Could You Be A Foreign Government's Next Target?

Why you, too, are vulnerable to an attack — and what you can do about it.
Blog Post
Feb. 27, 2017

When most people think of the cyber threat posed by foreign governments, it seems distant and impersonal. You might picture a foreign government trying to hack into a US government computer for espionage, for instance. But you’re probably not thinking that a foreign government could be interested in your personal Gmail account.

Think again. Individuals like you and me are becoming a more appealing target. That’s because foreign governments can now target individuals at scale, and without as much risk of blowback as they could face from targeting government computers or critical infrastructure. Thanks to recent technological advances, adversaries can now identify new targets in large tranches of personally identifiable information (PII), use refined data analytic capabilities to prioritize whom to pursue, and quickly develop customized cyber operations to harass or coerce individuals to do their bidding.

The big questions are: Why would a foreign government want your data in the first place? And how would it target you?

The short answer: they may not care about you, but rather about the networks and organizations of which you are a part. Imagine that a Chinese company wants to do a deal with the company you work for, and the Chinese government wants that deal to succeed. The Chinese government could cull through millions of data records that it had purchased, discovered online, or stolen to find the names of persons working for your company. With the right data, Beijing could use data analytics to prioritize which targets to pursue, perhaps based on probable position within the company, and send a malicious link to those targets’ personal email addresses.

Victims that click on the link would unknowingly download ransomware that locks their devices, rendering them useless and all the data on the devices impossible to access. Criminals have used ransomware to get money from victims, even going so far as pretending to be the FBI locking computers due to “illegal copyright infringement” and demanding a fine. In this hypothetical scenario, the Chinese government could masquerade as a US federal agency investigating the upcoming deal with the Chinese company. Beijing could allegedly lock the victim’s personal computer until the victims provide sensitive company information pertaining to deal negotiations and “exonerate” themselves. If the message appeared legitimate–displaying substantial knowledge about the deal, for example–employees may unwittingly commit corporate espionage and not tell anyone about the ransomware for fear of interfering in an investigation.

There’s another way we could imagine foreign governments targeting individuals with nefarious intentions and potentially huge national security implications: The Naval Criminal Investigative Service (NCIS) reports that increasing numbers of U.S. military members are falling victim to sex extortion online, where a criminal pretends to be an attractive individual, entices an unwitting victim into an online sexual interaction, records the interaction and images, and then blackmails the victim for money. What if an adversarial government took that same tactic and specifically targeted military personnel, sending provocative messages to a large list of leaked military email addresses? Maybe only a few military members fall for the email, and only one or two go far enough to be in a compromising position for leverage, but a couple of victims as a result of a minimal amount of work would be a huge success for the adversary. Instead of demanding money as the criminals do, the foreign government could try to blackmail the service members to conduct espionage.

Unfortunately, as adversarial governments start to focus more on targeting individuals, they would be exploiting a gap in most countries’ cyber policies. Many countries have a plan in place for how to respond when other governments attempt to disrupt or damage networks or critical infrastructure. But very few have thought through what to do when other governments target individual citizens. This policy gap makes individuals an even more appealing and less risky target for adversarial foreign governments.

The Democratic National Committee (DNC) hack illustrates the difficulty the U.S. Government had in responding to a probable nation-state stealing and releasing a large number of emails. In reference to the DNC hack, the former DNI National Intelligence Officer for cyber, Sean Kanuck, told the Washington Post, “The ‘doxing’ [publishing private information online] of a private entity is not a national security event.” Retaliation for cyber attacks on individuals would be even more ambiguous. What’s more, governments lack bandwidth to defend each individual — many of whom may not want to report the coercion attempts.

All of this might sound bleak, but you’re not helpless in the face of these threats. The best way for you to defend yourself is to report any attempted coercion, regardless of what leverage the cyber actor claims to have over you. That’s because reporting these infringements undermines that leverage and can also warn others of the potential for a larger campaign targeting your network or organization. Chances are you’re not the only victim — and by sending up a flare, you can halt a much larger operation in its tracks.