I’m Afraid You Have “State Actor”
There is an old joke stating that if you’re sick and start searching for symptoms you experience online, you will inevitably find that you “have cancer”. In recent years, a similar phenomenon is starting to occur when organizations try to determine who was behind a breach.
According to information security provider Radware, in 2018, 19% of organizations believed that they had been targeted by a state actor. In 2019 that number has risen to 27% among those polled and a staggering 36% among North American organizations.
We fully expect this upward trend to hold over the coming years.
The psychological factors in play with false cancer self-diagnosis
Two factors play into the common false self-diagnosis of cancer: The extreme awareness of cancer among the general population and the fuzziness of the symptoms.
Awareness is not rationally linked to importance. While cancer is among the most common reasons for death in the developed world, it is by far not one of the most common illnesses. The average person has dozens of minor or medium illnesses during their lifetime and may struggle with one or more chronic conditions. But since cancer is usually the illness that deals the deadly blow to a person, it looms large in our collective consciousness. Thus, a person experiencing a strong headache is much more likely to worry about cancer than - for example - an aneurysm.
Secondly, cancer is a large group of related conditions that can collectively result in almost any symptom. While illnesses like the common cold have relatively clearly defined symptom lists (runny nose, fever, cough, muscle soreness), the list of potential symptoms for all cancers is virtually endless.
So when someone starts researching their symptoms online, they will inevitably find “cancer” as one of the afflictions which may cause said symptoms. And since the awareness of cancer is out of proportion when compared to the actual incidence among all illnesses, the reader is inclined to retain that information. The rest is selection bias.
What does this have to do with state actors?
State actors in the world of information security and cancer in the world of healthcare share the two main characteristics listed above.
Since they received extensive media coverage, awareness for state actors is extremely high at this point in time. Needless to say, when state actors strike, the results are usually catastrophic and tend to dominate the news cycle for days or weeks. In some cases - like the 2016 US election interference - attacks can have long-lasting political and cultural impact. Like cancer, the gravity of a state actor attack is high, they are poorly understood and there is no clear line of defense that can be taken.
At the same time, while a specific tool or even hacking team can usually be identified based on the way they attack a target, symptoms of a state actor attack could literally be anything. Custom malware, zero-days, social engineering, physical infiltration and much more are literally on the table. So any abnormal behavior any organization notices could potentially be a sign of a state actor attack.
Combined with increasingly harsh government regulations causing the infosec equivalent of a health scare, many organizations thus convince themselves that they must have been targeted by a state actor. Confirmation bias is especially strong in this case because organizations may be blamed for not updating their servers properly, but almost no-one is seriously expected to withstand a state actor attack.
A differentiated look
To be absolutely clear: Cancer and state actor attacks happen at frightening rates. They are extremely real and extremely severe things. Neither should be taken lightly and suspicion of either should always be investigated with the proper specialists.
However, just like 36% of the population are not currently sick with cancer, 36% of organizations are most likely not currently under attack by state actors. And hysterics are at best ineffective and at worst harmful to the cybersecurity of an organization. While state actors do attack targets all the time, the vast majority of breaches still happen due to weak passwords, account sharing, out of date software, badly configured systems and all of the other mundane, embarrassing reasons. The risk is that out of fear of state actor attacks and an inability to defend against them, organizations do not take the actually possible steps to protect their infrastructure against the threats much more likely to hit them.
Cancer is real, frequent and terrible. But if it’s December and you have a sore throat, you likely have a cold.
State actors do attack organizations and there is almost no defense. But statistically speaking, if you get breached it’s because of criminals or automated tools.