With the midterms behind us, many were relieved by the relative absence of election-focused cybercrime. Social media platforms, their minds wonderfully concentrated by the fear of stricter regulation, ferreted out and deleted fake profiles and groups created to enflame partisan feeling among U.S. voters. (Sadly, the political landscape in the U.S. doesn’t seem to need the help of foreign provocateurs to remain highly polarized.) On Wednesday, Department of Homeland Security secretary Kirstjen Nielsen said that election officials had seen no evidence of any efforts to hack the midterms. So we can collectively breathe a sigh of relief — for now.
Recently, though, many analysts have been pointing out an alarming trend: more and more, cybercrime is becoming the purview not of ordinary criminals, but of criminals in uniform — either state actors, or “privatized” cybercriminals acting under the direction of state actors. In September, the CEO of enterprise-facing cybersecurity firm FireEye
This means that the level of threats is rising, since the attackers have far deeper pockets, expertise, and training than the private-sector criminals motivated purely by economics. It also means that rather than quick in-and-out attacks, more and more attacks are so-called “advanced persistent threats,” in which the attackers’ aim is to remain undetected within a network for an extended period of time, sometimes years, in order to conduct political or industrial espionage.
Analysts believe that four states are now responsible for the lion’s share of these APT attacks: North Korea, Iran, China, and Russia. Fully half of attacks originate with the last two. Predictably, each of them has somewhat different motivations:
- Russia’s focus seems to be political. As Vladimir Putin’s regime has come under continued international pressure for its military actions abroad (Syria, Ukraine, Crimea) as well as its attacks on Russian dissidents in western countries (the nerve gas attacks in the UK), it has turned to hacking in an attempt to distract and wrongfoot western powers.
- North Korea, whose hackers’ skill has increased dramatically in recent years, is focused on the money; many of its exploits involve cryptocurrency heists or the deployment of malware that covertly mines cryptocurrencies using the processing power of compromised computers. Its operators also extort ransoms from compromised companies.
- Iran has been on the receiving end of cyberattacks, suffering the notorious Stuxnet operation — allegedly a joint U.S./Israeli effort which dealt significant damage to Iran’s nuclear weapons program nearly a decade ago. Consequently the regime has concentrated on the development of cyberwarfare capabilities as a form of asymmetrical conflict in a world where it is at a conventional disadvantage.
- And finally, China is focused closely on industrial espionage, although that focus has branched out into educational institutions. This is a strategy known as “island hopping.”
“Island hopping” is one dangerous escalation in state-based cybercrime. Given the highly and chaotically networked character of political, commercial, and educational entities, attackers focus on weak links. Educational institutions such as universities are relatively soft targets, with less stringent security than government or industry. However, once inside a university, attackers can use the university network’s connections to “island hop” to better-defended networks — and the deepening collaboration between research universities and industrial firms offers many such opportunities.
State-sponsored cybercriminals are becoming more sophisticated in a variety of ways: more effective at covering their tracks after an intrusion, more effective at camouflaging the origins of an attack by mimicking the techniques of other groups or countries, and more effective at using the dark web to recruit and train hackers as well as buy and sell information.
The dark web is also helping malware become more sophisticated, as cybercriminals trade information freely, and make use of open-source tools to create malware that’s very difficult to distinguish from legitimate implementations of the same basic source code.
In short, the election may have passed without obvious cybercrime playing a role, but the threat environment continues to escalate, particularly due to the dominance of state-sponsored actors with varied goals and objectives. In this environment, we continue to believe that large U.S. corporations will devote virtually unconstrained levels of resources to cybersecurity — and that public policy will continue to move towards greater regulatory pressure on social media firms, which are the most vulnerable to manipulation by cybercriminals.
Investment implications: Stock valuations in general remain under pressure from rising interest rates, and in response, a rotation of uncertain duration has begun away from some of the best-performing high-multiple tech stocks, including those of major cybersecurity firms. We believe investors should be attentive to these as they drop towards more attractive valuations, since their longer-term prospects remain robust.