Vietnam, Qatar, UAE: American officials fret about hacking by a new generation of nations
By JOSEPH MARKS | The Washington Post | Published: November 26, 2019
As if digital threats from the main U.S. cyberspace adversaries weren't enough, U.S. officials and researchers are increasingly worried about hacking dangers posed by a slew of other nations including Vietnam, Qatar and the United Arab Emirates.
The fears are upending a half decade during which U.S. cybersecurity worries focused on four main adversaries — Russia, China, Iran and North Korea. And they're signaling that cyberspace is about to get far more complicated and dangerous.
"The threshold for entry to have a cyber program has dropped so low because you don't need to figure out how to build your own program. You can just buy it as a service and that worries me," a senior FBI cybersecurity official told reporters during a roundtable discussion.
In some cases the nations are developing hacking capabilities in-house, such as in Vietnam, where government-backed hackers are reportedly stealing information from rival governments and companies in key sectors including the auto industry to gain a competitive advantage. In other cases, as with Qatar and the UAE, they're contracting with private companies that sell hacking tools and services to law enforcement, and using them to spy on journalists and dissidents.
The most obvious problem is that more nations hacking leads to more hacking victims — including in the United States.
A lawsuit Facebook filed against the Israeli spyware company NSO Group in October described more than 1,400 victims spread across 20 countries that NSO helped government clients hack using a newfound bug in the WhatsApp messaging service. Some of those victims were inside the United States, according to a Reuters report.
The proliferation of hacking capabilities could also make it tougher for law enforcement to figure out who's behind an attack — especially if multiple nations are buying tools from the same company or if one nation is trying to shield its culpability by posing as another.
"Being able to determine the nation-state actor using what traditionally might be a criminal tool on traditionally criminal infrastructure in an attempt to enter at a cheaper price or obfuscate their activity, that causes an additional dilemma for us," the FBI official said.
The official stopped short of condemning companies that sell hacking tools to governments but issued a stark warning.
"I'm certainly concerned with groups that advertise their services to conduct illegal activity," the official said. "If you're attacking U.S. citizens on U.S. infrastructure and conducting intrusion activities, that's a crime."
There's also a far greater chance of inexperienced nations launching cyberattacks that are far more damaging than intended, or of a digital conflict between two nations escalating out of control.
And, because it's tough to tell who's who in cyberspace or to limit how far an attack spreads, that raises the chances of innocent victims being harmed.
Even Russia, which is among the most skilled nations at hacking adversaries, has had trouble containing its attacks. The 2017 NotPetya malware attack, which U.S. officials have attributed to Russia, appeared aimed at crippling computers in Ukraine but ended up spreading damage across dozens of nations.
"More and more nations have cyberoffensive capabilities, and because cyberattacks can be done without clear attribution there's a risk that we can have attacks and counterattacks in a very damaging and escalating situation where citizens . . . are the victims," John Frank, vice president for European Union affairs at Microsoft, told me recently.
Microsoft is part of a coalition led by French President Emmanuel Macron that's pushing governments and companies to adopt a slate of commitments aimed at making cyberspace less volatile. The commitments, dubbed the Paris Call, have been endorsed by three U.S. states and numerous cities but not, so far, by the federal government.
Yet it will get far harder to enforce those commitments if more and more nations are violating them, Frank warned.
"The number of nations with cyberoffensive capabilities, including cyber espionage, is growing dramatically," he said. "And everything is connected to the Internet these days...so the potential disruption, both to our economy and to our safety, is profound."