Page:Worldwide Threat Assessment of the US Intelligence Community Unclassified 2016.pdf/7

 Accountability. Information security professionals will continue to make progress in attributing cyber operations and tying events to previously identified infrastructure or tools that might enable rapid attribution in some cases. However, improving offensive tradecraft, the use of proxies, and the creation of cover organizations will hinder timely, high-confidence attribution of responsibility for state-sponsored cyber operations.

Restraint. Many actors remain undeterred from conducting reconnaissance, espionage, and even attacks in cyberspace because of the relatively low costs of entry, the perceived payoff, and the lack of significant consequences. Moscow and Beijing, among others, view offensive cyber capabilities as an important geostrategic tool and will almost certainly continue developing them while simultaneously discussing normative frameworks to restrict such use. Diplomatic efforts in the past three years have created the foundation for establishing limits on cyber operations, and the norms articulated in a 2015 report of the UN Group of Governmental Experts suggest that countries are more likely to commit to limitations on what cyber operations can target than to support bans on the development of offensive capabilities or on specific means of cyber intervention. For example, in 2015, following a US-Chinese bilateral agreement, G-20 leaders agreed that that no country should conduct or sponsor cyber espionage for the purpose of commercial gain.

Leading Threat Actors
Russia. Russia is assuming a more assertive cyber posture based on its willingness to target critical infrastructure systems and conduct espionage operations even when detected and under increased public scrutiny. Russian cyber operations are likely to target US interests to support several strategic objectives: intelligence gathering to support Russian decisionmaking in the Ukraine and Syrian crises, influence operations to support military and political objectives, and continuing preparation of the cyber environment for future contingencies.

China. China continues to have success in cyber espionage against the US Government, our allies, and US companies. Beijing also selectively uses cyberattacks against targets it believes threaten Chinese domestic stability or regime legitimacy. We will monitor compliance with China’s September 2015 commitment to refrain from conducting or knowingly supporting cyber-enabled theft of intellectual property with the intent of providing competitive advantage to companies or commercial sectors. Private-sector security experts have identified limited ongoing cyber activity from China but have not verified state sponsorship or the use of exfiltrated data for commercial gain.

Iran. Iran used cyber espionage, propaganda, and attacks in 2015 to support its security priorities, influence events, and counter threats—including against US allies in the region.

North Korea. North Korea probably remains capable and willing to launch disruptive or destructive cyberattacks to support its political objectives. South Korean officials have concluded that North Korea was probably responsible for the compromise and disclosure of data from a South Korean nuclear plant.

Nonstate Actors. Terrorists continue to use the Internet to organize, recruit, spread propaganda, collect intelligence, raise funds, and coordinate operations. In a new tactic, ISIL actors targeted and released sensitive information about US military personnel in 2015 in an effort to spur “lone-wolf” attacks. Criminals develop and use sophisticated cyber tools for a variety of purposes such as theft, extortion, and