US cybersecurity from malicious nation states


Beating back cyber threats from nation-states

All complex systems have inherent security vulnerabilities, and the sheer size and scale of modern networks makes it impossible to make them 100 percent impenetrable. However, the key in defending these networks, and the confidential information they hold, lies in discovering and managing their weaknesses.

America’s critical infrastructure faces nation-sponsored cyber threats every day. The likelihood of an attack depends not only on how prepared we are today, but how we continue to evolve our networks to keep pace with advanced threat actors and nation-state actors.

Sophisticated cyber adversaries are continually evolving to circumvent defensive measures. Yet regulatory requirements and re-accreditation time often creates a disincentive for enterprises to upgrade, resulting in the same systems being used for long periods. With that in mind, the probability of an attack is highest for any segment of U.S. infrastructure where investment and focus on cybersecurity has deteriorated.

Government and industry must first recognize that nation-state cyberattacks are not a point-in-time problem. They are a constantly growing, strategic threat to our country. State-sponsored cyber threats can either be destructive or seemingly benign when they appear to make minor alterations to influence the systems they’ve compromised. However, because of the complex nature of modern economies, influence is sometimes strategically more desirable than complete destruction.

For instance, a nation-state might infiltrate U.S. manufacturers to steal confidential information, rapidly gaining knowledge that came from extensive research and significant investment. That adversary could then manufacture the product and sell it in the international or U.S. market, undercutting the original manufacturer. A nation-state could also introduce a bug in a financial trading system to cause small fluctuations that give an advantage to certain investors. While these examples may seem highly unlikely, both are close to real events recently in the news.

In 2014, U.S. attorneys indicted Chinese personnel for cyber espionage campaigns against the U.S. Steel and Westinghouse Electric. One reason cited for the attack on the Westinghouse network was to find out its negotiating strategy with a China-based company. Also in 2014, Navinder Singh Sarao was arrested for causing a “Flash Crash,” illegally manipulating the U.S. stock market. Sarao was not linked to a nation-state sponsor, but both events demonstrate that sophisticated cyberattacks can be “non-destructive” and have significant impacts.

As a result, infrastructure owners and policy makers alike must work to continuously expand their policies and technologies to keep up with these evolving threats. Organizations need solutions that can look for smaller, individual attacks as well as broad campaigns. To achieve continuous improvement, companies need to fully invest in cybersecurity programs, and government agencies need congressional funding to ensure they receive the technical and human resources to keep pace with the rapidly advancing threat landscape.

The bottom line is that to sufficiently protect sensitive information, all public- and private-sector organizations must understand who has access to networks and data; from where they can access it and for how long they can access it. It is paramount that organizations are able to answer these questions so they can better understand what information or network areas are most vulnerable.

To answer these questions, IT leaders must have complete visibility into their systems.  Comprehensive analytics can help organizations shift cybersecurity from a responsive activity to a proactive program that supports the daily network health. Real-time response capabilities are critical to address breaches when they occur, but preventative measures and procedures can be equally as important in stopping malicious actors. 

The primary motivation of a nation-state actor is to gain strategic advantage for itself or its allies and influence geopolitical affairs to its benefit. This benefit may be immediate, compromising a financial trading system, or long term, stealing data from a defense contractor to improve weapons. All of these attacks are ultimately aimed at weakening U.S. capabilities in the battlefield or at the negotiation table.

Infrastructure operators and their regulatory bodies need to look beyond destructive cyberattack scenarios and view cybersecurity as a strategic process that doesn’t have a finish line. All networks have vulnerabilities. Constantly striving to identify and manage those vulnerabilities will result in an environment where an organization can operate its business and deliver its mission priorities.

About the Author

Monzy Merza is Splunk's head of security research.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected