The U.S. by far has been hit harder than any other country in the world with 156 “significant” cyberattacks since 2006, according to new data from the U.S.-based think tank Center for Strategic and International Studies (CSIS) that chronicles major hacks up until last month.
The U.K. finished second with 47 significant attacks, which CSIS defines as cyberattacks on government agencies, defense and high-tech companies, or economic crimes that rack up losses of more than $1 million.
India ranked third with 23 such large-scale attacks, and Germany fourth with 21 attacks. Interestingly, Russia had only eight attacks and North Korea five, while other nation states with substantial resources devoted to cyber security, such as China and Iran, had 15 each. Meanwhile, North Korea’s bordering nation, South Korea, had 18.
Analysis from Specops Research shows that the U.S. suffered 11 very serious attacks each year since 2006. Yet China, Iran and Saudi Arabia have each experienced only 15 significant cyber attacks during the same period.
“Whilst some countries have had to deal with more cyber attacks classified as significant than others,” Specops security expert Darren James said in a release, “it’s an important reminder for those in notable positions of power the role they can play in providing the public sufficient and continual governance on what online best practices they can implement to prevent their IT estate from being exploited by opportunistic cybercriminals.”
Chris Morales, head of security analytics at Vectra, took issue with CSIS providing information to the U.S. government.
“[CSIS] do not receive data from the nations they are measuring. That means the only way to glean information is from what is shared publicly or what they acquired from source,” Morales said, adding he doesn’t consider that reliable data.
But McAfee Chief Scientist Raj Samani disagreed, praising CSIS’s methodology as typically “rigorous,” and maintaining the report demonstrated the global nature of offensive cyber operations. He added that the ranking should not be a surprise to anyone.
“We have to consider that any such studies into victim or indeed attribution is based on information that is not readily available since the natural inclination of victims is to not openly share details related to the impact of an attack,” said Samani, noting telemetry analysis of the most targeted major campaigns in the U.S. is often based on available information.
“These findings should not come as a surprise,” he said. “As we look more widely where victims of targeted campaigns, typically Western Europe does rank relatively high on the list of targeted countries although other countries that are lower in that list are often targeted just by virtue of bordering nations that appear to be leveraging more offensive cyber operations.”
Morales pointed out the countries on the lists, outside of Israel, are not known to be very forthcoming on exposing any incidents they might have had. “Basically I question if we even know the real numbers,” he said, noting that most of the [presumably aggressive] countries listed target the U.S. and western nations. “They do not target themselves.”
His Vectra colleague Tim Wade, technical director, CTO Team, added: “The difference between U.S. policy on transparency and Chinese, Russian, Iranian and North Korean policy on transparency are not even the same sport, let alone in the same ball park.”
Wade drew a distinction between democracies and totalitarian regimes. “In the former, where the press takes the role of safeguarding the free flow of information, rather than acting as the mouthpiece of the local agents of influence, disclosure of sensitive events such as successful cyberattacks will be more widely publicized and acknowledged,” he pointed out, citing the devastating and egregious failures of the 2015 U.S. Office of Personnel Management data breach.
In that case, attackers were disclosed to be operating on behalf of a foreign intelligence service that had access to the sensitive personal records identifying 21.5 million U.S. personnel, including those associated with security clearances.
“It is not surprising that countries generally considered to be sources of major hacking or cybercrime activity would show up so low in this ranking,” commented Brandon Hoffman, CISO, head of security strategy at Netenrich.
Hoffman pointed out that in many of these “hotbeds” of cybercrime, the nefarious activity is not considered illegal, “assuming it is not perpetrated against the self-same country (or people/business in that country).”
As nation-state adversaries leverage more and more commodity cybercrime tooling, or perpetrate cybercrime funding activity, Hoffman said it makes sense they would not carry out that activity in the country they claim to be protecting.