
How Nation-State Attacks are Shaping Cybersecurity

You might be able to defend yourself against hacktivists, and even against organized criminal groups. But good luck trying your luck against a nation-state.

Governments have more cyber resources at their disposal than an army of ransomware crooks, and that includes western ones. For proof, just look at the NSA's $1.5bn data centre in Utah, reportedly built to store and process exabytes of classified data. So if one of them wants to come after you, no matter which flag it is waving, you had better have a pretty good defence.

The U.S. government (itself no stranger to offensive operations in cyberspace) has been sounding the alarm about nation-state digital aggression for years. In January 2024, FBI Director Christopher Wray told Congress that China's hackers outnumber the FBI's cyber personnel by at least 50 to 1. Statistics like that, he warned, call for more investment in protecting national infrastructure.

In the past, intrusions by foreign governments have often had economic motives. As geopolitical tensions rise, however, those motives are broadening. Shortly after Wray's testimony, the Cybersecurity and Infrastructure Security Agency (CISA) warned that actors sponsored by the Chinese government were pre-positioning themselves in western IT networks. The aim is to be able to disrupt or destroy critical infrastructure in the U.S. should the two countries ever come into conflict. With war over Taiwan looking increasingly likely in the next few years, this is a clear and present danger.

These are long-term initiatives, and they are not new. Stories of foreign actors lurking in national electricity grids have been doing the rounds for years. CISA's February 2024 advisory on Volt Typhoon warned that the group had been inside some target networks, undetected, for at least five years.

Salt Typhoon, another Chinese campaign that focuses on telecommunication companies, is “the worst telecom hack in our nation’s history by far”, according to Mark Warner, chair of the Senate Intelligence Committee. The attack hit up to nine U.S. telcos, including AT&T, Verizon, and T-Mobile, along with others across dozens of countries.

China isn't the only nation-state actor with a belligerent attitude in cyberspace. North Korea is infamous for its attacks on cryptocurrency infrastructure. After all, it has to fund its warships (sinking ones included) from somewhere.

Russia has also been active, through groups including APT44 (also known as Sandworm), which was responsible for attacks on Ukraine's power grid dating back to 2015, for 2017's NotPetya, and for more recent attacks on U.S. infrastructure, including a Texas water facility.

A Case For Threat-Informed Defense

Nation-state threats strengthen the case for preventive cybersecurity, which focuses on getting ahead of attackers. It calls for a move beyond purely reactive measures such as software patching towards solid threat intelligence and threat hunting based on adversaries' tactics, techniques, and procedures (TTPs).

Rather than relying on checkbox compliance, governments and the private sector alike should prioritize their critical assets according to nation-state targeting patterns.
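As an added example of what "threat hunting based on TTPs" looks like in practice (this is not code from the original article), the script below runs a handful of hunting rules over process-creation events. The log lines are constructed for this example, and the rules are illustrative patterns for living-off-the-land behaviour of the kind public advisories describe (port proxying via netsh, domain database dumps via ntdsutil, remote execution via wmic); they are assumptions to be tuned to your own telemetry, not a complete detection set. The dwell-time summary at the end exists because the point of a hunt is to find activity that has already been there for a long time, not just today's alert.

```python
"""
Added example: a minimal TTP-driven hunt over process-creation events.
The SAMPLE_LOG lines and the RULES are constructed/illustrative
(assumptions for this example), not data or detections from the article.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample telemetry: ts|host|user|parent_process|command_line
SAMPLE_LOG = r"""
2024-01-12T03:14:07Z|dc01|CORP\svc_backup|services.exe|C:\Windows\System32\svchost.exe -k netsvcs
2024-01-12T03:15:22Z|dc01|CORP\svc_backup|cmd.exe|ntdsutil.exe "ac i ntds" ifm "create full C:\Windows\Temp\pro" q q
2024-01-19T22:41:09Z|web02|NT AUTHORITY\SYSTEM|cmd.exe|netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 connectport=8443 connectaddress=10.0.5.12
2024-02-03T01:02:55Z|web02|CORP\jdoe|explorer.exe|netsh advfirewall show allprofiles
2024-03-28T04:10:31Z|dc01|CORP\svc_backup|cmd.exe|wmic /node:fs01 process call create "cmd.exe /c whoami > C:\Windows\Temp\o.txt"
2024-03-28T04:12:00Z|fs01|CORP\admin|explorer.exe|notepad.exe C:\Users\admin\notes.txt
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    parent: str
    cmd: str


@dataclass(frozen=True)
class Finding:
    rule: str
    event: Event


# Illustrative hunting rules keyed to adversary technique, not to a file hash.
# Each is (rule name, pattern applied to the command line).
RULES = [
    # Built-in port forwarding used to tunnel traffic through a compromised host.
    ("netsh_portproxy_add",
     re.compile(r"\bnetsh\b.*\binterface\b.*\bportproxy\b.*\badd\b", re.I)),
    # Offline copy of the domain database (NTDS.dit) via the IFM feature.
    ("ntdsutil_ifm_dump",
     re.compile(r"\bntdsutil(\.exe)?\b.*\b(ifm|ntds)\b", re.I)),
    # Remote process creation on another host via WMI.
    ("wmic_remote_process_create",
     re.compile(r"\bwmic(\.exe)?\b.*/node:.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I)),
]


def parse_events(text: str) -> list[Event]:
    """Parse pipe-delimited events; maxsplit keeps '|' inside command lines intact."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, cmd = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            host, user, parent, cmd))
    return events


def hunt(events: list[Event]) -> list[Finding]:
    """Apply every rule to every event; one Finding per (rule, event) match."""
    return [Finding(name, ev) for ev in events for name, pat in RULES if pat.search(ev.cmd)]


def dwell_by_host(findings: list[Finding]) -> dict:
    """Earliest and latest suspicious activity per host, and the span in days."""
    spans = {}
    for f in findings:
        first, last, rules = spans.get(f.event.host, (f.event.ts, f.event.ts, set()))
        spans[f.event.host] = (min(first, f.event.ts), max(last, f.event.ts), rules | {f.rule})
    return {h: {"first": a, "last": b, "days": (b - a).days, "rules": sorted(r)}
            for h, (a, b, r) in spans.items()}


if __name__ == "__main__":
    found = hunt(parse_events(SAMPLE_LOG))
    for f in found:
        print(f"{f.event.ts:%Y-%m-%d} {f.event.host:6} {f.rule:28} {f.event.cmd[:60]}")
    for host, s in dwell_by_host(found).items():
        print(f"{host}: {len(s['rules'])} technique(s) over {s['days']} day(s)")
```

Run as-is to see three hits across two hosts; the domain controller shows two distinct techniques spanning 76 days, which is the kind of long-running foothold a hunt is meant to surface and a single alert would not. In a real deployment the events would come from an EDR or Sysmon pipeline and the rule set would be far larger, but the shape (technique-keyed rules plus per-host timeline) stays the same.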

To do that, you have to know what your enemy is doing. Josh Steinman, CEO of the cybersecurity firm Galvanick, served as senior director for cyber policy and deputy assistant to the President during the first Trump administration. He has his eyes firmly fixed on China.

“I think the Chinese Communist Party and their military intelligence apparatus are already in a footing that we would describe as a wartime footing,” he said at a House Committee on Oversight and Government Reform hearing on Salt Typhoon in April 2025. “They believe that’s the posture that they should have 24/7, and they use language to try and communicate to us that they are not in that footing.”

Steinman also talked about offensive security, something the first Trump administration encouraged by removing restrictions on military operations in cyberspace.

“By taking a more aggressive posture to go back at those attackers, we throw sand in their gears. We force them to spend time and effort to defend against our counterattacks,” he said. “Those could be managed at the national level, or they could be the prickly landing point inside the company that those cyber actors are going after.”

A Thousand Tiny Houses

Other experts at the hearing suggested defensive measures that public and private sector organizations alike could take. These included investing in next-generation infrastructure rather than just patching existing vulnerabilities.

Dr. Edward Amoroso, CEO of TAG InfoSphere and a professor at NYU, was formerly senior vice president and CISO at AT&T. “Looking for the gaps and fixing them is not the way we get out of this. I think we need to design brand new infrastructure and start finding a way to eventually transition,” he told lawmakers. “In our world, we would call that next-generation infrastructure, and I think that’s something we have to do. It may sound like a big lift, but I don’t see any other way.”

Amoroso described ‘breaking a house into a thousand pieces’, so that it cannot be taken all at once. Although he didn’t name it, this maps closely to zero-trust architectural principles, which move away from a single hardened perimeter towards securing, segmenting, and authenticating access to each asset individually.

Zero trust has been officially endorsed by CISA in its Zero Trust Maturity Model. CISA's hardening guidance for communications infrastructure, issued in response to Salt Typhoon's compromise of telecommunications networks, likewise advises strengthening those networks through robust network segmentation.

NIST also provides the foundational zero-trust framework: SP 800-207 defines a zero-trust architecture around seven core tenets, and its National Cybersecurity Center of Excellence has since published implementation guidance (SP 1800-35). That work supports Executive Order 14028, issued during the Biden era, which directed federal agencies to move to zero-trust architectures.

Collaboration Is Key

What else can CISOs do? Implementing robust end-to-end encryption is a must, said Professor Matt Blaze of Georgetown Law, who pointed out that it makes attacks on the network infrastructure itself pointless, leaving just the endpoints to defend. There is always the spectre of quantum computing to consider, though: nation-states will be pursuing it in the hope of breaking the public-key algorithms that protect each other's traffic and keys. NIST has already standardized post-quantum algorithms (FIPS 203, 204, and 205, published in August 2024), so the migration can start now rather than waiting for the threat to materialize. Other defensive measures include using AI-assisted analytics to detect anomalous activity faster than manual review allows.

Experts have also emphasized the importance of cooperation in this context. Public-private cooperation is essential, allowing companies and governments to exchange information as part of an intelligence-driven security posture.

But the other kind of cooperation is the one that happens between friendly nations, and it matters most when defending against a common enemy. It is looking increasingly shaky under a highly insular U.S. administration. That weakening of U.S. ties with countries that were previously firm friends might just give the term ‘zero trust’ a new, darker meaning.