The survey targeted over 500 director-level or above executives from businesses in Asia-Pacific, Europe & the United States, familiar with their organization’s cybersecurity strategy and representing a wide range of industries, led by IT and technology, retail and consumer goods.
A majority of businesses surveyed for a study by the Economist Intelligence Unit (EIU) and the Cybersecurity Tech Accord released today, see state-led and sponsored cyber attacks as a major threat. They are concerned about catastrophic reputational and financial consequences and call for greater international political cooperation to mitigate these threats.
The survey was conducted between November and December 2020, before the pernicious cyber attack on software company SolarWinds came to light. That attack was a moment of reckoning for many organizations about the challenges posed by state-led and -sponsored cyberattacks but, as the survey reveals, many businesses have long been aware of the escalating threat.
In recent years, cyberattacks led or sponsored by states have transformed cyberspace. This escalating conflict online has been accelerated by the wide-reaching consequences of COVID-19. In fact, almost 8-in-10 respondents say the pandemic has increased the likelihood of a state-led or -sponsored cyberattack on their organization.
Results show private sector leaders expect cyber threats by state actors to increase in the years ahead and want governments to implement effective policy solutions at the national and international level. In further detail, the key study findings are:
- State-led and -sponsored cyberattacks are a source of major concern for private organizations. 80 percent of respondents are concerned about their organization falling victim to a nation-state cyberattack, with the majority saying that this concern has increased in the past five years.
- Companies expect cyber threats from nation-state actors to increase in the next five years and will be second only to that of organized crime. This would be a grave development, given that states have significant resources and advanced tools and technologies, which can later be repurposed by other attackers.
- There is a false sense of security. 68 percent of executives feel their organizations are “very” or “completely” prepared to deal with a cyberattack. Charles Carmakal, senior vice president and chief technology officer at FireEye and one of the experts interviewed by the EIU, suggested that most organizations don’t have tangible experience dealing with such threats because they are rarely the primary targets of these attacks. The recent SolarWinds hack may compel more organizations to think about how they mitigate risk.
- Increased corporate investment in cybersecurity is crucial but government action, nationally and internationally, is needed. 6-in-10 executives say that their country only offers a medium or low level of protection and that stronger international economic and political cooperation is essential to address the challenges, and to cultivate a more secure and stable online environment.
“Recent state-led and -sponsored attacks serve as a powerful reminder of an escalating problem that is too big to ignore,” said Brad Maiorino, executive vice president and chief strategy officer, FireEye. “There needs to be a fundamental shift in security planning beyond the efforts of any one organization, and this shift requires proactive and cooperative action from government and industry.”
“Although cyberattacks are a silent threat, they can have devastating and long-lasting effects on our society. Given the recent escalation of tensions in cyberspace, cooperation between governments is becoming increasingly complicated as political systems differ and technological competition rises,” said Marietje Schaake, president of the CyberPeace Institute. “This survey is an important call to action for democratic governments to step up and think more inclusively about the kind of cyber assistance they provide to protect companies in key sectors, and ultimately civilians.”
Since its inception, the Cybersecurity Tech Accord has highlighted this troubling situation, inviting governments to protect the online environment and refrain from using the internet as a domain of conflict, directly or through third parties. As an industry voice and staunch advocate for responsible behavior in cyberspace, the Cybersecurity Tech Accord has consistently called on governments to do more to defend against cyber-threats online, uphold international law, and implement international cybersecurity norms.
“As a coalition of over 150 global technology companies, we are greatly concerned by state-sponsored cyberattacks, which are becoming ever more frequent and sophisticated. Something needs to be done and soon,” said Annalaura Gallo, secretariat of Cybersecurity Tech Accord. “This survey shows that businesses see state-led and -sponsored cyberattacks as a pressing issue that demands governments act nationally and internationally. We need agreement at the United Nations and the involvement of business and civil society through multi-stakeholder forums, such as the Paris Call for Trust and Security in Cyberspace. We hope these survey results will be the start of a larger, global conversation around this important topic.”