Cyber threats to US national and economic security are increasing in frequency, scale, sophistication, and severity of impact. The ranges of cyber threat actors, methods of attack, targeted systems, and victims are also expanding. Overall, the unclassified information and communication technology (ICT) networks that support US Government, military, commercial, and social activities remain vulnerable to espionage and/or disruption. However, the likelihood of a catastrophic attack from any particular actor is remote at this time. Rather than a “Cyber Armageddon” scenario that debilitates the entire US infrastructure, we envision something different. We foresee an ongoing series of low-to-moderate level cyber attacks from a variety of sources over time, which will impose cumulative costs on US economic competitiveness and national security.
A growing number of computer forensic studies by industry experts strongly suggest that several nations—including Iran and North Korea—have undertaken offensive cyber operations against private sector targets to support their economic and foreign policy objectives, at times concurrent with political crises.
Risk. Despite ever-improving network defenses, the diverse possibilities for remote hacking intrusions, supply chain operations to insert compromised hardware or software, and malevolent activities by human insiders will hold nearly all ICT systems at risk for years to come. In short, the cyber threat cannot be eliminated; rather, cyber risk must be managed. Moreover, the risk calculus employed by some private sector entities does not adequately account for foreign cyber threats or the systemic interdependencies between different critical infrastructure sectors.
Costs. During 2014, we saw an increase in the scale and scope of reporting on malevolent cyber activity that can be measured by the amount of corporate data stolen or deleted, personally identifiable information (PII) compromised, or remediation costs incurred by US victims. For example:
- After the 2012-13 distributed denial of service (DDoS) attacks on the US financial sector, JPMorgan Chase (JPMorgan) announced plans for annual cyber security expenditures of $250 million by the end of 2014. After the company suffered a hacking intrusion in 2014, JPMorgan’s CEO said he would probably double JPMorgan’s annual computer security budget within the next five years.
- The 2014 data breach at Home Depot exposed information from 56 million credit/debit cards and 53 million customer email addresses. Home Depot estimated the cost of the breach to be $62 million.
- In 2014, unauthorized computer intrusions were detected on the networks of the Office of Personnel Management (OPM) as well as its contractors, US Investigations Services (USIS) and KeyPoint Government Solutions. The two contractors were involved in processing sensitive PII related to national security clearances for Federal Government employees.
- In August 2014, the US company Community Health Systems informed the Securities and Exchange Commission that it believed hackers “originating from China” had stolen PII on 4.5 million individuals.
Attribution. Although cyber operators can infiltrate or disrupt targeted ICT networks, most can no longer assume that their activities will remain undetected. Nor can they assume that if detected, they will be able to conceal their identities. Governmental and private sector security professionals have made significant advances in detecting and attributing cyber intrusions.
- In May 2014, the US Department of Justice indicted five officers from China’s People’s Liberation Army on charges of hacking US companies.
- In December 2014, computer security experts reported that members of an Iranian organization were responsible for computer operations targeting US military, transportation, public utility, and other critical infrastructure networks.
Deterrence. Numerous actors remain undeterred from conducting economic cyber espionage or perpetrating cyber attacks. The absence of universally accepted and enforceable norms of behavior in cyberspace has contributed to this situation. The motivation to conduct cyber attacks and cyber espionage will probably remain strong because of the relative ease of these operations and the gains they bring to the perpetrators. The result is a cyber environment in which multiple actors continue to test their adversaries’ technical capabilities, political resolve, and thresholds. The muted response by most victims to cyber attacks has created a permissive environment in which low-level attacks can be used as a coercive tool short of war, with relatively low risk of retaliation. Additionally, even when a cyber attack can be attributed to a specific actor, the forensic attribution often requires a significant amount of time to complete. Long delays between the cyber attack and determination of attribution likewise reinforce a permissive environment.
Politically motivated cyber attacks are now a growing reality, and foreign actors are reconnoitering and developing access to US critical infrastructure systems, which might be quickly exploited for disruption if an adversary’s intent became hostile. In addition, those conducting cyber espionage are targeting US government, military, and commercial networks on a daily basis. These threats come from a range of actors, including: (1) nation-states with highly sophisticated cyber programs (such as Russia or China), (2) nations with lesser technical capabilities but possibly more disruptive intent (such as Iran or North Korea), (3) profit-motivated criminals, and (4) ideologically motivated hackers or extremists. Distinguishing between state and non-state actors within the same country is often difficult, especially when those varied actors actively collaborate, tacitly cooperate, condone criminal activity that only harms foreign victims, or use similar cyber tools.
