The FBI announced last week that the now-infamous hack on
This is notable as it differs from the typical attacker/target profile. Cyber attackers can usually be broken down into one of three categories: nation-state; hacktivist; and criminal organization or individual. Criminal organizations are pretty straightforward in their intent – they are looking for money. This may involve direct theft of funds, theft of intellectual property to sell, or theft of information to use for extortion. They most often target corporations and individuals, though governments are not immune. Hacktivists typically target those they are idealogically in disagreement with, which could be corporations, individuals, or governments. Nation-states most often target other governments with the goal of gaining a strategic advantage militarily, politically, or economically. Sometimes nation-states will target corporations with the goal of stealing intellectual property to pass to that country’s corporations to secure one of those three goals.
The attack on Sony, if done by North Korea, was an attack by a nation-state upon a corporation. The goal doesn’t appear to be the theft of intellectual property for financial gain, or for military advantage, but is more in line with a hacktivist type of goal of discrediting the corporation. This would be a new turn in cyberwarfare. Typically corporations would not have to worry about nation-states perpetrating these types of attacks, which is important because nation-states can muster resources (either internal cyber attack resources or significant funds to pay outside resources) greater than most hacktivist groups, and they are not necessarily driven by the need for a return on investment as most criminal organizations are. Thus we end up with Sony, a multi-billion dollar international corporation, losing hundreds of millions of dollars because a nation state wants to expend its resources to bring Sony down.
One common comment I have heard from corporations that have been attacked is “I want you to find who did this and take down their network!”. The primary problem with this type of response is that it is illegal. To counter attack an attacker, even if the attacker is a criminal organization is in another country, is currently an illegal act in the U.S. However, if corporations begin to lose billions of dollars and face existential threats from not only criminal organizations and hacktivists but nation-states, it is possible that corporations will
It’s very unlikely that corporations would develop such a capability internally as reporting requirements would make deniability more difficult. This could result in the development of an underground market for cyber attackers aimed at a customer base of “legitimate” corporations. Such a market exists now for criminal organizations and nation-states (it appears that North Korea might have outsourced the Sony attack in such a way) but a gray market would need to be developed that would allow corporations to employ services in such a way that the corporation would have both deniability and legal justification if discovered.
Why would corporations take a risk by employing a potential illegal strategy? Survival. If governments can’t protect corporations, particularly multi-national corporations in the wild west that is the current state of cyber warfare, corporations may turn to the cyber equivalent of the mafia in the 1920s to offer the services to secure their existence.
It remains to be seen if corporations start to exercise cyber attack capabilities, but one thing is certain is that as cyber attacks reach a wider range of targets more of those targets will seek to become the attackers rather than the victims.
