Early cybersecurity narratives emphasized threats to critical infrastructure and established cyberspace as an environment advantaging weaker actors against the strong. That vision of cyber conflict remained mostly hypothetical. Instead, the last decade saw the proliferation of targeted digital attacks from nation-state actors towards civil society institutions and individuals. Independent research centers have documented those attacks for a long time. However, commercial threat reports still focus primarily on cybercrime, economic espionage and the sabotage of critical infrastructure.
Maschmeyer, Deibert and Lindsay analyzed a dataset of 700 public reports from 2009–2018 (629 by threat intelligence firms and 71 by independent research centers) to assess the presence of potential biases in commercial threat reporting. They examined the reports according to three key selection criteria, identified from existing research and an interview with a prominent commercial firm researcher. The authors anticipated that commercial reporting would favor threats 1) exhibiting some unique characteristic, 2) targeting a high-profile victim, and 3) attributed to a high-profile threat actor. They accordingly examined whether these reports focused on civil society or commercial interests, how they were distributed geographically, and to whom they attributed threats. The authors also analyzed three cases from the larger sample in depth.
Only 82 out of the 629 commercial reports (13%) discuss a targeted threat to civil society. Africa and South America have not been covered in commercial reports apart from three reported operations in Egypt, in contrast to the numerous threats observed by independent researchers. Commercial reporting attributes the vast majority (88%) of targeted threats to civil society to China, Russia and Iran, which are key strategic competitors to the United States. Conversely, independent reports show that the total number of operations by “other” states is actually greater than the number attributed to the “big three”.
All three case studies confirmed the expectations of the researchers based on the three identified selection biases. Despite early reports explicitly highlighting the scope of Russian hacker group APT28’s repeated attacks against journalists and dissidents, most reports on APT28 (74%) entirely omit threats to civil society. One operation against members of the Tibetan activist community in China, reported by Citizen Lab in 2018, was never mentioned in commercial reports. Commercial reports covering another campaign against the Tibetan community, involving more sophisticated attacks and a higher-profile threat actor, do not mention the targeting of civil society either.
Commercial reporting is primarily a marketing instrument to increase revenue from custom protection services, directed at the potential clients most likely to buy them: governments, military organizations and Fortune-500 firms. Since these reports constitute the largest (and often only) source of data on cyber operations, they create a distorted picture of cyber conflict for researchers and policymakers, while leaving out vulnerable civil society actors. The widespread surprise at Russia’s meddling in the 2016 U.S. election attests to this fundamental lack of awareness of the vulnerability of democratic institutions and civil society to cyber threats. This study points to the need for foundations and funders that are often the principal supporters of civil society to take notice of these targeted threats. Government-driven solutions cannot be recommended, as in many countries state security agencies are important threats to civil society.
Cybersecurity firms underrepresent threats against civil society in their reports, which distorts academic debate as well as public policy.