Russia. Russia’s Ministry of Defense is establishing its own cyber command, which—according to senior Russian military officials—will be responsible for conducting offensive cyber activities, including propaganda operations and inserting malware into enemy command and control systems. Russia’s armed forces are also establishing a specialized branch for computer network operations.
Computer security studies assert that unspecified Russian cyber actors are developing means to access industrial control systems (ICS) remotely. These systems manage critical infrastructures such as electric power grids, urban mass-transit systems, air-traffic control, and oil and gas distribution networks. These unspecified Russian actors have successfully compromised the product supply chains of three ICS vendors so that customers download exploitative malware directly from the vendors’ websites along with routine software updates, according to private sector cyber security experts.
China. Chinese economic espionage against US companies remains a significant issue. The “advanced persistent threat” activities continue despite detailed private sector reports, public indictments, and US demarches, according to a computer security study. China is an advanced cyber actor; however, Chinese hackers often use less sophisticated cyber tools to access targets. Improved cyber defenses would require hackers to use more sophisticated skills and make China’s economic espionage more costly and difficult to conduct.
Iran. Iran very likely values its cyber program as one of many tools for carrying out asymmetric but proportional retaliation against political foes, as well as a sophisticated means of collecting intelligence. Iranian actors have been implicated in the 2012-13 DDoS attacks against US financial institutions and in the February 2014 cyber attack on the Las Vegas Sands casino company.
North Korea. North Korea is another state actor that uses its cyber capabilities for political objectives. The North Korean Government was responsible for the November 2014 cyber attack on Sony Pictures Entertainment (SPE), which stole corporate information and introduced hard drive erasing malware into the company’s network infrastructure, according to the FBI. The attack coincided with the planned release of a SPE feature film satire that depicted the planned assassination of the North Korean president.
Terrorists. Terrorist groups will continue to experiment with hacking, which could serve as the foundation for developing more advanced capabilities. Terrorist sympathizers will probably conduct low-level cyber attacks on behalf of terrorist groups and attract attention of the media, which might exaggerate the capabilities and threat posed by these actors.
Integrity of Information
Most of the public discussion regarding cyber threats has focused on the confidentiality and availability of information; cyber espionage undermines confidentiality, whereas denial-of-service operations and data-deletion attacks undermine availability. In the future, however, we might also see more cyber operations that will change or manipulate electronic information in order to compromise its integrity (i.e., accuracy and reliability) instead of deleting it or disrupting access to it. Decisionmaking by senior government officials (civilian and military), corporate executives, investors, or others will be impaired if they cannot trust the information they are receiving.
Successful cyber operations targeting the integrity of information would need to overcome any institutionalized checks and balances designed to prevent the manipulation of data, for example, market monitoring and clearing functions in the financial sector.
COUNTERINTELLIGENCE
We assess that the leading state intelligence threats to US interests in 2015 will continue to be Russia and China, based on their capabilities, intent, and broad operational scopes. Other states in South Asia, the Near East, and East Asia will pose increasingly sophisticated local and regional intelligence threats to US interests. For example, Iran’s intelligence and security services continue to view the United States as a primary threat and have stated publicly that they monitor and counter US activities in the region.
Penetrating the US national decisionmaking apparatus and Intelligence Community will remain primary objectives for foreign intelligence entities. Additionally, the targeting of national security information and proprietary information from US companies and research institutions dealing with defense, energy, finance, dual-use technology, and other areas will be a persistent threat to US interests.
Non-state entities, including transnational organized criminals and terrorists, will continue to employ human, technical, and cyber intelligence capabilities that present a significant counterintelligence challenge. Like state intelligence services, these non-state entities recruit sources and perform physical and technical surveillance to facilitate their illegal activities and avoid detection and capture.
The internationalization of critical US supply chains and service infrastructure, including for the ICT, civil infrastructure, and national security sectors, increases the potential for subversion. This threat includes individuals, small groups of “hacktivists,” commercial firms, and state intelligence services.
