Of course, we play this game as well.
It's pretty well accepted that the U.S. was behind the Stuxnet attacks that took out the nuclear reactors in Iran and delayed their ability to produce weapons significantly, said Williams.
3. They're operating on a longer timescale
Criminals and vandals are after quick payoffs.
"When you steal someone's credit card, the time period that that's a valuable asset is very short," said Carl Wright, general manager at San Mateo, CA-based security firm TrapX. "At some point, the credit card company cancels that credit card and the consumer is issued a new card."
A foreign government, by comparison, could have unlimited patience.
"They might get in and sit there for a while and not try to do a whole lot until they feel the time is right," said Ben Johnson, chief security strategist at Waltham, Massachusetts-based Bit9, Inc.
In fact, he said, they might actually patch vulnerabilities they find in order to keep anyone else from getting in and setting off alerts.
"If they think they tripped up a defense, they might lay low for a little bit," he said. "Or, on the flip side of that, if they think they're about to be kicked out because the company is killing off the user accounts, they might grab data as fast as possible."
4. They might never be discovered
According to this year's Verizon breach report, 84 percent of the reported attack discoveries were made by third parties.
This is particularly the case of credit card data, said D.J. Vogel, a partner in the security and compliance practice at Naperville, Ill.-based professional services firm Sikich LLP.
When payment data is stolen, there are numerous third-parties involved that might sound the alert, he explained. The individual consumer, for example, who finds unusual charges on her bill. The payments processors and credit card companies who monitor transactions for unusual patterns. Law enforcement agencies eavesdropping on illegal credit card number auctions.
But when it comes to the theft of trade secrets, it could be years before the victim finds out -- if they find out at all, he said.
"The industry as a whole is less likely to identify state-sponsored attacks, he said. "It's much easier to fly under the radar, and not be undetected."
And even if a company discovers that it's been attacked and data was stolen, that's still not the whole story.
"The million-dollar question becomes what the heck they're doing with it?" asked Dodi Glenn, senior director of security intelligence and research labs at Clearwater, FL-based ThreatTrack Security, Inc. "Are they trying to design another apple iPhone and sell it cheaper? Or are they trying to tap into an iPhone with some vulnerability that they'll never disclose? They don't make it known what they do with the data. We can only infer what they're targeting."
Sign up for CIO Asia eNewsletters.