Discuss as:

US intelligence agencies getting better at classifying cyber-attacks

By Robert Windrem
NBC News Investigative Producer for Special Projects

When a "foreign intelligence service” hacked into  the computers of a major defense contractor in March and made off with more than 24,000 Defense Department files, the subsequent report in the New York Times understandably focused on the size of the haul.

A less-obvious but important aspect of the break-in, first reported late Thursday, is what it says about the U.S. intelligence community's increasing ability to distinguish between computer attacks by bored teenage hackers and those launched by sophisticated foreign spy agencies, according to a cyber-espionage expert.

"In general, cyber-attacks carried out by foreign intelligence services are currently easy to distinguish from the work of other groups, because of the scale of effort, the level of capabilities and the nature of the targets," Scott Borg,  director of the independent U.S. Cyber Consequences Unit, wrote Friday in an email interview. "Other groups, such as criminal enterprises and ideological militants are not, for the most part, up to mounting these sorts of attacks and wouldn't have reason to commit the necessary resources."


That was not always the case, writes Borg, whose nonprofit advises countries -- including the United States and the European Union -- and major corporations on cyber security. 

"We are now past the day when the Department of Defense could mistake an attack by three teenagers for a major effort by a foreign power, as they did with Solar Sunrise in 1998," he explained, referring to an attack on multiple Defense Department computers worldwide, later determined to have been carried out by two teenagers from California and one from Israel. 

The attack on the Pentagon contractor reported by the Times, on the other hand, required resources that "only nation-state-backed cyber attack forces currently possess," he said, while allowing that either independent hackers or organized crime groups could eventually develop such capabilities.

The ultimate value in being able to categorize cyber-attacks in a timely manner is being able to determine who carried them out and why, which would in turn help determine how to respond.

Borg's group knows about foreign intelligence services’ abilities to carry out cyber-attacks.

In 2008, he and the US-CCU tracked how the Russian military, mainly using organized crime groups, mounted a "cyber-campaign" that coincided with the Russian invasion of Georgia. The campaign first targeted Georgian media, then government sites -- including the office of the Georgian president -- business associations, educational institutions and the power grid, threatening to cause permanent damage to the country's infrastructure, the CCU reported. When the military campaign ended, so did the cyber-campaign, Borg noted.

Indeed, one of the leading suspects in the March attack is the Russian foreign intelligence service, according to U.S. officials.