I had a rare experience whilst in the pub with some friends over Christmas. When exchanging the usual pleasantries with someone in our group who I was meeting for the first time, I said that I worked in IT security. Rather than the standard “smile and nod” reaction, they immediately shot back:
“So did they do it?! The North Koreans!”
Say what you will about the North Korea’s alleged antics, the idea of nation states on the cyber offensive is certainly one which captures the popular imagination.
Last week the Danish Defence Intelligence Service announced that it was to invest in $75 million on an “offensive” cyber division, so that by 2017 it would be in a position to not only better defend itself from hackers, but to also attack hostile targets. This is in response to a number of sophisticated “state-sponsored” attacks on Danish companies over the last few years – blamed on the Chinese, naturally.
State-sponsored cyberattacks are nothing new, with USA fears of Chinese cyber-espionage dating all the way back to 1999. The infamous Stuxnet attack (2010) brought this this phenomenon to the IT security industry’s attention with some aplomb, followed 2 years later by the Flame revelations.
What is still pretty novel is countries actually admitting to this! In September 2013 the UK became the first state to publicly declare that they were developing an offensive cyber-security capability and now Denmark is following suit. Does this development point to a future cyber arms race to be played out in public? Or does a statement such as this from Denmark only highlight how much they are playing catch-up to nation states such as USA, Russia and China who are widely believed to have been at this for years!
The impact of a “me too” response by nation states going on the cyber-offensive needs to be considered. Nation states are clearly best placed to fund sophisticated attacks and the development of zero-day threats- typically for a specific target and for a distinct objective. However, as soon as these new threats are publicly disclosed the speed at which these become commoditized and found in common cybercrime toolkits can be head-spinning.
Public bravado on offensive cyber security capabilities is likely rise dramatically as this trend gathers momentum. Here’s hoping that common sense prevails and the lion’s share of public-sector investment and energy is directed at defensive capabilities and cooperating with the private sector on improving cyber resilience across the nation.