Bad actors can exploit at will. Think Equifax, Yahoo, Sony or Target.
Prey to an active threat landscape, executives have to consider whether their company's security can withstand the onslaught.
Cyberattacks are more commonplace and the majority are financially motivated. But breaches are increasingly driven by espionage targeting sensitive information, which impacts some sectors more than others, according to a 2018 Verizon analysis of more than 2,200 data breaches and 53,000 security incidents.
Largely executed by outsiders, half of breaches stem from organized crime, while nation-state or state-affiliated actors were responsible for 12% of breaches, according to Verizon.
With more indications of nation-state cyber activity, fears of full-scale cyberwar arise. And businesses witnessing the sophistication of cyberattacks have cause for concern.
Though it appears the internet is becoming a battlefield, an active cyberwar is not underway.
"War has to be declared," said Kathie Miley, chief operating officer at Cybrary, in an interview with CIO Dive. "If nothing else, we're certainly in a heavy-duty war reconnaissance period where we have a lot of nation-states and a lot of [organized] crime looking for weaknesses in the infrastructure." When the time comes, those bad actors can exploit previously-identified flaws at will.
However, cyber is the next battle space domain. Countries establishing standalone cyberwarfare units legitimize the conversation around escalation.
The U.S., too, has changed its approach to cybersecurity. In May the federal government elevated the U.S. Cyber Command to a "combatant command," making the head of Cybercom a direct report to the secretary of defense.
"We've legitimized nation-states' actions, and the more you see it, the more you're going to get it."
Managing director and cyber lead for Accenture Federal Services
Now the U.S. Cyber Command serves as one of 10 areas of responsibility for U.S. commanders, a domain akin to the U.S. Africa or European Command. Its role is to "direct, synchronize and coordinate cyberspace planning and operations" as part of the defense and promotions of U.S. cyber interest.
One of the biggest concerns, however, is how little recourse for — or an inability to attribute — nation-state attacks. With few options, businesses are caught in a near cyberwar, left as casualties when cyberattackers are pitted against one another.
"We've legitimized nation-states' actions, and the more you see it, the more you're going to get it," said Gus Hunt, managing director and cyber lead for Accenture Federal Services and former CTO for the CIA, in an interview with CIO Dive. "It becomes the norm," which puts more pressure on organizations' cyberdefense.
The race to attribute
Seemingly random cyberattacks can follow patterns.
"Any time that there's a rise in international conflict, like we're seeing with recent military actions, there's always going to be a mirrored rise in malicious activity on the internet," said Alexander Heid, chief research and development officer at SecurityScorecard, in an interview with CIO Dive.
The international geopolitical landscape can have a direct impact on cyberspace. Take, for example, the dissolution of the Iran nuclear deal earlier this month.
Following the U.S. withdrawal, cybersecurity firm CrowdStrike observed an offensive cyberoperation associated with Iran targeting U.S. allies' foreign affairs offices and telecommunications companies, according to Adam Meyers, VP of intelligence at CrowdStrike, in an email statement provided to CIO Dive.
If U.S. sanctions against Iran are reinstated, retaliatory cyberattacks conducted by Iran may occur, according to Meyers.
"Any time that there's a rise in international conflict ... there's always going to be a mirrored rise in malicious activity on the internet."
Chief research and development officer at SecurityScorecard
Even with ongoing international conflicts, ascribing attribution and motive is a challenge. Following fallout from cyberattacks, some businesses are quick to accuse nation-state actors, such as known U.S. adversaries like Russia and North Korea. However attribution is not just about the blame game.
"If you understand the actual source and origin of the attack, it allows us to bring additional levers of government and law enforcement things to bear," Hunt said. "If you don't know the actual source of who did it and where from and those things like that, then who do you go after?"
But to really attribute an attack, malicious actors have to be caught in the act.
Hacking "is a type of intelligence tradecraft and the obfuscation of your origins and who you are is part of that," Heid said. "So a lot of the coverage saying, 'oh this malware is definitely state sponsored Russian actors.' Well that malware is public, anyone can use it. It happened to have been written by a Russian group a long time ago and there's no way to tell what country did it."
Lowering the bar to attack
The most startling change to the cyberthreat landscape is the ease of execution for attacks. "The bar's been lowered," said Heid. With a simple click of a button, businesses could become the next victim.
Malicious actors are taking advantage of advanced hacking tool kits, such as those made available in 2016 following Shadow Broker's release of the National Security Agency's hacking tools. Human error coupled with a constant stream of emerging exploits and the introduction of more hardware and IoT devices helps weave a vast, insecure internet landscape.
Universities and government organizations are usually the least secure "simply because they're the first people who used the internet," said Heid. Those sectors have the oldest systems with lurking vulnerabilities that existed long ago and persist because of the size and nature of the industry.
1 in 5 cyberattacks against the education sector are motivated by espionage, propelled by the sometimes sensitive nature of institutional research, according to the Verizon report. The public sector too marks espionage as a major concern and the motive behind 44% of breaches.
While the government's security posture has improved, vulnerabilities remain.
Script kiddies and credential stuffers aside, the increase in nation-state activity and the threat of cyberespionage has begun to plague organizations across sectors. Businesses face the threat of lost intellectual property and damaging breaches, which could cripple reputations and halt production while system errors are remedied.
With data breaches exposing emails and passwords, experts expect an increase in credential stuffing, where stolen account credentials are used to access different sites.
While malicious actors sometimes use it to gain free access to Netflix accounts, there is a threat of compromised corporate credential use for more nefarious access to business systems carried out by nation-state actors and organized cybercriminal groups.
Protect the crown jewels
The age old advice for businesses concerned about cyberattacks and breaches is to add protection and practice the basics: stay up-to-date on system patches.
The advice only goes so far for businesses protecting critical infrastructure, which is particularly prone to cyberattacks and would negatively impact quality of life if not maintained.
Crisis would emerge if companies were rendered unable to deliver core services such as healthcare, telecommunications or electricity, said Miley. Businesses "should be mortally afraid of nation-state attackers, especially if they're critical infrastructure."
Lacking regulations, such as those found in the heatlhcare industry, businesses don't have mandates about how to protect an organization, said Miley. The absence of regulation works to the detriment of the cybersecurity sector as a whole.
"We really do need to come together much more effectively to deal with the threats because of the increasing velocity and the growing nature of obvious nation-state attacks," said Hunt.