Cyber threat reporting sits at a dichotomy. On the one hand, much furor is made of the role of non-state actors – the way in which criminal groups, proxies, hacktivists and even individuals can have an outsized impact in the threat that they pose. On the other hand, discussion of state campaigns is largely restricted to a handful or prevalent (and typically advanced) actors, with reporting focused on the usual suspects of Russia, China, Iran and North Korea. Yet, for an industry that has brought attention to both advanced state campaigns and script kiddies, the space in between remains chronically under-analyzed. This blog post seeks to redress this imbalance by exploring the emerging role of non-traditional state actors.
New kids on the block
Our understanding of state actors is set to broaden given the emerging role of other state-affiliated actors and campaigns that have operated in the shadows for too long. Vietnam-based APT 32 (also known as Ocean Lotus) provides one example of an actor that possesses an impressive capability and a willingness to target a range of entities in a manner that reflects Vietnamese state interests, but has operated largely under the radar (although firm attribution to the Vietnamese Government has yet to be established).
Similar stories will continue to arise as other ‘new kids on the block’ emerge in the coming years. Yet, merely acknowledging the rise of new state actors only takes us so far; the strategic implications that arise from such a shift, however, are an altogether more interesting question. Crucially, the rise of other state actors poses significant challenges both for the cyber threat landscape and the role of threat intelligence analysts.
At the most obvious level, the emergence of non-traditional state campaigns will create an increasingly complex threat environment. This relates not only to the number of active threat actors, but also the breadth of aims and intentions pursued through cyber campaigns. We might have assumed that a threat actor using ransomware and other financially-motivated campaigns was a criminal group only a few years ago – then North Korea emerged as a state actor turning to cyber campaigns as a means of generating funds.
Threat intelligence analysts will need to remain open-minded going forward. As more states come to the fore, they will likely use cyber campaigns to achieve a variety of ends (not all of which may be immediately obvious right now). Conversely, other emerging states might seek to directly emulate current threat actors. Similarly, destitute governments might look to North Korean cyber campaigns as a paragon for efficient government revenue raising. If a variety of states pursue similar strategies, confirmation bias will increasingly risk leading analysts down blind alleys – reinforcing the need for teams to approach intelligence questions with structured techniques and an awareness of the psychological bear traps that exist in intelligence analysis.
Figure 1: Richards J. Heuer’s Psychology of Intelligence Analysis warns of the conscious and unconscious biases that can limit good intelligence analysis
Chaos and the new cyber threat landscape
The strategic immaturity of emerging state actors also represents a serious concern. Many of the current established players have invested a lot of time thinking about questions of deterrence, norm-building, and other strategic questions, yet these issues have proved consistently awkward to resolve. Capability management provides a good example of such a challenge in practice. Despite its sophistication, the US National Security Agency (NSA) has struggled to keep its operations and capability covert (think Edward Snowden, Reality Winner and Harold Martin).
Recent exposures have gone beyond a PR headache to creating materially destructive outcomes. After all, it was the NSA toolkit that was weaponized by North Korea in the WannaCry ransomware outbreak that went on to hamper hundreds of thousands of systems worldwide, including the British National Healthcare Service. If issues such as capability management have proved a real challenge for even the most sophisticated state actors, they are certain to apply to strategically immature state groups – thereby injecting more chaos into the cyber threat landscape. Cyber threats will therefore become increasingly unpredictable as more states enter the fray.
Local, regional and global implications
Current reporting has focused largely on how non-Western states are targeting Western entities. Yet, many emerging states’ ambitions will not reach so far afield. An increasing number of cyber campaigns are likely to instead reflect local geopolitical disputes. For emerging states in regions like the Middle East or the South China Sea, cyber campaigns will often be pointed towards their neighbors. This should not belie their significance, however: with many organizations operating in global environments, regional conflicts will be just as important as their intercontinental counterparts.
What this means for the threat intelligence community
The emergence of non-traditional states will therefore put new burdens on threat intelligence vendors and analysts. This shift will demand adaptation – a need to understand more cultures, languages and local political situations. A more diverse threat landscape should be reflected in the makeup of analyst teams with a variety of perspectives increasingly important. Other communities will also represent an increasingly important resources – whether this be area studies academic centers that work with analysts to understand new contexts, or institutions including The Citizen Lab that explore state campaigns targeting the most vulnerable portions of civil society. In adapting to the arrival of the new kids on the block, the cyber security community will need to respond with what it has always needed in the face of a new challenge: a desire to learn and a strong dose of humility.
To stay up to date with the latest Digital Shadows (now ReliaQuest) threat intelligence and news, subscribe to our threat intelligence emails here.