Nation-state attackers are attempting to undermine trust in critical services -- so how do we go about stopping them?
While cyber-attacks focusing on stealing email or other data are still very much part of the threat landscape, some of the most advanced hacking operations are focusing on grander goals.
Some of these groups -- almost all nation-state backed -- are turning their attention to critical infrastructure including utilities firms and power plants, while others are attempting to manipulate public attitudes and even elections through the use of fake news and other social media propaganda.
"It's not so much an attack on critical infrastructure, but rather an attack on the confidence and psychology of a nation," said Chris Inglis, former deputy director of the National Security Agency, speaking at the World Cyber Security Congress event in London.
Attacking critical infrastructure and spreading disinformation is a powerful combination: after all, the reason that governments exist is to make sure the citizens of a country remain safe. Such tactics have been tried out in Ukraine over the last few years.
"We've now got a nation-state actor which is effectively holding at risk the Ukrainian power grid, who's managed to affect it and disrupt it twice at a time and place of their choosing -- and it could've been a lot worse," said Pete Cooper, non-resident senior fellow in the Cyber Statecraft Initiative at the Atlantic Council, a think-tank focusing on international affairs.
"We're really starting to see adversaries at nation-state level and down who are attacking trust in our critical services."
Similar tactics are being used outside of Ukraine too. Last December, hackers intentionally used malware to shut down a critical infrastructure firm in the Middle East. Researchers at FireEye said this sort of approach has previously been carried out by Russian, Iranian, North Korean, US, and Israeli nation-state actors.
Not every attack that undermines confidence is necessarily a targeted one. Last year's WannaCry ransomware outbreak wasn't a direct attack on the UK's National Health Service, but hospitals and GP surgeries ended up becoming some of the most severely impacted victims, with doctors forced to cancel patients' operations and appointments as a result of the attack. It arguably undermined the public's trust in the resilience of the healthcare system.
"We've really got to think about the fact our adversaries are attacking more than just our technology. Our adversaries are now starting to critically undermine the trust that our stakeholders have," said Cooper.
There are many in the cybersecurity industry who would argue that technology alone can solve this problem -- protect systems with the relevant tools to keep them safe from attacks. But this is perhaps ignoring the wider issue: there isn't an antivirus product to protect against declining faith in big institutions, or to defend against fake news.
"The bigger system, that's the thing we have to defend, not just the technology. While we're focusing on protecting the technology, our adversaries are focused on attacking the system. And by attacking the system, they're critically undermining the trust in that system," said Cooper.
In order to achieve that, it can't just be about "looking for our technology comfort blanket," he said, adding: "we're going to find it lacking".
The very nature of this form of cyberwarfare means it is often hard to attribute an attack to a particular group or state. However, governments are putting more effort into attribution as one way to shame -- and deter -- attackers. In some cases, researchers and law enforcement have been able to identify the culprits behind attacks: for example, WannaCry was attributed to North Korea.
Meanwhile, the finger has also been pointed at Russia for attempting to meddle in the 2016 US presidential election, and it has also been blamed for NotPetya, which initially targeted Ukraine but spread to infect organizations around the world, causing billions of dollars of damage.
"You take a look at what the North Koreans in spring 2017 [WannaCry]. Unless that behavior is checked, we can expect a recurrence of that in 2018, 2019, 2020. It's not a question of if, but rather a question of when," said Inglis.
The answer, he said, is some sort of reaction with "consequences" in retaliation to these attacks, otherwise the likes of Russia and North Korea will repeatedly launch campaigns to disrupt and undermine the West.
Governments should be in charge of any reaction. "They can impose consequences; there can be collective action against other nation-states and entities that look like nation-states."
But while the US has introduced additional sanctions on Russia for launching "the most destructive and costly cyberattack in history" in the form of NotPetya, it's beyond doubt that we haven't seen the last of attacks against critical infrastructure.