Trusted insiders who disclose sensitive US Government information without authorization will remain a significant threat in 2015. The technical sophistication and availability of information technology that can be used for nefarious purposes exacerbates this threat.
TERRORISM
Sunni violent extremists are gaining momentum and the number of Sunni violent extremist groups, members, and safe havens is greater than at any other point in history. These groups challenge local and regional governance and threaten US allies, partners, and interests. The threat to key US allies and partners will probably increase, but the extent of the increase will depend on the level of success that Sunni violent extremists achieve in seizing and holding territory, whether or not attacks on local regimes and calls for retaliation against the West are accepted by their key audiences, and the durability of the US-led coalition in Iraq and Syria.
Sunni violent extremists have taken advantage of fragile or unstable Muslim-majority countries to make territorial advances, seen in Syria and Iraq, and will probably continue to do so. They also contribute to regime instability and internal conflict by engaging in high levels of violence. Most will be unable to seize and hold territory on a large scale, however, as long as local, regional, and international support and resources are available and dedicated to halting their progress. The increase in the number of Sunni violent extremist groups also will probably be balanced by a lack of cohesion and authoritative leadership. Although the January 2015 attacks against Charlie Hebdo in Paris are a reminder of the threat to the West, most groups place a higher priority on local concerns than on attacking the so-called far enemy, the United States and the West, as advocated by core al-Qa‘ida.
Differences in ideology and tactics will foster competition among some of these groups, particularly if a unifying figure or group does not emerge. In some cases, groups—even if hostile to each other— will ally against common enemies. For example, some Sunni violent extremists will probably gain support from like-minded insurgent or anti-regime groups or within disaffected or disenfranchised communities because they share the goal of radical regime change.
Although most homegrown violent extremists (HVEs) will probably continue to aspire to travel overseas, particularly to Syria and Iraq, they will probably remain the most likely Sunni violent extremist threat to the US homeland because of their immediate and direct access. Some might have been inspired by calls by the Islamic State of Iraq and the Levant (ISIL) in late September for individual jihadists in the West to retaliate for US-led airstrikes on ISIL. Attacks by lone actors are among the most difficult to warn about because they offer few or no signatures.
If ISIL were to substantially increase the priority it places on attacking the West rather than fighting to maintain and expand territorial control, then the group’s access to radicalized Westerners who have fought in Syria and Iraq would provide a pool of operatives who potentially have access to the United States and other Western countries. Since the conflict began in 2011, more than 20,000 foreign fighters—at least 3,400 of whom are Westerners—have gone to Syria from more than 90 countries.
WEAPONS OF MASS DESTRUCTION AND PROLIFERATION
Nation-states’ efforts to develop or acquire weapons of mass destruction (WMD), their delivery systems, or their underlying technologies constitute a major threat to the security of the United States, its deployed troops, and allies. Syrian regime use of chemical weapons against the opposition further demonstrates that the threat of WMD is real. The time when only a few states had access to the most dangerous technologies is past. Biological and chemical materials and technologies, almost always dual-use, move easily in the globalized economy, as do personnel with the scientific expertise to design and use them. The latest discoveries in the life sciences also diffuse rapidly around the globe.
Iran Preserving Nuclear Weapons Option
We continue to assess that Iran’s overarching strategic goals of enhancing its security, prestige, and regional influence have led it to pursue capabilities to meet its civilian goals and give it the ability to build missile-deliverable nuclear weapons, if it chooses to do so. We do not know whether Iran will eventually decide to build nuclear weapons.
We also continue to assess that Iran does not face any insurmountable technical barriers to producing a nuclear weapon, making Iran’s political will the central issue. However, Iranian implementation of the Joint Plan of Action (JPOA) has at least temporarily inhibited further progress in its uranium enrichment and plutonium production capabilities and effectively eliminated Iran’s stockpile of 20 percent enriched uranium. The agreement has also enhanced the transparency of Iran’s nuclear activities, mainly through improved International Atomic Energy Agency (IAEA) access and earlier warning of any effort to make material for nuclear weapons using its safeguarded facilities.
