As if digital threats from the main U.S. cyberspace adversaries weren’t enough, U.S. officials and researchers are increasingly worried about hacking dangers posed by a slew of other nations including Vietnam, Qatar and the United Arab Emirates.
The fears are upending a half decade during which U.S. cybersecurity worries focused on four main adversaries — Russia, China, Iran and North Korea. And they’re signaling that cyberspace is about to get far more complicated and dangerous.
“The threshold for entry to have a cyber program has dropped so low because you don’t need to figure out how to build your own program. You can just buy it as a service and that worries me,” a senior FBI cybersecurity official told reporters during a roundtable discussion.
In some cases the nations are developing hacking capabilities in-house, such as in Vietnam, where government-backed hackers are reportedly stealing information from rival governments and companies in key sectors including the auto industry to gain a competitive advantage. In other cases, as with Qatar and the UAE, they’re contracting with private companies that sell hacking tools and services to law enforcement, and using them to spy on journalists and dissidents.
The most obvious problem is that more nations hacking leads to more hacking victims — including in the United States.
A lawsuit Facebook filed against the Israeli spyware company NSO Group in October described more than 1,400 victims spread across 20 countries that NSO helped government clients hack using a newfound bug in the WhatsApp messaging service. Some of those victims were inside the United States, according to a Reuters report.
The proliferation of hacking capabilities could also make it tougher for law enforcement to figure out who’s behind an attack — especially if multiple nations are buying tools from the same company or if one nation is trying to shield its culpability by posing as another.
“Being able to determine the nation-state actor using what traditionally might be a criminal tool on traditionally criminal infrastructure in an attempt to enter at a cheaper price or obfuscate their activity, that causes an additional dilemma for us,” the FBI official said.
The official stopped short of condemning companies that sell hacking tools to governments but issued a stark warning.
“I’m certainly concerned with groups that advertise their services to conduct illegal activity,” the official said. “If you’re attacking U.S. citizens on U.S. infrastructure and conducting intrusion activities, that’s a crime.”
There's also a far greater chance of inexperienced nations launching cyberattacks that are far more damaging than intended, or of a digital conflict between two nations escalating out of control.
And, because it’s tough to tell who’s who in cyberspace or to limit how far an attack spreads, that raises the chances of innocent victims being harmed.
Even Russia, which is among the most skilled nations at hacking adversaries, has had trouble containing its attacks. The 2017 NotPetya malware attack, which U.S. officials have attributed to Russia, appeared aimed at crippling computers in Ukraine but ended up spreading damage across dozens of nations.
“More and more nations have cyberoffensive capabilities, and because cyberattacks can be done without clear attribution there's a risk that we can have attacks and counterattacks in a very damaging and escalating situation where citizens … are the victims,” John Frank, vice president for European Union affairs at Microsoft, told me recently.
Microsoft is part of a coalition led by French President Emmanuel Macron that’s pushing governments and companies to adopt a slate of commitments aimed at making cyberspace less volatile. The commitments, dubbed the Paris Call, have been endorsed by three U.S. states and numerous cities but not, so far, by the federal government.
Yet it will get far harder to enforce those commitments if more and more nations are violating them, Frank warned.
“The number of nations with cyberoffensive capabilities, including cyber espionage, is growing dramatically,” he said. “And everything is connected to the Internet these days ... so the potential disruption, both to our economy and to our safety, is profound.”
The Hollywood Reporter sparked outrage among cybersecurity researchers when it marked the five-year anniversary of the Sony Pictures Entertainment breach — one of the most destructive cyberattacks at that time, which U.S. intelligence agencies and cybersecurity companies nearly unanimously attributed to North Korea — with a retrospective casting doubt on the Hermit Kingdom's role.
It didn’t help that the article primarily quoted former Sony executives and actor-director Seth Rogen, whose gross-out comedy The Interview allegedly sparked the attack, rather than government officials and cybersecurity experts.
The article also hit a raw nerve. North Korea’s hack-and-release operation against Sony bears similarities to Russia’s 2016 cyberattack against the Democratic National Committee and the Clinton campaign — which President Trump and Republican lawmakers have recently been casting doubt on.
Here’s John Hultquist, director of intelligence analysis at the cybersecurity firm FireEye:
Hey @THR when you publish conspiracy theories on these hacks you undermine our democracy - the reason irreverent movies are made and you can publish anything. Talk to an expert. Do better. — John Hultquist (@JohnHultquist) November 25, 2019
And Jon Bateman, a cybersecurity fellow at the Carnegie Endowment for International Peace:
New doubts about 2014 #Sony attribution are extremely weak. "That didn't seem like North Korea's M.O.," says noted cyber expert Seth Rogen.
But don't shoot the messenger: @THR has documented a real and troubling trust gap. When 179-pg indictment isn't enough, we have a problem. https://t.co/9clkFnrO2K — Jon Bateman (@JonKBateman) November 25, 2019
Some cybersecurity reporters also commented. Here’s the Wall Street Journal’s Dustin Volz:
The amount of bad and genuinely irresponsible cybersecurity journalism out there is increasingly contributing to the pernicious idea that there is no objective reality—that nothing in our hyperdigital world can be known for certain. This is as depressing as it is dangerous. — Dustin Volz (@dnvolz) November 25, 2019
And a lighter take from Forbes’s Thomas Brewster:
The truth is close to being out there. Bigfoot hacked Sony. pic.twitter.com/ccWjwPkj2n — Thomas Brewster (@iblametom) November 25, 2019
PINGED, PATCHED, PWNED
PINGED: The Chinese government pledged to “intensify” intellectual property protections on Sunday as Chinese IP theft has become a major stumbling block in trade talks with the United States, The Hill’s Maggie Miller reports.
The pledge came in a government directive that noted “strengthening [intellectual property rights] protection is…the biggest incentive to boost China's economic competitiveness.”
“Some of the key priorities in the directive are for China to curb IPR infringement and the costs associated with protecting intellectual property by 2022, and for Chinese ‘social satisfaction’ around IPR protections to ‘maintain a high level’ by 2025,” Maggie reports.
PATCHED: European police agencies have knocked offline numerous servers used by the Islamic State to recruit new members, spread propaganda and communicate internally, Reuters’s Stephanie van den Berg reports from The Hague.
The European police agency Europol and police in 11 nations knocked about 26,000 items offline last week including numerous communications channels.
“They have disappeared from an important part of the Internet,” Belgian prosecutors’ spokesman Eric Van Der Sypt said at a news conference.
The messaging app Telegram helped force Islamic State users off its service, officials told Stephanie, though Telegram didn’t respond to a request for comment.
PWNED: Personal information about hundreds of Facebook and Twitter users may have been improperly shared with third parties when those users used their accounts to log into certain Android apps, CNBC’s Kate Rooney and Salvador Rodriguez report.
A software service called One Audience improperly gave third-party developers access to the users' personal data, including email addresses and usernames, Kate and Sal report.
The bug could also have allowed hackers to take control of users’ accounts, but there’s no evidence that happened.
— Coming up:
The Senate Committee on Foreign Relations will examine the future of United States policy towards Russia at 9:45 a.m. on December 3.