Nearly every country on the planet now has a program to exploit digital vulnerabilities, a top National Security Agency cyber official said Wednesday, and while most are focused on espionage, more are beginning to experiment with more aggressive techniques.
Rob Joyce, director of cybersecurity at the NSA, said there’s a lot of focus on China, Iran, North Korea and Russia, but those countries, which he described as the “big four,” are not the only nations weaponizing technology.
“Almost every nation in the world now has a cyber exploitation program. The vast majority of those are used for espionage and intelligence purposes,” Joyce said at the Aspen Cyber Summit. “There is interest in dabbling in offensive cyber and outcomes.”
Even some smaller nations have proven to be advanced, Joyce said. It’s just that they’re usually more confined in how they pursue their national interests, by things like the amount of money they can spend, the number of people they can devote to cyber and how far they reach across the globe.
China, by contrast, is “off the charts,” he said: “The amount of Chinese cyber actors dwarfs the rest of the globe combined.” U.S. agencies warned this summer of China’s voracious appetite for intellectual property, and the U.S. government blamed China for exploiting Microsoft Exchange Server vulnerabilities that paved the way for a ransomware spree. In recent weeks there have been reports of Chinese hackers allegedly infiltrating Indian organizations.
Russia places an emphasis on being disruptive in a way the U.S. cannot tolerate, Joyce said. For instance, “We’ve seen evidence of pre-positioning against U.S. critical infrastructure,” he said.
The proliferation of nations mounting cyber programs stands to further complicate the work of those who try to suss out who’s behind specific attacks.
That landscape has changed considerably over the past 10 years, said Kevin Mandia, CEO of FireEye, as hackers get craftier about changing tactics to fool investigators. Mandia, speaking at the same conference, said his company keeps databases of information that help it identify who’s behind the thousands of attacks clients have asked it to respond to.
In 2010, “Everything we were responding to went nice and neatly into 40 different buckets,” Mandia said. “‘Oh it’s these guys from China, oh it’s the Russian FSB again’ or whatever it was. And now we’re up to like 2,900 buckets.”
“It may really only be 40, but everybody’s changing so fast that the evidence we see today from the same hacker group is different than three months ago,” Mandia said.
Joyce, who began in his current role in April, said his first goal is to make sure the agency distributes threat intelligence that can help protect U.S. targets like critical infrastructure. That includes things like Tuesday’s guidance about virtual private network security, which he said was not a warning about a specific threat but an effort meant to disrupt hackers as much as an offensive operation would.
One vehicle for that is the NSA’s Cybersecurity Collaboration Center for working with the private sector. He said that in joining forces with the defense industry and leaning on the NSA’s own intelligence collection, the agency “has had some really awesome activities over the course of the last nine months, where we’ve been behind some pretty big activities to disrupt at scale” by spreading information to other industry sectors.
He’s also “laser-focused” on protecting Department of Defense weapons and systems.
“These things are often wings with computers strapped to them, floating computers, flying computers, exploding computers, and we haven’t always treated them like things we need to protect like computer networks,” Joyce said.
And another focus is quantum-resistant cryptography, to protect against high-tech quantum computers that U.S. adversaries might use to penetrate classified networks.
“It’s a question of when that computer will arrive,” he said. “For those of us that have to secure classified information for decades, we’re already in that window that … the potential for one emerging could put information at risk that we want to protect.”