protect against attacks. But a number of companies see little benefit in sharing threat information, as security is seen as a competitive advantage.
Informing a competitor of a potential threat helps the competitor better defend against that same threat. Companies that invest in security are reluctant to give their competitors free threat information.
Finally, there is a stigma that surrounds breaches. A common trend in cyber-breach announcements is the shaming of the victimized organization, especially the organization’s CIO or CISO. Harsh remarks toward the security leadership is commonplace in cyber-breach reports and media discourse. Following a breach report, IT leaders often step down and security teams are demoralized.
State-sponsored breaches are often about gaining a strategic advantage rather than causing damage, making the actual cost of a breach hard to quantify. Rather than spending money on remediation or risk fines and audits or public shaming, many companies simply eat the breach.
Organizations don’t report breaches unless absolutely necessary, e.g., when personally identifiable information is lost. More than likely, the number of breaches perpetrated by foreign government groups is much higher and pervasive than what is reported.
The Path Of Least Resistance
If government attacks on corporations could simply be written off as the price of doing business in the modern world, then enterprises could weigh the cost of a breach versus the cost of investment in security and proceed accordingly. Unfortunately, the situation is not that simple.
Many U.S. corporations produce products and services that are created or discovered after significant financial and time investments. These products and services are part of our economy and our daily lives. A compromised infrastructure or a breached industry affects all of its consumers — the U.S. government and private citizens alike.
Furthermore, the U.S. government is interconnected with the private sector through third-party contracting. When a foreign government launches a cyber attack against a private organization, the ultimate target could still very well be the U.S. government.
The attackers could be picking the weakest security point and working their way to the intended target. If we can’t create clear policies that protect enterprises and incentivize corporations to report and remediate breaches, the attacks will continue to escalate. The ultimate victims in all this are our national security and our strategic interests.