Countering Nation State Cyber Attacks in the Private Sector

From the founding of our country until recently, American companies could rely on the US government to defend them from nation state attacks. No company was expected to go it alone or to buy an air defense system for protection. The few companies targeted for their role in national security received training, information, and protection from the US government they served.
The advent of cyber threats has disrupted that arrangement. Companies far removed from national security are now targets – and victims – of cyberattacks, often perpetrated by nation states or their proxies.
The FBI concluded that North Korea directed its military cyber capability against Sony Pictures in 2014, in retaliation for a movie Sony released that cast North Korea in a negative light. The attack inflicted about $35 million in damages. There was no loss of life, but there was damage to careers when corporate secrets were released.
Had North Korea bombed a Sony building, inflicting similar financial losses, would the US government have been as sanguine in its response? Would the US military have allowed foreign weapons into US territory?
Governments and companies sometimes have symbiotic relationships for security. Until recently it was easy to determine which companies had a national security nexus. If a company made a missile guidance system, it was easy to bring it under the umbrella of government security. But what about companies that make products or generate data outside the realm of traditional national security issues, but could be used against the nation’s security?
Many companies are targets of nation states, often without realizing it. Some companies may value and protect their IP only in terms of fair market value. However, some nation states might value that IP at far higher levels due to how they plan to employ it. A company defending its information from competitors might not consider the extremes to which a nation state might go to obtain that information.
Many companies have created technologies that aren’t designed for national security but have national security implications. Most companies understand the importance of protecting customer data, but weak security and feckless penalties for losing control of massive troves of customer data haven’t been enough to reform security standards. What should happen when companies lose control of data that could be used against our national security interests?
Consider medical information or sensitive social data such as dating preferences. In the wrong hands, this could be used to blackmail or compromise government officials. Often, even if consumers are careful to use false names or handles to register for services, their data can be aggregated to point to their real-world identity. Who should be required to pay the delta between the commercial value of sensitive data and the national security value of those data?
Clearly, we’re in a new era of conflict. Companies face new threats. The old ramparts will no longer hold. The military’s cyber defense barricades largely extend only to military networks. This is roughly akin to forts on the western plains in the 1800s only defending themselves.
Congress is largely out of the business of making laws. With fewer substantive bills being passed every year, in the best of times it couldn’t pass laws quickly enough to keep ahead of the rapidly emerging cyber threats.
The recently created Cybersecurity & Infrastructure Security Agency (CISA) is making steps in the right direction. It has strong leadership, some of the best cybersecurity thinkers available, and its cybersecurity guidance has been top notch. Unfortunately, it has no regulatory power – no action arm to prevent or respond to cyber threats against individual companies.
The Committee on Foreign Investment in the United States (CFIUS) has staff with national security expertise. Just as important, it has the authority to review and intervene when foreign involvement in US companies could have a negative impact on national security. But like the cop on a beat, it cannot be everywhere.
For most companies facing cyber threats, there is no cavalry. There is no substantive cyber law and order. There is a time for thinking, but for US companies in an era of unprecedented cyberattacks, this is a time for doing.
What are the options for new defenses? Right now, US companies are largely on their own when it comes to defending against cyber threats that range from troublesome amateurs to nation state actors. Corporate leaders must think not only about traditional competitive threats, but also think like the national security targets they are.
The best exemplar for this new mindset is the intelligence operative. Operatives are keenly aware of the possibility of nation states seeking to collect information on their activities as they conduct clandestine meetings. But they are also aware of how myriad other actions they take, even innocuous ones, might attract unwanted attention or become an attack vector.
Companies must therefore adopt this same spy mindset to fully protect themselves in the current threat environment.