U.S. companies are under increasing threat from hacks at the direction of foreign countries — but few are taking that threat seriously, according to a new report from cybersecurity research firms Ponemon Institute and CounterTack.
The researchers surveyed 639 IT practitioners, from technicians to senior executives. Thirty-five percent were certain their company had been the target of a "nation-state attack," and three-quarters said they expected to be impacted by one within the next five years. Seventy-five percent admitted they are unprepared, unable to detect or combat such attacks — yet only half reported taking measures to prevent or deter them.
"The world has really changed," Larry Ponemon, the Institute's founder, told NBC News. "Companies are doing a good job — but attackers, and not just nation-states, but all attackers, they're becoming more sophisticated, strategic and just nastier. The gap is growing."
Major breaches have brought widespread attention to cybersecurity in the past year, and there has been a steady stream of smaller hacks at universities and private companies. It's notoriously difficult to pinpoint the origin of cyberattacks with certainty. Cybersecurity researchers have traced many attacks to China — despite protestations by the country's president, Xi Jinping, that it does not engage in such behavior. North Korea, Iran, Russia and Syria have also been implicated in intrusions.
Hackers: basement-bound no more
There's a common perception of "hackers" as tech-savvy troublemakers looking to embarrass corporations or steal identities. But while such lone wolves surely do exist, there is a growing population of hackers who work for or are otherwise funded by rival countries to quietly pursue a campaign of sabotage and counterintelligence.
In fact, said Mike Davis, CTO of CounterTack, lone wolves and nation-state hackers may even help each other out. "Nation-state attackers can leverage other groups to get the initial beachheads," he said. "But once they're in there they use very different tools. The strategy is different."
Hacks like those at Sony, JP Morgan and the federal Office of Personnel Management show not only that large entities like corporations and government agencies are highly vulnerable, but also that all kinds of data are potentially at risk.
Ordinary hackers looking to make a quick buck take aim at credit card databases and the like, things they can quickly sell, even if the price isn't particularly high. China and Russia, however, don't care about cash rewards. But contracts with the Defense Department, engineering plans for an oil pipeline, financial data not disclosed publicly — these could be very useful.
"Take the OPM breach," said Davis. "There's a reason they wanted information on who had classified access. That may be a key data point for some other data set that they have. This is an arm of a bigger campaign — these attackers have their own big data databases."
U.S. intelligence officials have said China is the "leading suspect" in the massive OPM breach, a charge Beijing denies.
Protecting the "crown jewels"
Almost anything could be a target, which makes it difficult for companies to decide where to spend money on security.
"A lot of organizations are having a hard time understanding, 'What are the crown jewels?'" said Ponemon. "It's a big question and there's really no great answer. Value is in the eye of the beholder."
Respondents reported that concern among their companies' leadership about state-sponsored attacks jumped following last year's devastating hack at Sony, which this week agreed to pay several million dollars to settle a lawsuit filed on behalf of current and former employees. The hack was embarrassing to the company's leadership, and exposed the company's private, internal processes and secret projects to the scrutiny of competitors worldwide.
Yet despite having witnessed such incalculable damage, few other executives are taking direct action, the report found. Half the respondents to the Ponemon survey are taking a "wait and see approach" instead of instituting proactive measures — a strategy that might save them money in the short term, but may well put the companies and their customers at risk down the road.
"Newer companies have baked security into their processes," said Davis. "But you take a company that's been around for 50 years, with four mainframes and 18 different operating systems — it's like the Wild West out there."
There is some good news in the report: Nearly two-thirds of companies reported they are, at the very least, increasing their IT/security budgets.