A New Cold War – with Many Sides There’s a lot we still don’t know about the FBI’s investigation of the data theft at JP Morgan Chase & Co. Criminal hackers based in Russia were targeting U.S. financial institutions long before Russia annexed Crimea or the West responded with sanctions. Is this truly a state-level act? Is it more than a coincidence that the attacks on our financial institutions follow a series of relatively effective sanctions against Russian financial interests? Or is it just another money-making venture by a Russian hacker network?
At some level, the truth is that it doesn’t matter. We have been in a low-grade cyber war for several years. On the U.S. side, Edward Snowden has disclosed just how extensive the country’s offensive cyber war capabilities are. In some cases, he even revealed actual U.S. infiltration of critical systems.
To date, only the Stuxnet attack on Iranian nuclear sites can be confirmed as an offensive cyberattack. Other infiltrations and probing has not yet been confirmed as active cyber warfare. We can be sure, however, that the U.S. owns systems in foreign countries that can be used to launch local offensive cyber weapons.
In the case of the Russians, there is clear evidence that the government and criminal organizations blur. It would also be naive to think that the Russians have not also developed substantial offensive cyber capabilities.
When nation states get into the cyber-attack business, we have to look at things through an intelligence filter. The Russians certainly would use criminals to execute attacks on their behalf, but at this time we don’t know if they have.
The take away is that all operators of critical infrastructure should dust off their cyber risk management plans and take a fresh look at their assessments. Are your protections and abilities commensurate with an environment of potentially escalating nation state involvement in attacks? Or are you “just good enough” for the relatively unsophisticated threats of a few years before?
We are in a period of a new Cold War. All bankers, retailers, healthcare organizations, insurers and critical infrastructure operators should already be on notice. Our adversaries are advanced, dangerous, and coming after you. If we do not engage in cyber risk management at the level justified by known global capabilities, we are only fooling ourselves. When evaluating their own businesses, executives need to begin by assuming the worst. Get a truly independent assessment now and act.