Global industry united in concern about nation-state cyberattacks
4 Aug 2021

Attacks on information and communications technology infrastructure are becoming more common, as the recent spike in ransomware attacks affecting supply chains and the integrity of core information infrastructure has demonstrated.

In fact, according to numerous reports, 2020 was a record-breaking year for cybercrime. The FBI’s Internet Crime Complaint Center reported a 69% increase in submissions to its hotline last year. The UK experienced a 31% increase in cybercrime from May to June 2020, a trend replicated globally.

While the rise in reporting is disturbing and requires immediate action, there are long-term developments that are worrying cybersecurity experts. Cyberattacks are becoming increasingly sophisticated, and the range of targets has expanded to include government agencies, the defence industry and critical-infrastructure providers. But the most destabilising trend is the surge in cyber operations carried out by nation-states and groups sponsored by governments.

Since 2006, the Center for Strategic and International Studies has been recording significant cyber incidents—those affecting government, defence and high-tech companies, or occurrences resulting in a loss of over US$1 million. In the first four months of 2021 alone, 50 significant incidents were recorded. But this is just the tip of the iceberg. The majority of cyber incidents remain under the radar, as only the most significant attacks are reported in the media.

To understand whether businesses are aware of this growing threat and their susceptibility to cyberattacks for political–military intelligence or economic theft and coercion, the Cybersecurity Tech Accord partnered with the Economist Intelligence Unit in 2020 on a study titled Securing a shifting landscape: corporate perceptions of nation-state cyber-threats.

The Cybersecurity Tech Accord, a leading alliance of over 150 technology companies dedicated to increasing cybersecurity, recognises the critical role of private industry as the first responders to significant cyber incidents, and as the front line for protective measures. The survey included responses from 500 director-level or above executives from businesses in Asia–Pacific, Europe and the United States.

The study, completed before the most recent high-profile attacks ignited media reporting on the issue, found that cyberwarfare has indeed become part of corporate consciousness. The survey revealed that private-sector leaders and security experts are concerned about falling victim to a state-sponsored cyberattack, irrespective of their industry and location.

Across all regions in the survey, 87% of executives said they were ‘concerned’ or ‘very concerned’ about their organisation falling victim to state-led or sponsored cyberattacks. Out of the four Asia–Pacific countries surveyed (Australia, India, China and Japan), executives from China viewed this problem with the least concern, although the number was above 70%. Similarly, 85% of executives from the region said they were ‘more concerned’ about the threat from state actors than they were five years ago, and that the coronavirus pandemic had heightened the risk further. This figure is 5 percentage points above the global average.

The respondents in the region also expected that in five years, state actors would pose the gravest cyber threat to their industry, immediately after organised crime groups. Today, most company boards still focus on the risk of individual hackers seeking financial gain or hacktivists. Australian and Japanese executives felt that in five years’ time state actors would be the biggest threat.

They are rightly concerned. Their perceptions mirror the priorities of Australia’s cybersecurity strategy and track with the Cybersecurity Tech Accord’s observation that states are increasingly seeing cyberspace as a domain of conflict.

This, coupled with the comparatively accessible price of cyberweapons, means that we’ll see the number of active state and state-sponsored groups grow over the coming years. More and more states have significant resources at their disposal that greatly exceed most of the budgets that go into individual companies’ cybersecurity defences.

Moreover, advanced tools and technologies developed by states frequently find their way into the hands of organised crime to be repurposed or are leveraged by other state actors and state-sponsored groups.

But it’s important to recognise that motivations driving state actors tend to differ from the monetary incentives that drive criminal actors. The survey respondents viewed the leak of confidential materials and loss of crucial information as a top potential consequence. Nation-state actors, however, may have a broader intent that could include degrading and destroying infrastructure—and that can change the risk-management calculations. These concerns were particularly high among Chinese executives, at 20% more than the global average.

The results highlight the need for a fundamental shift in cybersecurity planning to ensure these considerations become central to any IT deployment and a core part of broader risk-management functions. This holds true even though roughly 74% of respondents in the Asia–Pacific region also felt their organisation was ‘very prepared’ or ‘completely prepared’ to deal with a nation-state attack. The figure for Indian executives was even higher than the average, at 90%.

Unfortunately, these results likely reflect a false sense of security. Even organisations that believe they wouldn’t be a target for a state-led cyber operation can still face its impact in the form of collateral damage such as reduced public trust and confidence, disruptions in the supply chain, or increased costs of patching and insurance.

The impact can go beyond individual companies, because their investments in cybersecurity defences form a key part of national cyber resilience. The survey confirmed this view and also found that more organisations now see government action, nationally and internationally, as crucial to increasing the long-term security of the online environment.

Sixty per cent of executives said their country only offered a ‘medium’ or ‘low’ level of protection from state-led cyberattacks. These numbers were particularly low in China and Japan, where only 30% of respondents felt their country provided adequate protection.

Company executives also expressed an urge for stronger international economic and political cooperation. Many mentioned the need for an international treaty to rein in dangerous actions by states and cultivate a more secure and stable online environment. The one exception in the region was Japan; only 17% believed this would be a helpful path forward, and most saw stronger national cybercrime legislation as a preferable option.

These findings underscore the reality that only through multi-stakeholder collaboration can the international community preserve the internet as a global public good and enforce commitment to commonly agreed rules, norms and standards of behaviour.