Cyberattacks against US business, the ‘perfect asymmetric weapon’


Geopolitical tensions across the globe expose US companies to cyberattacks, as they are viewed as elements of US national power. According to experts speaking at Advisen’s Cyber Risk Insights conference in New York last week, these countries consider cyberattacks the “perfect asymmetric weapon.”

“In a sense being an American company does unfortunately carry a great risk from nation-state attacks because they [nation states] see the strength of the US economy underpinning the larger military and political power of the United States,” said Haris Shawl, Manager, PwC Cyber Threat Operations.

The risk is real for all segments of the US economy. There is often a flawed assumption that only the government, government contractors, and the largest of companies are targets of nation-state cyberattacks. But the panelists agreed that small and midsize companies are equally, if not more, at risk.

“In the SME space there tends to be a belief that if we’re not Lockheed, L3, GM or Google, we won’t be attacked,” said Reid Sawyer, SVP, credit, political & security risks, JLT Specialty USA. “But the problem with that is most of the innovation occurs on the periphery. Small emerging tech firms are working on some of the most cutting-edge aspects of technology, business processes and IT systems. So the extraction of that value for a nation state, or the disruption of those attacks, is more significant.”

Sawyer continued: “And second to that, in the SME space they don’t have the same amount of dollars to spend on IT defense and on the systems to protect themselves, so they themselves become the softer target.”

Many of the softer SME targets are business and supply chain partners of larger corporations. As a result, nation-state actors often use them as entry points into the more valuable targets.

A recent example is the NotPetya ransomware attack, in which a nation state is believed to have compromised the Ukrainian accounting software M.E.Doc and pushed an update to all the Ukrainian government organizations, which were required by law to have the software.