Cyber espionage boosts risk factors

By Erin Ayers on February 25, 2015

As government action on cybersecurity ramps up, it has become clear that the threats posed by cyber risk to economic and national security go well beyond the now-traditional data breach. With revelations by security researchers about a fresh new batch of evidence of state-sponsored hacking, the world of cyber risk offers obstacles that require policymakers to address the ethical murkiness that comes about when the hackers are close to home.

According to Costin Raiu, director of Global Research and Analysis Team at Kaspersky Lab, cybercrime universally is undergoing an evolution, one that could jeopardize more than consumer credit card numbers.

“For many years, cyber-criminal gangs focused exclusively on stealing money from end users. An explosion of credit card theft, hijacking of electronic payment accounts or online banking connections led to consumer losses worth hundreds of millions of dollars,” he stated in a blog post. “Maybe this market is no longer so lucrative, or maybe the cybercriminal market is simply overcrowded, but it now seems like there is a struggle being waged for ‘survival’. And, as usual, that struggle is leading to evolution.”

The message – hackers know that state secrets are going to sell just as well, if not better, on the black market than a data dump of credit card numbers and email passwords. Approaches to cybersecurity should begin to reflect that the debate includes not only consumer privacy and identity theft protection, but also cyberespionage and its effects.

Kaspersky Lab’s Russian unit this week made headlines with the announcement that it had discovered a decade-long cyberespionage operation – with the unspoken suggestion that it is likely arising from the United States government and showing similarities to the destructive Stuxnet malware of 2008.

“The group is unique almost in every aspect of their activities: they use tools that are very complicated and expensive to develop, in order to infect victims, retrieve data and hide activity in an outstandingly professional way, and utilize classic spying techniques to deliver malicious payloads to the victims. To infect their victims, the group uses a powerful arsenal of ‘implants’ (Trojans) including the following that have been named by Kaspersky Lab: EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Fanny and GrayFish. Without a doubt there will be other ‘implants’ in existence,” the firm commented in its briefing on the topic.

Advanced persistent threats (APTs) like these attacks lurk in computer systems, stealthily gathering data, unlike the smash-and-grab malware attacks looking to score quick financial information. And, in late 2014, researchers at McAfee predicted cyberespionage would represent the next biggest threat.

“We are seeing a general trend of less sophisticated state- and non-state actors increasingly using cyber warfare and cyber espionage tactics traditionally exclusive to sophisticated state actors,” Ryan Sherstobitoff, principal security researcher for Intel’s McAfee Labs, told Advisen.

For the insurance industry, the evolving nature of cyber risk suggests a need for clearly defined policy language and an understanding of whether cyberespionage would be covered. No courts have yet suggested it has been tested, but case law surrounding insurance exclusions for war and terrorism could indicate that cyberespionage may remain outside the scope of a cyberliability policy unless expressly included.

However, attribution of hacks remains problematic. Security experts raised numerous doubts, but the Sony hack, for example, is now commonly attributed to North Korea by the U.S. government. The revelation of these new threats prompted calls from privacy advocates for additional transparency from all governments and questions from the public and the press whether any hardware or software should be considered truly safe.

“This report once again demonstrates how important it is that all companies take concrete steps to protect consumer privacy and prove that they are not exposing their customers to surveillance. Some hard drive vendors, asked for comment by the press, pronounced their products completely safe and immune to tampering—even as Kaspersky showed that those same products were actively being exploited,” noted the Electronic Frontier Foundation in a blog post. “We hope those vendors will reconsider that overconfidence and get to work improving the safety of their products.”

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass.