In 2020, Russia’s Foreign Intelligence Service showed that it could bypass the security controls of even the most well-defended companies and government networks when it used SolarWinds’ security module to invade the software supply chains of tens of thousands of potential targets worldwide.
This fits the pattern of the less-controlled and more aggressive NotPetya incident in 2017, where Russian intelligence officers were willing to tolerate collateral damage on the order of billions of dollars to companies around the world as a side effect of a ransomware-style operation targeting Ukraine’s software supply chain via corrupted tax-filing software.
Chinese cyber actors, too, have demonstrated a tolerance for collateral damage with the early 2021 Hafnium campaign, which quickly adapted four Microsoft Exchange zero-days to collect information from tens of thousands of priority servers – compromising over 30,000 in the United States alone and hundreds of thousands worldwide in the process. Beijing’s buildup of world-class cyber capability, including a string of recent zero-days affecting wealthier and better-protected organizations, came after years of cyber operations targeting Uighurs and religious dissidents worldwide and the people and governments among its less-protected Asian neighbors.
Iran has shown it can target critical U.S. systems, from recent operations against energy and transportation infrastructure to election infrastructure in 2020 and even the control system for a U.S. dam in 2013. Tehran’s APT42 cyberespionage group pivoted over time from targeting high-value critics perceived as threats to the regime to stealing foreign government secrets and even targeting pharmaceutical companies during the COVID-19 pandemic.
Less well known in the U.S. outside the cybersecurity community are Tehran’s repeated, successful operations targeting Israeli transportation, energy and water systems as part of regional back-and-forth operations mostly affecting civilians – operations which harken back to the older 2012 Shamoon operations that briefly shut down some Saudi oil production. It is conceivable that these could be adapted for use against U.S. and allied systems in the future, or turned into tactical support against further Israeli targets should the current regional conflict expand or intensify.
The cyber-poverty line
What do all of these instances have in common? In each of these cases, a foreign military or intelligence agency was able to concentrate its country’s technical, economic, intellectual and security power at large scale against a small number of outmatched defenders at each victim organization. These organizations and even countries fall below the cyber-poverty line: whatever resources they may have devoted to cybersecurity, those resources fall short of the optimal level for protecting the valuable information they store and the services they provide from the top-tier actors they face.
All of society suffers when there aren’t sufficient defensive resources brought to bear to prevent the theft of information or the disruption of infrastructure – but those organizations alone bear the burden of providing for that defense, and they lack the resources to do so. Concentration of forces has always been key to military and intelligence success. But with digital technologies, that mismatch need not happen only once; it can recur at scale thousands of times, potentially affecting us all.
The good news is that this phenomenon also works for defenders: technologies, programs, and cooperative efforts designed to help our neighbor also end up improving our own safety.
Free and democratic countries are all empowered when like-minded countries are also kept free and secure. Google’s Project Shield was originally designed to help defend news, human rights, and election-monitoring organizations from powerful nation-state denial-of-service attacks. By March of 2022, we had begun offering that same service for free to the people of Ukraine and their government. Other companies that have offered assistance to Kyiv have similar programs that have helped keep the people of Ukraine, and us all, safe. Silicon Valley and Washington have each stepped up sharing cyber-threat intelligence with network defenders in Ukraine, helping staunch some of the worst of Moscow’s cyber attacks designed to attack Ukrainian civilians and deny them access to critical services.
Secure by design
The industry-wide push for software that is secure-by-design with privacy settings that are secure-by-default is an improvement both for companies’ paying customers and for the broader ecosystem that might otherwise be threatened by data breaches or software supply chain operations. As senior US Government cyber leaders Jen Easterly and Eric Goldstein pointed out in Foreign Affairs in February, the burden of flawed software falls disproportionately on the smallest and least-resourced organizations, who are least able to purchase sophisticated add-on security or conduct their own incident response missions.
Basic security should be a public good, not a luxury good. Google’s approach means that all users benefit because their upstream software supply chain is more secure without them having to take extra action or pay more. Conversely, these improvements can be a budget-buster for many cybercriminal gangs who rely on an easy route into their targets for their criminal businesses to thrive at scale.
More still needs to be done – especially in providing more targeted protection for those living in emerging economies. Security companies and the industry press focus on APT groups that threaten their Western customer base or speak their language. This naturally leaves sometimes large campaigns targeting Latin America, sub-Saharan Africa, and parts of Southeast Asia out of sight and undercovered unless there is some immediate nexus to broader, Western-targeted cyber campaigns.
This is unfair to the people living in those regions, and unwise given that these are often important origins and targets for advanced cybercriminal techniques and nation-state espionage efforts. Had there been a more objective focus by experts on these regions, early campaigns targeting mobile phones or engaging in disinformation could have been stopped and learned from years before Western journalists and elections were targeted with the same techniques.
Governments could also take more risk and lean forward to share their threat intelligence about what the most sophisticated hackers are doing to target critical infrastructure industries, since these systems often use hardware with common vulnerabilities and, in any event, are sometimes interconnected across national borders.
All organizations have to make tough choices about how to allocate their security budgets – even the largest companies and richest countries have limits on what they can do and have to prioritize. Recent history teaches us that dedicating one’s own resources to reaching out to help overlooked targets of cyberattack – especially those below the cyber-poverty line who are targets for nation-state attacks but cannot reasonably provide for their own security – can be an important component of rational security decision-making.
Christopher Porter is Head of International Security Cooperation at Google Cloud.