Executive Perspective: Cybercrime vs. Cyberterrorism

As cybercrime increases around the world, it is also evolving. Motivations for threats are changing, crossing in some extreme cases from cybercrime to cyberterrorism. These attacks pose an even greater potential risk to organizations and can cause critical damage or even put people’s lives at risk, as they target hospitals, utilities, law enforcement and other essential functions. 

Dr. Adrian Mayers, VP and CISO at Premera Blue Cross and a member of the NightDragon Advisor Council, is passionate about this topic and helping organizations empower themselves to defend against this new wave of threats. NightDragon recently sat down with him to discuss this evolving threat dynamic from his point of view, as well as discuss what CISOs can do about it.

Here’s an excerpt from our conversation: 

What is the difference between cybercrime and cyberterrorism? Why is that distinction importantin today’s threat landscape

When I think of these two definitions, cybercrime is the idea of cyber criminals leveraging illegal activity conducted through the internet or digital means to exploit networks, systems or data, often for personal or financial gain. Cyberterrorism differs because it refers to using cyberattacks to create large-scale disruption, fear or harm for political, ideological or religious reasons. You often see it used to destabilize governments, including influencing a political agenda or disrupting critical infrastructure. While the motivations behind the attacks may differ, the two categories are convergent in the tactics, techniques and procedures and in how attackers leverage the cyber domain to effectuate their desired results or outcomes. 

We are increasingly seeing cyberterrorism take place worldwide, with geopolitical crises leveraging the cyber domain for political or ideological purposes. Those of us in critical sectors, like healthcare, are caught in the middle.

What’s the impact of cyberterrorism on a company

We’ve seen devastating and heartbreaking examples of cyberterrorism in action. One example that really gets to me is when ransomware affects hospitals, especially children’s hospitals, and threatens the care of patients who need it. But we’re also seeing the impacts on other areas. Small businesses, for example, have been hit and gone out of business entirely. Police and entire cities are being shut down. It’s tough to see.  

One of the biggest challenges here is the imbalance between actors at play. In traditional warfare, if another country attacks a nation, you have a defense apparatus and can typically drive clear attribution. In cyberterrorism, private sector organizations are often on the front lines of these cyberattacks, disinformation, or influence operations, which can be driven by national agendas or even threaten national security. That can lead to a mismatch in defense capabilities in terms of the scale of actors at play. 

As we start to think about cybercrime evolving into cyberterrorism, how are you thinking about the impact of AI

On one hand, AI is enabling attacks to be more sophisticated and advanced through automation and other techniques. That’s not necessarily something new, but it is undoubtedly occurring more in our world of AI. However, it’s also helping us significantly as defenders. We’re seeing a lot more collaboration and intelligence in the industry, which I think is really helping move the needle. New AI tools are also available to allow us to work faster, smarter, and more efficiently with our talent across nearly every facet of the cybersecurity stack. The result is a bit of an AI arms race, but I’m hopeful we, as defenders, can win. 

How do you see legal or compliance teams thinking about the definition of cybercrime or cyberterrorism? Does that influence how they approach cyber insurance policies? 

Cyber coverage continues to evolve – perhaps not as quickly as the threats in the wild, but it is still becoming increasingly part of the conversation. We’re seeing public and private sectors working to better understand these dynamics to underwrite risk and understand coverage needs. In some cases, we’re starting to see insurance brokers looking to get a more in-depth and holistic picture of the company’s profile, including technical capabilities, vertical risk, how you are running your business, and more, as tools to underwrite effectively. While that may feel intrusive in some respects, it also helps positively impact companies concerning their security posture and data sharing to make them safer. 

How can an organization defend itself against cybercrime and rising cyberterrorism instances? 

An ounce of prevention is worth a pound of cure. Many companies wait until an attack has already happened and they’re in the midst of incident response to get serious about cybersecurity. My best advice is to not wait until after the fact. 

As we learn more about who these people and bad actors are perpetuating these crimes, we also need to begin to apply pressure to shape and change behavior – just as we would with terrorists or crime gangs in the physical world. We can also consider if we need additional measures, such as repercussions for nations harboring these cyber terrorists. We can do that by engaging public and private (FBI, intelligence communities, DHS, etc.) together in a true partnership around this topic going forward. That’s evolving, but we’re starting to see some progress. 

Business is not going to be able to sustain this threat long term. We have to start asking some different questions and taking different tactics to get different answers. This is a whole of nation effort now. The stakes are higher than ever – our way of living, our children, our families, friends, and organizations are all at stake. It is going to take all of us leaning in in the private sector and collaborating with the public sector and with individuals to combat this. We have to continue to coalesce and galvanize those efforts.