State-sponsored cyberattacks: Cybersecurity Tech Accord and Economist Intelligence Unit study reveals they are a major concern for businesses

State-led and -sponsored cyberattacks have transformed cyberspace into a new domain of conflict, a development further accelerated by the far-reaching impacts of COVID-19. These attacks are becoming increasingly sophisticated and the range of targets is expanding to include government agencies, critical infrastructure, healthcare entities and even private citizens. The attack on software company SolarWinds is the most recent and devastating example, exposing the vulnerabilities of our internet infrastructure and the low-level of preparedness amongst all impacted entities, from government agencies to private organizations. 

In an effort to understand businesses’ perceptions of, and responses to, state-led and -sponsored cyberattacks and to identify effective policy solutions to mitigate the threat, the Cybersecurity Tech Accord partnered with The Economist Intelligence Unit (EIU) on a new study: Securing a shifting landscape: Corporate perceptions of nation-state cyber-threats.” The survey was conducted between November and December 2020 and targeted over 500 director-level or above executives from businesses in Asia-Pacific, Europe, and the United States. The respondents were all familiar with their organization’s cybersecurity strategy and represented a wide range of industries, led by IT and technology, retail and consumer goods. 

As the study reveals, private sector leaders and security experts across different industries around the world are concerned about falling victim to a state-sponsored cyberattack. The results are sobering and highlight the need for a fundamental shift in security planning and an increased urgency for effective policy solutions at the national and international levels. Over 80 percent of executives confirmed they are more concerned about their organization falling victim to state-led or -sponsored cyberattacks than five years ago and that COVID-19 has heightened that risk further. In addition, respondents expect that, in five years, state actors will present the gravest cyber threat to their industry after organized crime groups. This would be a dangerous development, given that states have significant resources and advanced tools and technologies, which can be repurposed later by other bad actors.

Mark Montgomery, executive director of the Cyberspace Solarium Commission and one of the experts interviewed as part of the study said, “The risk is growing significantly because adversaries’ access to tools and interconnectivity of our systems are going up exponentially. The only risk mitigator is our investment in cybersecurity defense, and that’s generally linear.”

State-led and -sponsored cyberattacks are becoming a problem too important to ignore, and greater cooperation is the biggest challenge. While company investments in cybersecurity defenses are fundamental, the survey reveals an increasing number of organizations see government action, nationally and internationally, as crucial to this objective. 6-in-10 executives say that their country only offers a medium or low level of protection and that stronger international economic and political cooperation is essential to address these challenges and to cultivate a more secure and stable online environment. Such findings align with the Cybersecurity Tech Accord’s call for greater action by governments in this area.

Since its inception, the Cybersecurity Tech Accord has invited governments to protect the online environment and refrain from using the internet as a domain of conflict, directly or through third parties. As an industry voice and staunch advocate for responsible behavior in cyberspace, we have consistently called on governments to do more to turn the tide on escalating state threats online, uphold international law, and implement cybersecurity norms. We have been following closely the ongoing discussions on responsible state behavior in cyberspace held at the United Nations and have regularly contributed our thinking to the UN Open-Ended Working Group on International ICT security. 

Further, we have advocated for broader inclusion and involvement of the multi-stakeholder community to ensure that the perspectives of industry and civil society organizations are considered in discussions. More than anything else, solutions will require cooperation across stakeholder groups to help set and enforce meaningful expectations. We must ask companies to think more expansively about their roles and governments to think more inclusively about theirs. As more companies become aware of the threat posed by state actors in cyberspace, we expect this multi-stakeholder community to grow and its demand for a safer cyberspace to become more pressing. The growing community of signatories to the Paris Call for Trust and Security in Cyberspace, a set of nine principles to protect the internet, demonstrates the increasing support for this cause. 

We hope that these survey results will be the start of a larger, global conversation around this important topic. For a summary of key takeaways from the report, see the infographic, and for full details, read the paper.