We judge that Tehran would choose ballistic missiles as its preferred method of delivering nuclear weapons, if it builds them. Iran’s ballistic missiles are inherently capable of delivering WMD, and Tehran already has the largest inventory of ballistic missiles in the Middle East. Iran’s progress on space launch vehicles—along with its desire to deter the United States and its allies—provides Tehran with the means and motivation to develop longer-range missiles, including intercontinental ballistic missiles (ICBMs).
North Korea Developing WMD-Applicable Capabilities
North Korea’s nuclear weapons and missile programs pose a serious threat to the United States and to the security environment in East Asia. North Korea’s export of ballistic missiles and associated materials to several countries, including Iran and Syria, and its assistance to Syria’s construction of a nuclear reactor, destroyed in 2007, illustrate its willingness to proliferate dangerous technologies.
In 2013, following North Korea’s third nuclear test, Pyongyang announced its intention to “refurbish and restart” its nuclear facilities, to include the uranium enrichment facility at Yongbyon, and to restart its graphite-moderated plutonium production reactor that was shut down in 2007. We assess that North Korea has followed through on its announcement by expanding its Yongbyon enrichment facility and restarting the reactor.
North Korea has also expanded the size and sophistication of its ballistic missile forces, ranging from close-range ballistic missiles to ICBMs, while continuing to conduct test launches. In 2014, North Korea launched an unprecedented number of ballistic missiles.
Pyongyang is committed to developing a long-range, nuclear-armed missile that is capable of posing a direct threat to the United States and has publicly displayed its KN08 road-mobile ICBM twice. We assess that North Korea has already taken initial steps toward fielding this system, although the system has not been flight-tested.
Because of deficiencies in their conventional military forces, North Korean leaders are focused on developing missile and WMD capabilities, particularly building nuclear weapons. Although North Korean state media regularly carries official statements on North Korea’s justification for building nuclear weapons and threatening to use them as a defensive or retaliatory measure, we do not know the details of Pyongyang’s nuclear doctrine or employment concepts. We have long assessed that, in Pyongyang’s view, its nuclear capabilities are intended for deterrence, international prestige, and coercive diplomacy.
China’s Expanding Nuclear Forces
The People’s Liberation Army’s (PLA’s) Second Artillery Force continues to modernize its nuclear missile force by adding more survivable road-mobile systems and enhancing its silo-based systems. This new generation of missiles is intended to ensure the viability of China’s strategic deterrent by providing a second-strike capability. In addition, the PLA Navy continues to develop the JL-2 submarine-launched ballistic missile (SLBM) and might produce additional JIN-class nuclear-powered ballistic missile submarines. The JIN-class submarines, armed with JL-2 SLBMs, will give the PLA Navy its first long-range, sea-based nuclear capability. We assess that the Navy will soon conduct its first nuclear deterrence patrols.
Russia’s New Intermediate-Range Cruise Missile
Russia has developed a new cruise missile that the United States has declared to be in violation of the Intermediate-Range Nuclear Forces (INF) Treaty. In 2013, Sergei Ivanov, a senior Russian administration official, commented in an interview how the world had changed since the time the INF Treaty was signed in 1987 and noted that Russia was “developing appropriate weapons systems” in light of the proliferation of intermediate- and shorter-range ballistic missile technologies around the world. Similarly, as far back as 2007, Ivanov publicly announced that Russia had tested a ground-launched cruise missile for its Iskander weapon system, whose range complied with the INF Treaty “for now.” The development of a cruise missile that is inconsistent with the INF Treaty, combined with these statements about the treaty, calls into question Russia’s commitment to it.
WMD Security in Syria
In June 2014, Syria’s declared chemical weapons (CW) stockpile was removed for destruction by the international community. The most hazardous chemical agents were destroyed aboard the MV CAPE RAY as of August 2014. The United States and its allies continue to work closely with the Organization for the Prohibition of Chemical Weapons (OPCW) to verify the completeness and accuracy of Syria’s Chemical Weapons Convention (CWC) declaration. We judge that Syria, despite signing the treaty, has used chemicals as a means of warfare since its accession to the CWC in 2013. Furthermore, the OPCW continues to investigate allegations of chlorine use in Syria.
