Breaching the fortress: the rise of cyber espionage
Thanks to Bing Image Creator for the artistic assistance!

20 years ago I led an offensive military operation against the national defence headquarters of a hostile country. The operation was conducted on behalf of allied intelligence agencies. We captured operational data and detailed evidence of various nefarious activities and international crimes.

It wasn’t a subtle affair. We were successful thanks to surprise, speed, controlled aggression, and the rather unconventional employment of armoured vehicles. Today, such operations are rather less “crash-bang-wallop” in nature. Hostile actors are seizing the operational data of allied governments and their defence and intelligence agencies much more covertly.

Cyber espionage is conducted to obtain secrets and information from individuals, competitors and governments for economic, political or military advantage. It is on the rise, and cyber mercenaries threaten the stability of cyberspace. There is a growing industry of private companies developing and selling advanced tools, techniques and services to enable their clients (often governments) to break into networks and devices.

In 2023, Russia has stepped up its espionage attacks, targeting organizations in at least 17 European nations, mostly government agencies. 74 countries have been targeted by Russian threat actors alone in the last 12 months. Other nation states, including China, Iran, and North Korea, are also extremely active. Since September 2022, successful cyber attacks have been conducted against defence contractors, military or diplomatic entities in Chile, Mexico, El Salvador, Colombia, Peru, Latvia, Italy, the US and Canada.

63% of nation state attacks outside Ukraine have targeted government entities, defence organizations and IT services. Russian actors have been successful in a third of the attacks they have mounted, and the vast majority of victims were operating ‘on-premise’ and had not yet migrated to the cloud. Successful attacks gain access to data within 1 hour and will move laterally through a network within 2 hours. Within 14 days, a vulnerability will be made broadly available to other criminals. Even when intrusions have been discovered, 78% of devices remain unpatched 9 months after a patch is released.

So what can be done? At the strategic level, Microsoft believes that the international community urgently needs a consistent, global framework that prioritizes human rights and protects people from reckless state behaviour online, to bring stability to cyberspace. Governments should agree upon norms and rules for state behaviour in cyberspace and work with the broader multistakeholder community to address emerging gaps.

Tactically, governments can take 3 actions:

1. Adopt a zero-trust approach where they assume breach, explicitly verify permissions, and grant least privilege access to systems and data.

2. Migrate to the cloud and secure their multi-cloud environments appropriately through identity and access management, endpoint protection and appropriate network security measures.

3. Address their technical debt challenges and their talent gaps. Overcome legacy mindsets that conflate data location with security.

Clearly there is no longer a requirement to physically breach the walls of a national defence headquarters to seize operational data. Today such breaches happen more frequently, much more subtly, and can be far more damaging. By keeping data in ‘on-premise’ systems, governments and their militaries are at greater risk than they would be on the cloud.

Andrew Robinson

Canadian Federal Sales, Converge Technology Solutions

1y

The time for action is now

Calvin Chrustie LLM

Critical Risk Team - Senior Partner - 21st Century Asymmetrical Problem Solvers

1y

I would add, consistent with all research and best practice - an educational awareness program on #asymmetricalthreats - the #humanelement.

Kevin Hayes

Military Liaison - Automotive Research NRC

1y

Thank you Derek!

Beautifully said Derek. You continue to make such a difference to our country and beyond. I always feel much safer around you! Bravo.

More articles by Derek Dobson