While the U.S. military and private sector scramble to establish a comprehensive strategy for operating in cyberspace, U.S. adversaries are already mobilizing organized online campaigns to disrupt the economies and governments of other nations.
Rear Adm. Timothy White, commander of U.S. Cyber Command’s Cyber National Mission Force, said U.S. adversaries including China, Russia, Iran and North Korea “are doing more things and they’re doing them in more places.”
Nation states, rather than simply malicious hackers bent on economic gain, have begun organized, strategic cyber offensives, White said March 30 at the Billington International Cybersecurity Summit in Washington, D.C.
“They appear to be taking on the character of something that looks like a real campaign, the way that you would think about and design and plan a campaign at a senior service war college,” White said. “There is a very essence of national mobilization about that – integrated, coordinated, synchronized, purposeful, long-term.”
Neal Ziring, technical director at the National Security Agency’s capabilities directorate, said to expect more sophisticated and data-focused attacks.
“We’ve seen that for years, but I’m talking more about attacks that are explicitly implantation of malware or overt acts like that, but more subtle attacks that work against data we expose or data that is available to adversaries,” he said.
Other trends are the challenges presented by increased automation and speed of threat actors. Most attacks are economically motivated “and like any business, the more efficient they can make it the more money they are going to make,” Ziring said.
“But that affects our defenses because adversaries are shortening their action cycle, which is going to force us to do likewise,” he said.
As defenses get better and technologies become more effective at detecting and repulsing cyberattacks, Ziring said to expect attacks to become distributed and encompass multiple small steps instead of large-scale, devastating breaches.
James Trainor, senior vice president of cyber solutions at the global risk management firm Aon and the former assistant director of the FBI’s cyber division, said to expect more attacks on “data aggregation points” instead of single businesses or agencies. He suggested that law firms with weak security on their networks could be targeted for the potentially damaging data they have on multiple high-power clients or businesses.
Another example is the recent attack on Amazon Web Services, where the target was not Amazon’s [AMZN] business but the computer stacks it hosts, and which took down a significant portion of the Internet.
“I think they will be focused on places that have a greater impact because bad actors, from a criminal perspective, can monetize those things in a great way, and state actors can have a greater impact as well,” he said.
Thomas Donahue, research director at the Cyber Threat Intelligence Integration Center (CTIIC), said cyber security becomes an increasingly difficult task as more of the economy becomes automated and as more devices – from microwaves to televisions and toys – become connected to the Internet. Donahue said cyber security subscribes to Moore’s Law of exponential technological advancement, in that it “becomes twice as bad each year.”
“We often talk about the sophistication of our adversaries but we need to remind ourselves that they often start out as something very simple,” Donahue said. “What really distinguishes more sophisticated adversaries is persistence. It’s the really sophisticated ones that are really hard to get out. In fact, sometimes we can never get them out.”
There are currently six billion devices connected to the Internet. Estimates put that number at 20 billion within three years, each of which is a potential “attack vector,” he said.
This presents a “lot of opportunities to steal data,” Donahue said. “We are dealing with a fundamental problem that makes this possible, which is we are expanding connectivity and concentrating assets without understanding or mitigating the business risk.”
“If you think in terms of the scale of the events we have seen in the last few years, when you think of the scale of disruptions we are now seeing in terms of entire government entities being knocked offline and then when you think in terms of the criticality of systems that are being knocked offline … what we see is that the destruction of one entity is leading to the destruction of many entities,” Donahue said.
CTIIC is part of the Office of the Director of National Intelligence.