Almost every country out there ignores that its citizens are hacking, or they’re aiding that activity, or they’re engaging in it directly. And there are, for now, no risks or repercussions to the attackers.
That’s the “year in review” assessment of Kevin Mandia, founder of Mandiant and president of FireEye. Speaking at the company’s annual MirCon summit, he outlined the state of hacking in 2015, and noted that military-grade cyber-attacks have become the norm, necessitating a transition to better global cooperation by government, especially on the attribution front, and better defense strategies.
According to FireEye’s threat intelligence information, 90% of the breaches come from China or Russia; Iran is a growing presence, and North Korea appears occasionally. In all, there are 800 or 900 advanced threat groups out there (up from just 30-40 in 2011), with about 20 of them doing the majority of the hacking. But beyond these basic outlines, it’s difficult to pinpoint exactly who’s behind an attack.
Hackers rapidly evolve their infrastructure, and more and more groups are deploying nation-state-quality counter forensics. Often they use legitimate user names and passwords, or run attacks through anonymous infrastructure.
“Without attribution, there are no deterrents,” Mandia said, noting that the US has created by executive order a unit of 40 people to process threat intelligence and assess the threat actors. “And if we know who did it, we can figure out a proportional response.”
Attribution also sways public opinion when there’s a breach. Companies are either seen as being irresponsible and not doing enough to safeguard their information—which goes back to the standard of care issue—or they can be seen as victims. “Attribution to a cyber-military attack from a government will sway that,” Mandia said. “It wasn’t a 10-year-old in a basement. Instead, you’ve been targeted by some tremendous Seal Team 6-level resources. No media company is going to stand up to that.”
So, as the threat landscape evolves, so does the government’s role.
“You can’t secure the whole private sector—and there’s an ambiguous line of where critical infrastructure starts and stops,” Mandia said. “So information-sharing between the public and the private sectors and the establishment of ISACs allows the alignment of threat intelligence, primarily by industry. The next phase from there will be determining the deterrent strategy, and how much will we rely on deterrents in cyber-space versus defensive measures.”
Part of that process is the establishment of a due standard of care, he added. Right now, there is no firmly established standard of what’s expected from companies in terms of safeguarding their data and their customer information. Policy-makers are in the process of figuring out if dictating a standard to companies via regulation is the appropriate path; if legislation would be more appropriate; or if it’s best to let things play out in courts via litigation activity.
There’s also a fourth way: Let insurers step in.
“With any of these, you still end up with ambiguity in operationalizing your security program,” Mandia said. “The other way is to turn to the free market and have insurers do it. They can raise the watermark and develop benchmarks.”
Establishing international rules of engagement is another developing arena for government policy. But even with cyber-agreements in place, such as the one the US just inked with China, ambiguity persists.
“The China agreement says that intrusions will be limited to espionage activities,” Mandia said. “So universities are fair game. Whoever hacked OPM has been doing it a long time, they’re in China and they get paid for it. China may or may not be actively supporting it, but those records are useful for espionage and are fair game. Healthcare—they have information on all of us. That’s useful for espionage. So the targets remain the same. Then there will still be plenty of companies in the middle, which are victims of drive-by [cyber] shootings that build the infrastructure for carrying out the attack.”
So what’s the bottom line? “We still have anonymous attacks and few deterrents, and we need a good defense,” Mandia said. “It’s about infrastructure, data and identity. Companies need to start thinking about how someone could break in, and how they can detect that when it happens. And the good news is that heads of state for the first time are starting to discuss these issues.”