Dakota Cary is a full-time China cybersecurity researcher and consultant at the cybersecurity company SentinelOne. He also serves as an adjunct professor in Georgetown University’s Master’s Degree in Security Studies program, where he teaches Chinese Economic Espionage and Grand Strategy. Cary supports the Atlantic Council’s Global China Hub as a non-resident fellow and has testified to the U.S.-China Economic and Security Review Commission on Chinese cyber capabilities. He is a scheduled speaker on a panel about state-sponsored hacking that will be moderated by The Innovator’s Editor-in-Chief during the VivaTechnology conference in Paris on June 19. He agreed to speak to The Innovator on the same topic in the run-up to the conference.
Q: Please describe how states hire and utilize hackers for strategic goals, citing specific examples
DC: States use hackers to shape the international environment that their country must navigate. Some hackers collect information to give their leaders an advantage in decision-making. Any number of reported breaches fit this bill. China’s greatest hits, like the hack of the Office of Personnel Management, fall into this bucket. Other hackers are tasked to shape the environment in the event of armed conflict. Volt Typhoon’s intrusions into U.S. and allied critical infrastructure are a great example of this type of behavior. Many states hire hackers as they do any other intelligence role in the bureaucracy. These are professionals that have technical skills and can pass background investigations. Other countries may use relationships with organized crime to achieve their goals, either remitting payment to, or stopping the punishment of, other criminal activity in return for actions on the state’s behalf.
Q: You have talked, in the past, about how this includes the recruitment of college students. How does that work?
DC: Most countries hire career professionals to undertake their cyber operations. China’s entrepreneurial intelligence service, the Ministry of State Security, has been observed hiring students into hacking campaigns. In the case of APT40, the Financial Times reported that one MSS front company hired students to translate stolen documents as part of their intelligence ingestion process. Another source, Intrusion Truth, found that an intelligence officer had established a front company on a university campus and was paying students for software vulnerability research, with the intent of rolling those vulnerabilities into their operations.
Q: How should nation-states under attack respond?
DC: There are plenty of non-democratic governments that rely on criminal or private sector hackers, and they don’t really care that those hackers are also engaging in profiteering. For example, China’s contract hackers have a long history of conducting ransomware attacks or ransoming gaming companies, engaging in either extortion or platform manipulation in order to get money out of the systems or launder their own money, and Russia obviously relies heavily on criminal enterprise for some of its attacks. I think that it would be wrong for democratic governments to authorize criminals to go out and do hacking on their behalf. I think it’s fine if democratic governments want to deputize or authorize private firms in an offensive fashion to go do certain things for them, and only those things, and for those companies to be held liable for violating the law if they do otherwise, but I don’t think we should form relationships with criminals in order to pursue our objectives.
Q: Is AI making it harder to fight back?
DC: Too early to tell, not enough data yet. If it does, I imagine we will quickly see a spike in successful cyberattacks that impact businesses.
Q: How do you think Mythos will change the cybersecurity landscape?
DC: The good news on the cybersecurity side is that, at the moment, Anthropic has limited access to Mythos to companies and researchers that they have vetted as very unlikely to be using the research for offensive purposes. Mythos has uncovered a number of vulnerabilities, I think the most in any three-month period ever recorded. In fact, I think that during the February to April period more vulnerabilities were found than in any annual aggregate ever reported, so it’s a tremendously fast rate of discovery. The good news is that right now, the hackers that would do the attacking with those vulnerabilities don’t have access to Mythos. The problem is that Mythos indicates the direction of travel for all LLMs. This is a capability that will diffuse to open source language models and other AI systems within the next 18 months, probably, and that’s simply because of the lag time between a frontier model like Mythos and what open source developers or open source models can get their hands on in terms of compute, resources, data, etc. So, what Mythos could do today, others will be able to do within a year to a year and a half. And access to those models will not be as constrained as access to Mythos currently is. That’s when problems are really going to hit.
Q: We know nation-states are targeting countries for geopolitical reasons. Are multinational firms also increasingly being targeted for geopolitical objectives?
DC: Multinational firms are increasingly finding themselves in the bullseye for targeting by state-backed hackers. On the one hand, corporate operations are more globalized than at any point previously, and their spread of operations necessarily means more states are interested in their activities. At the same time, companies are often in control of, and researching, cutting-edge technology and its deployment. Many countries are interested in acquiring those technologies.
Q: How do you advise companies to protect themselves?
DC: The best things that they can do are to pressure test and review their vulnerability patching management systems and then try to identify systems that allow for continuous service provision. They should be trying to come up with patch management systems that allow for continuous uptime, but also rapid patching, and that’s really difficult. Companies are probably going to need 20% to 40% additional infrastructure, so that they can try to load balance what their customers need and what they can patch simultaneously. In addition to that, they will need to have a comprehensive asset inventory up to and including the software versions on all their devices and of all their SaaS apps, because identifying the location of a particular piece of hardware or software is going to be critical in that patch management process. They absolutely need to do that in order to make this work, and those are two big projects. The first one is going to take additional money to create infrastructure so that they can try to shift the workloads as they patch simultaneously, and the second is going to take a lot of human hours to go out and catalog in an accurate and methodical way the hardware and software that is in their environment.
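The two projects described in this answer, a version-level asset inventory and a patch process that keeps services up, can be tied together in a small planning script. The following is an added example and not code from the interview, The Innovator, or SentinelOne; the hostnames, pool names, products, version numbers and "fixed in" table are all constructed sample data, and the 60% minimum-online threshold is an assumed policy value. It reconciles the inventory against fixed versions, schedules patch waves so that no pool drops below the threshold, and, for pools that have no headroom at all, reports how many extra hosts would be needed, which is the "additional infrastructure" cost the answer refers to.

```python
"""Added example (not from the interview): reconcile a software asset inventory
against known fixed versions and plan rolling patch waves that keep a minimum
share of each load-balanced pool online. All data below is constructed."""
import math
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    pool: str      # load-balanced service pool the host belongs to
    product: str
    version: str


# Constructed inventory: hosts, pools, products and versions are made up.
INVENTORY = [
    Asset("web-01", "web", "nginx", "1.24.0"),
    Asset("web-02", "web", "nginx", "1.26.1"),
    Asset("web-03", "web", "nginx", "1.22.1"),
    Asset("web-04", "web", "nginx", "1.24.0"),
    Asset("web-05", "web", "nginx", "1.24.0"),
    Asset("api-01", "api", "openssl", "3.0.13"),
    Asset("api-02", "api", "openssl", "3.0.14"),
    Asset("api-03", "api", "openssl", "3.0.12"),
    Asset("db-01", "db", "postgres", "16.2"),
    Asset("db-02", "db", "postgres", "16.3"),
]

# Constructed "fixed in" table: product -> first version carrying the fix.
FIXED_IN = {"nginx": "1.26.1", "openssl": "3.0.14", "postgres": "16.3"}


def parse_version(text: str) -> tuple:
    """Turn '1.24.0' or '3.0.14-1' into a tuple of ints that compares correctly."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def vulnerable_assets(inventory, fixed_in):
    """Hosts whose installed version is older than the fixed version."""
    return [
        a for a in inventory
        if a.product in fixed_in
        and parse_version(a.version) < parse_version(fixed_in[a.product])
    ]


def pool_sizes(inventory) -> dict:
    """Total hosts per pool, patched or not; this is the serving capacity."""
    return dict(Counter(a.pool for a in inventory))


def max_concurrent_offline(pool_size: int, min_online: float) -> int:
    """Largest k such that (pool_size - k) / pool_size >= min_online."""
    k = 0
    while (pool_size - (k + 1)) / pool_size >= min_online:
        k += 1
    return k


def extra_hosts_needed(pool_size: int, min_online: float) -> int:
    """Hosts to add so one host can be taken down while min_online of the
    enlarged pool still serves; 0 if the pool already has that headroom."""
    needed = math.ceil(1 / (1 - min_online))
    return max(0, needed - pool_size)


def plan_patch_waves(to_patch, sizes, min_online=0.6):
    """Round-robin vulnerable hosts into waves; each wave takes at most
    max_concurrent_offline hosts from any pool. Pools with no headroom are
    returned separately with the number of extra hosts they would need."""
    pending = {}
    for a in to_patch:
        pending.setdefault(a.pool, []).append(a.host)
    limits, blocked = {}, {}
    for pool in pending:
        k = max_concurrent_offline(sizes[pool], min_online)
        if k == 0:
            blocked[pool] = extra_hosts_needed(sizes[pool], min_online)
        else:
            limits[pool] = k
    waves = []
    while any(pending[p] for p in limits):
        wave = []
        for pool, k in limits.items():
            wave.extend(pending[pool][:k])
            del pending[pool][:k]
        waves.append(wave)
    return waves, blocked


if __name__ == "__main__":
    vulnerable = vulnerable_assets(INVENTORY, FIXED_IN)
    waves, blocked = plan_patch_waves(vulnerable, pool_sizes(INVENTORY))
    for i, wave in enumerate(waves, 1):
        print(f"wave {i}: {', '.join(wave)}")
    for pool, extra in blocked.items():
        print(f"pool {pool!r}: no headroom; add {extra} host(s) before patching")
```

With the sample data, the web and api pools can be patched in two waves, while the two-host db pool cannot lose a host without falling below 60% capacity and needs one more host first. The same functions work on any inventory and threshold; raising `min_online` toward the 70-80% range shows why the answer expects 20% to 40% of extra infrastructure.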
