Over the past two years, the increase in high-cost ransomware attacks and revelations of harmful software supply chain infections have put cybersecurity high on the government’s agenda. At the same time, American businesses and even the general public have become aware of the new array of digital dangers posed by nation-state actors and criminal organizations.
So it’s no surprise that two discussion threads that ran through this year’s Aspen Cyber Summit were the complex nature of the cybersecurity threats we currently face and how they may differ from the challenges we have faced in the past. “We have this growing complexity and growing interdependence,” said Window Snyder, CEO of Thistle Technologies. “Thus, the opportunities [for threat actors] are growing faster than we can mitigate them.”
Unlike 20 years ago, when even large IT systems were relatively self-contained and simple, system interdependencies now make managing and defending against threats much more difficult. “The central issue here is complexity and our interdependence,” Snyder said. “It’s something we’re not going to walk away from because it gives us flexibility and functionality and all those other critical functions that we need. We have a growing problem here.”
A new variable added to the digital mix is the meteoric growth of ransomware, making it look like cyber attacks are getting worse. “I think the ransomware attackers have found a perfectly successful illegitimate business model,” said Jonathan Welburn, researcher at Rand Corporation. “Whenever there is a full-scale attack, we see that [victims] issue a payment, and that fixes the problem. It’s a very good advertisement for this business model.”
Jay Healey, a senior researcher at Columbia University, said that on one level cybersecurity risks are unchanged from what they were two decades ago. “We’ve been here before,” he said. “Twenty years ago, say, from the late 1990s until maybe 2003, it was relatively common to see even large-scale attacks destroying substantial parts of the Internet.” Viruses and worms such as Nimda, Code Red, SQL Slammer, Melissa, and I Love You were major existential threats during this time.
Since then, “Microsoft has made big changes. Others have made big changes, but a lot of fundamental vulnerabilities are still there,” Healey explained.
Unsecured devices “the big hairy monster under the bed”
Even though some major tech players such as Microsoft have improved their security postures, Snyder pointed to what she sees as the cybersecurity industry’s overall stasis as “the biggest monster under the bed.” From the early days when worms and viruses were on the verge of crippling large parts of the web, “we just haven’t done anything as an industry,” she said. “We haven’t implemented better technologies. We haven’t improved our ability to mitigate these strategies. We haven’t reduced our attack surface. We haven’t worked on memory corruption issues.”
Additionally, today’s attack surface is not only much larger than before, but it also includes Internet of Things (IoT) devices which, unlike mainframes and laptops and even mobile devices, are difficult to update from a security perspective. “A lot of these devices don’t have the amount of memory or storage or the processor capacity” needed to support security updates, Snyder said. “It’s a huge opportunity for the attackers. It is very difficult for the people who manage these devices to be able to even inspect [them] and recognize if they are actually compromised or if they are using the code that we expected them to run during deployment. It’s the big hairy monster under the bed for me.”
Healey said the nearly ubiquitous interconnection of critical infrastructure sectors with digital networks poses a darker threat than early Trojans and viruses. “Twenty years ago, worms were only removing things made of silicon and things made of ones and zeros because that’s all that was really on the Internet. Right now you’re also removing concrete and steel. I think we are, I’m going to look at the 2000s and 2010s as the golden age where nobody really died from that stuff.”
Barriers to cybercrime are low
Another significant change from 20 years ago is the changing nature of cybercrime, said Kevin Mandia, CEO of FireEye. “When you look at the criminals, I think probably 20 years ago they must have been very technical.” Now the barriers to entry for cybercrime are low and cybercrime is becoming a service. In addition, unlike in the past, more and more nation states are entering the cybercrime arena. “And that for me is worrying in itself,” he said.
The most lucrative cybercrime business today is ransomware, which promotes more dangerous threats and the need for more innovative collective defenses. “We are seeing increasingly blurred relationships between nation-state actors and criminals,” said Mieke Eoyang, deputy defense secretary for cyber policy at the defense ministry. “We are particularly concerned about nation states that create a safe haven and a comfortable environment for criminal actors. This is something we need to start addressing directly with those nations.”
With all the rapid changes in the threat landscape, the real challenge is understanding the risk. “At the moment, I don’t think the government has the capacity to understand the risks,” said Sean Joyce, global and US head of cybersecurity, privacy and forensics at PwC USA. “And I don’t think the private sector has the capacity to understand the risks. So I think it’s important on both sides to really say, okay, the threat landscape is changing, but what does this mean to us?”
COVID-19 altered systemic risk
COVID-19 is another important force that has rapidly changed systemic cyber risk. The abrupt closure of workplaces and the subsequent lockdown of everyone in their homes forced almost instantaneous and fundamental changes in the way large swathes of society manage cybersecurity risks. “We literally had to reconfigure the network on the fly and add capacity on the fly,” said Noopur Davis, CISO at Comcast.
The COVID-19 crisis has also suddenly drawn the attention of cybercriminals to new areas. “We had never been the target, the real target,” said Marene Allison, vice president and CISO of Johnson & Johnson. “No one ever cared about us until the vaccines were created. It changed the threat profile of healthcare in a second, overnight.”
Even the highly protected financial sector has had to scramble to quickly change its digital risk profile, said Ron Green, CSO of Mastercard. “We have seen a massive increase in contactless payments with this second quarter” of 2020. “As a result, we have provided more contactless solutions to our customers than in the previous year [during the second quarter of 2020]. Five times more.”