By Alberto Yépez, Managing Director, Trident Capital Cybersecurity
* In September, Yahoo reported that “state-sponsored” hackers stole data on about 500 million users in 2014, probably the largest-ever publicly disclosed cyber-breach. In addition to compromising personal identity data and consumer privacy on a massive scale, this is prodding Verizon Communications to consider renegotiating its pending acquisition of Yahoo. Likely aggressor: Unknown, but Russia is suspected.
* In July, the Democratic National Committee (DNC) reported an email leak in which more than 19,000 emails and more than 8,000 attachments were confiscated. Likely aggressor: Russian intelligence agencies.
* In July 2015, the U.S. Office of Personnel Management (OPM) announced that it had been the target of a data breach of millions of federal government employee records. Likely aggressor: Chinese intelligence agencies.
* In November 2014, Sony Pictures was hacked. The attackers erased corporate data, crippled the Sony network for days, and stole and released pre-release movies and information about thousands of employees. Likely aggressor: North Korea.
* In June 2012, the media belatedly learned that the so-called Stuxnet virus had ravaged Iran’s Natanz nuclear facility and reportedly destroyed one-fifth of Iran’s nuclear centrifuges, programming them to spin out of control. Likely aggressors: U.S. and Israeli intelligence agencies.
Could Next Major War Be Cyber?
There is often talk that the next major war will be a cybersecurity war. Of course, that’s far from certain. What is already abundantly clear, however, is that nation-states are regularly launching successful cyberattacks against each other, the frequency continues to grow, and such hostilities, while non-violent, indisputably have the potential to morph into something deadly.
It’s also troubling that nation-state cyberattacks are becoming a global problem, not one mostly limited to the United States, Russia and China. As more cyber-sparks become cyber-fires elsewhere, the odds increase for a serious cyber-conflict in a relatively large number of places in the world.
Earlier this year, for example, South Korea’s spy agency told government lawmakers that the number of North Korean cyberattacks had doubled in only one month. That was February—versus January. North Korea unsuccessfully tried to hack into the railway control system and computer networks of financial institutions in South Korea.
South Korea’s National Intelligence Service also accused North Korea of trying to hack into the smartphones of 300 South Korean foreign affairs, security and military officials, successfully penetrating 40.
Fear of a “cyber-Pearl Harbor”—mentioned by former U.S. Secretary of Defense Leon Panetta and other high-level officials—is not new. Policymakers have fretted over the possibility that nation-state hackers might blow up oil pipelines, shut down parts of the U.S. power grid, contaminate the water supply and send airplanes on collision courses by hacking air traffic control systems.
Cyber Attacks Not Yet Deemed Grave
So far, apparently none of this has occurred in America and, in fact, the severity level of cyber-incidents has been ranked an average of 1.65 on a scale of 5, according to The Washington Post. Level 5 is reserved for a threat to infrastructure, government stability or American lives. The real threat of cyberattacks today is roughly akin to the practice of North Korea regularly launching missiles that could be outfitted with nuclear weapons—disturbing, yes, but well short of imminent danger.
How the U.S. government has been reacting to nation-state attacks underscores, in part, that they are serious but not grave.
More than a year ago, the Obama administration determined that it must retaliate in some way against China for the theft of personal information from OPM. But it struggled to decide what it could do without sparking an escalating cyber-conflict. It isn’t clear what, if anything, the government ultimately did. Whatever it might have been was insufficient to warrant media coverage. Recent news reports suggest that similar hand-wringing has begun over a response to Russia’s hacking of the DNC.
Gravity of Attacks Could Worsen
None of this should suggest that the state of nation-state cyber-conflicts will not get much worse—and relatively quickly. Battles overseas have shown that high-level cybersecurity provides an edge on the battlefield. At home, the United States has entered a race with China and Russia to build destructive cyber-weapons that could seriously damage the infrastructure of other nations, according to Scott Borg, head of the U.S. Cyber Consequences Unit, a non-profit cybersecurity advisor to the U.S. government and businesses.
Borg has also said that all three nations have built arsenals of sophisticated computer viruses, worms, Trojan horses and other tools to inflict damage on one another or others. Borg and others have said that the U.S., for example, could shut down the electrical grid of a smaller nation if it so desired.
Separately—and even more worrisome—senior Pentagon and intelligence officials told Congress in March that China and Russia are preparing to attack and disrupt U.S. military and intelligence satellites in a future conflict with missiles, laser attacks and cybersecurity tools. “They (China and Russia) understand our reliance on space, and they understand the competitive advantage we derive from space,” John Hyten, commander of the Air Force Space Command, told a Congressional subcommittee.
Iranians Also Attacking the U.S.
More serious nation-state cyberattacks aren’t just theoretical. Consider, for example, an Iranian cyberattack in 2013—reported earlier this year—on a small dam 25 miles north of New York City in an attempt to infiltrate its computerized controls. The target was a small dam and the attack was unsuccessful. But it was nonetheless noteworthy because Iranians were seeking to control an operation, not merely steal information, potentially magnifying the impact of the attack.
The significance was not lost on New York Senator Chuck Schumer. “They (the Iranians) were sending a shot across the bow,” he said. “They were saying that we can damage—seriously damage—our critical infrastructure and put the lives and property of people at risk.”
The seven hackers involved, members of Iran’s Islamic Revolutionary Guards Corps, also breached or paralyzed several financial institutions, including the New York Stock Exchange. They didn’t get away scot-free; they were indicted by Attorney General Loretta Lynch. Iran itself, however, paid no price—and that is the sort of thing the government must begin to correct.
Alberto Yépez is managing director of Trident Capital Cybersecurity and a former serial cybersecurity entrepreneur.