SPACE AND COUNTERSPACE
Threats to US space systems and services will increase during 2015 and beyond as potential adversaries pursue disruptive and destructive counterspace capabilities. Chinese and Russian military leaders understand the unique information advantages afforded by space systems and services and are developing capabilities to deny access in a conflict. Chinese military writings highlight the need to interfere with, damage, and destroy reconnaissance, navigation, and communication satellites. China has satellite jamming capabilities and is pursuing antisatellite systems. In July 2014, China conducted a non-destructive antisatellite missile test. China conducted a previous destructive test of the system in 2007, which created long-lived space debris. Russia’s 2010 Military Doctrine emphasizes space defense as a vital component of its national defense. Russian leaders openly assert that the Russian armed forces have antisatellite weapons and conduct antisatellite research. Russia has satellite jammers and is pursuing antisatellite systems.
TRANSNATIONAL ORGANIZED CRIME
Transnational Organized Crime (TOC) is a global, persistent threat to our communities at home and our interests abroad. Savvy, profit-driven criminal networks traffic in drugs, persons, wildlife, and weapons; corrode security and governance; undermine legitimate economic activity and the rule of law; cost economies important revenue; and undercut US development efforts.
Drug trafficking will remain a major TOC threat to the United States. Mexico is the largest foreign producer of US-bound marijuana, methamphetamines, and heroin, and the conduit for the overwhelming majority of US-bound cocaine from South America. The drug trade also undermines US interests abroad, eroding stability in parts of Africa and Latin America; Afghanistan accounts for 80 percent of the world’s opium production. Weak Central American states will continue to be the primary transit area for the majority of US-bound cocaine. The Caribbean is becoming an increasingly important secondary transit area for US- and European-bound cocaine. In 2013, the world’s capacity to produce heroin reached the second highest level in nearly 20 years, increasing the likelihood that the drug will remain accessible and inexpensive in consumer markets in the United States, where heroin-related deaths have surged since 2007. New psychoactive substances (NPS), including synthetic cannabinoids and synthetic cathinones, pose an emerging and rapidly growing global public health threat. Since 2009, US law enforcement officials have encountered more than 240 synthetic compounds. Worldwide, 348 new psychoactive substances had been identified, exceeding the number of 234 illicit substances under international controls.
Criminals Profiting from Global Instability
Transnational criminal organizations will continue to exploit opportunities in ongoing conflicts to destabilize societies, economies, and governance. Regional unrest, population displacements, endemic corruption, and political turmoil will provide openings that criminals will exploit for profit and to improve their standing relative to other power brokers.
Corruption facilitates transnational organized crime and vice versa. Both phenomena exacerbate other threats to local, regional, and international security. Corruption exists at some level in all countries; however, the symbiotic relationship between government officials and TOC networks is particularly pernicious in some countries. One example is Russia, where the nexus among organized crime, state actors, and business blurs the distinction between state policy and private gain.
Human trafficking remains both a human rights concern and a challenge to international security. Trafficking in persons has become a lucrative source of revenue—estimated to produce tens of billions of dollars annually. Human traffickers leverage corrupt officials, porous borders, and lax enforcement to ply their illicit trade. This exploitation of human lives for profit continues to occur in every country in the world—undermining the rule of law and corroding legitimate institutions of government and commerce.
Illicit trade in wildlife, timber, and marine resources endangers the environment, threatens rule of law and border security in fragile regions, and destabilizes communities that depend on wildlife for biodiversity and ecotourism. Increased demand for ivory and rhino horn in Asia has triggered unprecedented increases in poaching in Africa. Criminal elements, often in collusion with corrupt government officials or security forces, are involved in poaching and movement of ivory and rhino horn across Africa. Poaching presents significant security challenges for militaries and police forces in African nations, which often are outgunned by poachers and their allies. Illegal, unreported, and unregulated fishing threatens food security and the preservation of marine resources. It often occurs concurrently with forced labor in the fishing industry.
Theft of Cultural Properties, Artifacts, and Antiquities
Although the theft and trafficking of cultural heritage and art are traditions as old as the cultures they represent, transnational organized criminals are acquiring, transporting, and selling valuable cultural property and art more swiftly, easily, and stealthily. These criminals operate on a global scale without regard for laws, borders, nationalities or the significance of the treasures they smuggle.