A majority of businesses surveyed for a study by the Economist Intelligence Unit (EIU) and the Cybersecurity Tech Accord, see state-led and sponsored cyberattacks as a major threat. They are concerned about catastrophic reputational and financial consequences and call for greater international political cooperation to mitigate these threats.
The survey was conducted between November and December 2020, before the pernicious cyberattack on software company SolarWinds came to light. That attack was a moment of reckoning for many organizations about the challenges posed by state-led and -sponsored cyberattacks but, as the survey reveals, many businesses have long been aware of the escalating threat.
Cyberattacks led or sponsored by states transforming cyberspace
In recent years, cyberattacks led or sponsored by states have transformed cyberspace. This escalating conflict online has been accelerated by the wide-reaching consequences of COVID-19. In fact, almost 8-in-10 respondents say the pandemic has increased the likelihood of a state-led or -sponsored cyberattack on their organization.
Results show private sector leaders expect cyber threats by state actors to increase in the years ahead and want governments to implement effective policy solutions at the national and international level. In further detail, the key study findings are:
- State-led and -sponsored cyberattacks are a source of major concern for private organizations. 80 percent of respondents are concerned about their organization falling victim to a nation-state cyberattack, with the majority saying that this concern has increased in the past five years.
- Companies expect cyber threats from nation-state actors to increase in the next five years and will be second only to that of organized crime. This would be a grave development, given that states have significant resources and advanced tools and technologies, which can later be repurposed by other attackers.
- There is a false sense of security. 68 percent of executives feel their organizations are “very” or “completely” prepared to deal with a cyberattack. Charles Carmakal, SVP and CTO at FireEye and one of the experts interviewed by the EIU, suggested that most organizations don’t have tangible experience dealing with such threats because they are rarely the primary targets of these attacks. The recent SolarWinds hack may compel more organizations to think about how they mitigate risk.
- Increased corporate investment in cybersecurity is crucial but government action, nationally and internationally, is needed. 6-in-10 executives say that their country only offers a medium or low level of protection and that stronger international economic and political cooperation is essential to address the challenges, and to cultivate a more secure and stable online environment.
“There needs to be a fundamental shift in security planning beyond the efforts of any one organization, and this shift requires proactive and cooperative action from government and industry.”
“Although cyberattacks are a silent threat, they can have devastating and long-lasting effects on our society. Given the recent escalation of tensions in cyberspace, cooperation between governments is becoming increasingly complicated as political systems differ and technological competition rises,” said Marietje Schaake, president of the CyberPeace Institute.
“This survey is an important call to action for democratic governments to step up and think more inclusively about the kind of cyber assistance they provide to protect companies in key sectors, and ultimately civilians.”