14 AUG 2021
Attacks on information and communications technology infrastructure are becoming more common, as the recent spike in ransomware attacks affecting supply chains and the integrity of core information infrastructure has demonstrated.
In fact, according to numerous reports, 2020 was a record-breaking year for cybercrime. The FBI’s Internet Crime Complaint Center reported a 69 percent increase in submissions to its hotline last year. The UK experienced a 31 percent increase in cybercrime from May to June 2020, a trend replicated globally.
While the rise in reporting is disturbing and requires immediate action, there are long-term developments that are worrying cybersecurity experts. Cyberattacks are becoming increasingly sophisticated, and the range of targets has expanded to include government agencies, the defense industry and critical-infrastructure providers. But the most destabilizing trend is the surge in cyber operations carried out by nation-states and groups sponsored by governments.
Since 2006, the Center for Strategic and International Studies has been recording significant cyber incidents—those affecting government, defense and high-tech companies, or occurrences resulting in a loss of over US$1 million. In the first four months of 2021 alone, 50 significant incidents were recorded. But this is just the tip of the iceberg. The majority of cyber incidents remain under the radar, as only the most significant attacks are reported in the media.
To understand whether businesses are aware of this growing threat and their susceptibility to cyberattacks for political–military intelligence or economic theft and coercion, the Cybersecurity Tech Accord partnered with the Economist Intelligence Unit in 2020 on a study titled Securing a shifting landscape: corporate perceptions of nation-state cyber-threats.
The Cybersecurity Tech Accord, a leading alliance of over 150 technology companies dedicated to increasing cybersecurity, recognizes the critical role of private industry as the first responders to significant cyber incidents, and as the front line for protective measures. The survey included responses from 500 director-level or above executives from businesses in Asia–Pacific, Europe and the United States.
The study, completed before the most recent high-profile attacks ignited media reporting on the issue, found that cyberwarfare has indeed become part of corporate consciousness. The survey revealed that private-sector leaders and security experts are concerned about falling victim to a state-sponsored cyberattack, irrespective of their industry and location.
Across all regions in the survey, 87 percent of executives said they were ‘concerned’ or ‘very concerned’ about their organization falling victim to state-led or sponsored cyberattacks.
They are rightly concerned. More and more states have significant resources at their disposal that greatly exceed most of the budgets that go into individual companies’ cybersecurity defenses.
Moreover, advanced tools and technologies developed by states frequently find their way into the hands of organized crime to be repurposed or are leveraged by other state actors and state-sponsored groups.
But it’s important to recognize that motivations driving state actors tend to differ from the monetary incentives that drive criminal actors. The survey respondents viewed the leak of confidential materials and loss of crucial information as a top potential consequence. Nation-state actors, however, may have a broader intent that could include degrading and destroying infrastructure—and that can change the risk-management calculations. These concerns were particularly high among Chinese executives, at 20 percent more than the global average.
The results highlight the need for a fundamental shift in cybersecurity planning to ensure these considerations become central to any IT deployment and a core part of broader risk-management functions. This holds true even though roughly 74 percent of respondents in the Asia–Pacific region also felt their organization was ‘very prepared’ or ‘completely prepared’ to deal with a nation-state attack. The figure for Indian executives was even higher than the average, at 90 percent.
Unfortunately, these results likely reflect a false sense of security. Even companies that believe they wouldn’t be a target for a state-led cyber operation can still face its impact in the form of collateral damage such as reduced public trust and confidence, disruptions in the supply chain, or increased costs of patching and insurance.
The impact can go beyond individual companies, because their investments in cybersecurity defenses form a key part of national cyber resilience. The survey confirmed this view and also recognized that more organizations now see government action, nationally and internationally, as crucial to increasing the long-term security of the online environment.
Sixty percent of executives said their country only offered a ‘medium’ or ‘low’ level of protection from state-led cyberattacks. These numbers were particularly low in China and Japan, where only 30 percent of respondents felt their country provided adequate protection.
Company executives also expressed an urge for stronger international economic and political cooperation. Many mentioned the need for an international treaty to rein in dangerous actions by states and cultivate a more secure and stable online environment. The one exception in the region was Japan; only 17 percent believed this would be a helpful path forward, and most saw stronger national cybercrime legislation as a preferable option.
These findings underscore the reality that only through multi-stakeholder collaboration can the international community preserve the internet as a global public good and enforce commitment to commonly agreed rules, norms and standards of behaviour.
Annalaura Galo is head of the secretariat for the Cybersecurity Tech Accord, an industry-led collective commitment of over 150 global companies to protect customers and users and help defend against malicious threats.