Experts: Countries make dangerous cyber adversaries

They often have more resources and can attack more effectively, one expert says.

When other countries launch cyberattacks, the United States should expect to see more robust ways to crack systems and more dangerous methods to manipulate them, two cybersecurity experts said yesterday.

Countries have many resources and can attack at least as effectively as independent cybercriminals can, said Matthew Devost, president and chief executive officer of the Terrorism Research Center.

China, North Korea and Russia already use cyberattacks to advance their interests, Devost said, speaking on a panel at the Black Hat Federal conference in Arlington, Va.

Cyberattacks from countries can be difficult to investigate because analysts may not be able to tell if a given country is launching the attack or if other organizations are attacking through the country’s resources, he said.

Not much unclassified information is available about how countries attack one another electronically, Devost said.

Cyberattacks often augment physical attacks rather than replace them, Devost said. Countries can use them to make an “attempted one-two whammy of cyber- and physical” attacks or to spearhead economic attacks, he said.

Countries can also use cyberattacks to attack supporting infrastructure, such as medical resources, telecommunications and utilities, he said. They can also attack complementary private-sector infrastructures, such as financial systems.

Countries and terrorist organizations can have a different perception of time than other cyberattackers do, Devost said. They can wait years, performing reconnaissance and placing agents inside target organizations to find vulnerabilities, he said.

After an attack, countries are more likely to have technology more sophisticated than what is available to the public for maintaining control of the attacked systems, Devost said. The technologies can subvert firewalls, trusted computing technologies and even the BIOS software.

Low-hanging fruit for cyberattacks includes the large number of older systems and those that run supervisory control and data acquisition (SCADA), Devost said.

Preparation is important to stopping attacks from other countries, said Tom Parker, security research group manager at MCI. Organizations must anticipate their adversaries’ actions and look at all data, attack profiles and threat types, he said.

Holistic risk management is essential to effective defense, Parker said. Many public/private relationships fail to characterize threats and attackers’ capabilities as granularly as possible, which is as important as preparing holistic risk management, he said. The granularity makes effective risk management possible, he said.

“The inability to characterize is a vulnerability, and the ability to characterize is a deterrent,” because if you can characterize a threat, you can attribute it to an attacker, Devost said.

Organizations need automated early anomaly detection and the ability to fuse intelligence with real-world events, Parker said. They need to plan for incidents in advance and have disaster-recovery plans ready to go.