CSEC 302: Nation-State Actors and Critical Infrastructure

This course shifts from poverty-driven cybercrime to state-sponsored cyber operations. The attackers here are not desperate individuals seeking to feed their families—they are intelligence agencies and military units seeking strategic advantage. Their targets are not individual bank accounts but critical systems: government databases, energy grids, healthcare networks, and the private sector.

A Different Kind of Adversary

While our empathetic framework still applies—we seek to understand motivations rather than simply condemn—the appropriate response to nation-state cyber operations is fundamentally different from the response to poverty-driven scams. These actors are not coerced by desperate circumstances. They are strategic, well-resourced, and persistent. The root-cause solution here is not economic development but improved diplomacy, international norms, and deterrence.

CASE STUDY: The Sony Pictures Hack (2014)

On November 24, 2014, a group calling itself the “Guardians of Peace” infiltrated Sony Pictures Entertainment’s network using destructive malware. The attackers stole employee emails, salary data, unreleased films, and personal information of over 47,000 employees and contractors, rendering thousands of computers inoperable. The FBI attributed the attack to North Korea, motivated by Sony’s planned release of The Interview, a comedy depicting the assassination of North Korean leader Kim Jong-un. The attack demonstrated that a nation-state was willing to inflict massive economic damage on a private company over what it perceived as a cultural insult. Sony’s security practices were found to be woefully inadequate: a PricewaterhouseCoopers audit conducted months before the attack had flagged weak internal security, and sensitive data was stored on unencrypted spreadsheets. The estimated cost to Sony exceeded $35 million in remediation alone. Source: FBI Press Release, December 19, 2014; Wikipedia, “2014 Sony Pictures hack.”

CASE STUDY: The OPM Breach (2015)

The Office of Personnel Management (OPM) data breach, attributed to a state-sponsored advanced persistent threat believed to be affiliated with China, compromised approximately 22.1 million records—including the detailed 127-page SF-86 security clearance forms of millions of current and former federal employees. These forms contain information about family members, foreign contacts, financial history, psychological evaluations, and other deeply personal data. The attackers operated inside OPM’s network for over a year, exfiltrating data gradually. The breach was particularly damaging for national security: the stolen data could be used to identify covert intelligence officers, blackmail government employees, or map relationships within the U.S. national security apparatus. A Congressional investigation found that OPM had been warned repeatedly about its inadequate cybersecurity—the agency’s Chief Information Officer acknowledged that Social Security numbers were not encrypted because of “insufficient capabilities of outdated systems.” Source: U.S. House Oversight and Government Reform Committee Report, September 2016; Wikipedia, “2015 Office of Personnel Management data breach.”

Healthcare, Utilities, and Critical Infrastructure

The course also examines attacks on healthcare systems (such as the WannaCry ransomware attack that disrupted the UK’s National Health Service in 2017, attributed to North Korea’s Lazarus Group), energy infrastructure (the Colonial Pipeline ransomware attack of 2021, and the 2015 Ukraine power grid attack attributed to Russian state actors), and other critical infrastructure. Learners analyze how the interconnection of digital systems creates cascading vulnerabilities—and how the consequences of a cyberattack on a hospital or a power grid are measured not in dollars but in lives.

Diplomacy as Defense

The course concludes with an examination of international efforts to establish norms for state behavior in cyberspace, including the Tallinn Manual on the International Law Applicable to Cyber Operations and the UN Group of Governmental Experts reports. Learners engage with the argument that while technical defenses are necessary, the long-term solution to nation-state cyber threats is diplomatic: building international agreements, establishing credible deterrence, and creating mechanisms for attribution and accountability.