Emerging Cyber Threats: No State Is an Island in Cyberspace

The U.S. intelligence community (IC) recently unveiled its new Annual Threat Assessment, identifying the top cyber threats to national security and the predominant nation-state actors—China, Russia, Iran, and North Korea. Surprisingly, the IC’s 2022 report only offers character vignettes of each country’s individual cyber programs, but is silent on the potential of these actors working together to amplify disruptive effects. Why is this puzzling?

Because understanding the interstitial connection between these nation-states is just as important as understanding the individual risks. For example, just as U.S. Cyber Command uses a “defend forward” strategy to protect U.S. networks and cultivate multilateral partnerships for security and stability, it also benefits security design to understand how adversaries are forming partnerships. Defending forward means confronting threats “before they reach their targets” according to the U.S. Cyber Strategy Summary, and has two core elements: the strategic persistent engagement of adversaries and working with allies and partners to promote security. For these reasons, it is striking that the IC’s report did not at least raise concerns about how adversaries may combine capabilities and skills to harm the United States and its allies—especially as the crisis in Ukraine unfolds.

Q1: So, which actor poses the top cyber espionage threat to the U.S. government and the private sector?

A1: China.

China is the leading threat actor for cyber espionage operations. Examples of such operations include spying on the networks and services of telecommunication companies and conducting malign influence activities to undermine the United States’ geopolitical standing. The report declares that China “leads the world” in its surveillance and censorship practices, citing how Beijing is using mass surveillance technology in the Xinjiang Uyghur Autonomous Region to monitor the region’s Uyghur population and target Turkic Muslims. Additionally, the report raises concerns about China’s ability to disrupt the United States’ critical infrastructure, warning that “China almost certainly is capable of launching cyber attacks that would disrupt critical infrastructure services within the United States, including against oil and gas pipelines and rail systems.” Overall, China’s approach to achieving cyberspace superiority appears to be anchored in exhausting the energy and resources of adversaries.

Q2: Which actor is most willing to “push back” and target countries with cyber capabilities stronger than its own?

A2: Iran.

The report describes Iran’s cyber operations as “opportunistic” to garner geopolitical recognition, explaining that it is “more willing than before to target countries with stronger [cyber] capabilities,” such as the United States and Israel. Focusing on Israel, the hacking group allegedly linked to Iran’s Islamic Revolutionary Guards Corps, Advanced Persistent Threat 35, attempted to use the Log4j exploit last December against seven Israeli targets in government and business. Iran has also used cyber operations to target Israeli water facilities in 2020, the United States’ electrical grid in 2020, and the British Post Office in 2019. Based on Iran’s past successful targeting of critical infrastructure, the report concludes that this reflects Iran’s “growing willingness to take risks when it believes retaliation is justified.”

Q3: Which actor was voted most likely to use cyber to shape other countries' decisions?

A3: Russia.

The Russian Federation is focused on targeting critical infrastructure like industrial control systems and underwater cables, “because compromising such infrastructure improves and demonstrates its ability to damage infrastructure during a crisis.” For example, Ukraine’s electrical grid was knocked offline by Russian hackers in December 2015—the first cyber operation targeting another country’s electrical grid. Apart from targeting critical infrastructure, Russia has also launched some of “the world’s most destructive malware to date,” according to a 2021 federal grand jury indictment of six Russian intelligence officers in the Main Intelligence Directorate of the General Staff of the Armed Forces (GRU). The charges included several disruptive cyber attacks like the NotPetya ransomware attack in 2017, the Olympic Destroyer malware used to target the 2018 Winter Olympic Games, and interference with France’s 2017 election and with the investigations of the 2018 Novichok poisoning. But what about Russia’s potential to conduct cyber operations against the United States and its allies in response to economic sanctions? During a White House briefing on March 21, Deputy National Security Advisor Anne Neuberger announced that Moscow “is exploring options for potential cyberattacks on critical infrastructure in the United States” and emphasized the need to remain vigilant and shore up defenses across industry sectors.

Q4: Which actor had the least written about its cyber program in the IC report?

A4: North Korea.

The IC report mentions that Pyongyang is in a good position to wage “surprise cyber attacks” because of its “stealth” characteristics and previous bold targeting actions, like the North Korean military’s hacking campaign of SONY Pictures Entertainment in 2014. What about North Korea’s ability to target critical infrastructure in 2022? The state “probably possesses the expertise to cause temporary, limited disruptions of some critical infrastructure networks and disrupt business networks in the United States.” Apart from this, North Korea’s cyber espionage operations run the gamut, targeting entities across academia, government, and business—including even Russian aerospace and defense companies. For these reasons, North Korea remains a bit of a "wild card" in waging cyber operations.

Overall, the fact that countries use cyber power to tip the geopolitical scales is unsurprising, for as James A. Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies, writes, the “internet undergirds this global connectivity, and cyberspace has become a focal point for contest.” Bearing that in mind, understanding the ecosystem of this “focal point for contest” is essential for offensive and defensive cyber operations planning—because no state is an island in cyberspace.

Zhanna L. Malekos Smith is a senior associate (non-resident) with the Strategic Technologies Program and the Aerospace Security Project at the Center for Strategic and International Studies (CSIS) in Washington, D.C., and an assistant professor in the Department of Systems Engineering at the U.S. Military Academy at West Point. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s) and not those of CSIS, the Department of Defense, or the U.S. government.

Critical Questions is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2022 by the Center for Strategic and International Studies. All rights reserved.
