adimas - Fotolia
Enterprise cybersecurity professionals tend not to think about nation-state cyberattacks unless they work in government or the defense industry.
Nation-state cybersecurity attacks, or cyberwarfare, refer to events sponsored by governments or quasi-governmental organizations. But, even so, enterprise cybersecurity professionals need to worry about them for several reasons.
First, enterprises are targets of nation-state cyberattacks more often than they realize. Companies ranging from financial services and logistics firms to hospitality and entertainment companies, along with major universities, have been targets. American enterprises have downplayed the risks because, until now, the majority of nongovernmental targets have been outside the U.S. However, nation-states have actively and officially targeted the U.S. Since the goal of these attacks is to exert power and sow chaos, attacks on nongovernmental businesses and not-for-profits are likely to increase.
Moreover, certain technologies -- including IoT, which 67% of organizations have deployed today, according to Nemertes Research -- make an enterprise particularly vulnerable. The not-for-profit defense research organization Mitre Corporation recently launched an initiative to track industrial control system attacks, and the list of known attacks and attackers is sobering.
Finally, nation-state attackers are beginning to explore attack vectors that apply to enterprises. The FBI recently alerted cybersecurity professionals about two compromises to U.S. municipalities that exploited SharePoint vulnerabilities, specifically CVE-2019-0604, which permits hackers to take over SharePoint servers.
Nation-state attacks offer view of the future
Understanding enterprises can be victims of nation-state cyberattacks leads to another point about why enterprises should be concerned about them: These attacks are often the most sophisticated. Relatively speaking, attackers have vast amounts of resources. Even if the ultimate attack targets are government entities, attackers often hone their skills on other organizations, including enterprises.
Following the activities of nation-state attackers by reviewing Mitre's information, for example, often provides an excellent look into the future. What nation-states are doing to governments now, run-of-the-mill attackers will be doing tomorrow to everyone.
These attacks typically fall into a handful of categories. First are denial-of-service attacks. In 2012, a nation-state attack took several U.S. banks offline for several hours. As noted above, nation-state infections of physical systems -- including security cameras, manufacturing systems and other IoT networks -- are on the rise.
Infections can be passive, involving just data exfiltration, or they can be active and take actions that affect the physical world. For example, the Stuxnet virus, which has been attributed to the U.S. and Israel, although neither country has admitted to it, reportedly ruined more than 20% of Iran's nuclear centrifuges in 2010. And, in 2012, the U.S. Department of Homeland Security disclosed a breach in which cybercriminals managed to penetrate the thermostats of a state government facility and a manufacturing plant in New Jersey. In December 2014, hackers massively damaged a steel mill in Germany by manipulating and disrupting control systems to such a degree a blast furnace could not be properly shut down.
Updating enterprise nation-state cyberattack policies
The bottom line is that cybersecurity professionals need to have nation-state attacks on their radar. The following tips can help with that:
- Monitor Mitre, and plan to report at least quarterly to your board of directors on relevant nation-state cyberattacks, particularly those affecting your industry -- even if they are in other countries.
- Plan to update and revise your organization's incident response policy to accommodate nation-state attacks. At the very least, have an internal contact to connect with if you suspect an attacker's origin is a nation-state.
- Have a plan in place to connect with the appropriate law enforcement professionals.
- Plan to review your cybersecurity insurance As a rule of thumb, cybersecurity insurance doesn't cover cyberterrorism. That may or may not be accurate, depending on the policy. Either way, you'll want to know.
- Finally, plan to engage your customers and third-party partners in dialogue about nation-state attacks. If the issue isn't on their radar, you can put it there. If it is, you can plan to share best practices.