World Economic Forum Warns of “Gathering Cyber Storm”
As we enter 2023, the world is on edge. Governments are nervous, markets are jittery, and trigger fingers are itchy. The current global anxiety is also influencing cybersecurity risk perceptions and the threats that shape them. During the recent World Economic Forum held in Davos, Switzerland, a warning of an unpredictable time ahead for cybersecurity is prompting calls for more action to protect an increasingly digitised and interconnected world.

The Global Cybersecurity Outlook 2023 report launched at the forum has placed geopolitical instability at centre-stage, highlighting fears of potentially catastrophic cyberattacks over the next two years. The report indicates that 93% of cyber leaders and 86% of business leaders are of the opinion that global instability will likely be the root cause of a catastrophic cyber event in the near future. The report also states that geopolitical instability will be a key influencer in the review of cyber strategies, as will the recognition that the entire cyber supply chain is only as strong as its weakest link.

These assessments are also causing a shakeup of the way organisations do business. Organisations are reviewing the levels of trust they will extend to third-party providers who have access to their environments and data, and are reconsidering which countries they intend to do business with. In addition, a disconnect between the views of business and security leaders is emerging, where the former foresee a safer path with in-house security solutions, while the latter gravitate towards secure partnerships. One might consider this disconnect to be a mirror of the international reactions to the rise in instability, with increasing nationalism on one side, and a desire for security through international partnerships on the other.

The abrupt change to the geopolitical zeitgeist in the past 12 months is also altering the nature and character of cyber threats.
These threats are evolving, with an increased likelihood of attacks aimed at creating business disruption and reputational damage. Strategies, therefore, appear to be shifting on both sides of the digital conflict.

According to the US Cybersecurity and Infrastructure Security Agency (CISA), industrial control system patch management is inconsistent at best and non-existent at worst. The 2022 SANS ICS/OT Cybersecurity survey found that security patching in ICS environments occurs on an average of every 1.25 months. More interesting is that around two-thirds of ICS operators rely on third-party providers or device manufacturers to perform patching.

Risky Version of Swings and Roundabouts

Digital transformation projects in recent years were largely triggered by a risk of an entirely different type. There are very few organisations that were unaffected by the pandemic pressures which changed the way society lives and works. Security practitioners had to reimagine much of the security paradigm as organisations migrated north to the cloud. Now further dramatic events are shaking up the digital world, with external circumstances that were unimaginable only a short time ago once again dictating these changes. Digital transformation, which has barely had time to rest and enjoy the fruits of its labour, is being re-examined in response to the way the threat environment and technology are changing.

The Global Cybersecurity Outlook 2023 report suggests that the major factors influencing cyber strategies going forward will include embracing Artificial Intelligence (AI), increased adoption of cloud technologies, and changes to identity and access management.

A key lesson learned by those who rushed into pandemic-induced digital transformation projects was this: haste leads to oversights that create avoidable vulnerabilities and breaches. Although new technologies may be intended to reduce risk exposure, additional complexity in any environment brings another set of potential risks.
In the past, less well-resourced entities have often opted to take the wait-and-see approach, where the new technologies and models embraced by their more well-resourced siblings are observed and assessed with keen interest. However, if the current fears are well-founded, such a strategy may prove ineffectual for individual businesses and the cyber-ecosystem as a whole. The adoption of new technologies in this latest iteration of ‘unprecedented times’ will hopefully balance urgency with exactness, lest what is gained on the swings be lost on the roundabouts.

Cloudy With A Chance of No Trust

When anxiety abounds, control is craved. In cybersecurity’s current state of unease, Zero Trust Network Access (ZTNA) looks increasingly enticing. In part 3 of Sapien’s December 2022 roundup of ICS security, we discussed the concept of ZTNA and its implications for identity and access management. ZTNA utilises granular permissions that are based on user ID, device ID and type, device health state, and geographic location. Unlike traditional authentication methods, ZTNA does not authenticate once to provide access, but rather applies authentication continuously based on a range of variables, with permissions being continually verified.

However, ZTNA is no panacea, particularly when it comes to critical infrastructure. As we discussed in our December blog series, there are constraints that may make the deployment of ZTNA across Industrial Control System (ICS) networks untenable. Much like many other IT principles and practices, ZTNA methods that work in enterprise security simply do not translate well to industrial security. For example, the very nature of many ICS devices, some of which do not even have basic authentication or logging capabilities, makes securely verifying their identity impossible.
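
The difference between one-time and continuously applied authentication can be shown with a small policy check. This is an added example, not code from the original article or from any ZTNA product; the rule, the resource name, the user and device identifiers and the session below are all constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Context:
    """Signals sent with every request (all sample values are constructed)."""
    user_id: str
    device_id: str
    device_type: str
    device_healthy: bool  # posture result, e.g. patched and encrypted
    country: str

@dataclass(frozen=True)
class Rule:
    """One granular permission for a single resource (hypothetical schema)."""
    resource: str
    users: frozenset
    device_ids: frozenset
    device_types: frozenset
    countries: frozenset

def evaluate(rule, ctx, resource):
    """Return (allowed, reason); every attribute must pass on every call."""
    checks = [
        (resource == rule.resource, "resource not covered by rule"),
        (ctx.user_id in rule.users, "user not permitted"),
        (ctx.device_id in rule.device_ids, "unknown device"),
        (ctx.device_type in rule.device_types, "device type not permitted"),
        (ctx.device_healthy, "device failed health check"),
        (ctx.country in rule.countries, "location not permitted"),
    ]
    for ok, reason in checks:
        if not ok:
            return False, reason
    return True, "ok"

def replay(rule, resource, requests, continuous):
    """continuous=False caches the first decision (one-time authentication)."""
    decisions, cached = [], None
    for ctx in requests:
        if continuous or cached is None:
            cached = evaluate(rule, ctx, resource)
        decisions.append(cached)
    return decisions

RULE = Rule("hr-portal", frozenset({"alice"}), frozenset({"LT-0042"}),
            frozenset({"managed-laptop"}), frozenset({"AU"}))
OK = Context("alice", "LT-0042", "managed-laptop", True, "AU")
# Constructed session: device posture degrades, then the location changes.
SESSION = [OK, replace(OK, device_healthy=False), replace(OK, country="NZ")]
```

Replaying `SESSION` with `continuous=False` allows all three requests because only the first is checked, while `continuous=True` denies the second and third with the failing attribute as the reason.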
However, despite being in its infancy for ICS networks, it seems likely that ZTNA will eventually become more widespread as confidence in its deployment in the Operational Technology space grows. On the whole, it is likely that ZTNA is here to stay and will continue to be embraced more broadly, much like cloud computing.

The shift by many organisations to cloud models has been ongoing for several years now, and while this strategy can lessen organisational cybersecurity risk, it can also create new risks if implemented improperly. These risks include poor cloud strategy, poorly defined roles and responsibilities, lack of technical skillsets to manage cloud security, and the challenges of change management. There are also technical factors to consider, especially in regard to poorly envisioned architecture and integration of on-premises and cloud technologies, as well as ensuring cloud solutions meet agility, availability, and security requirements. Many organisations that ran into these issues are now pulling back some of their assets to on-premises solutions, causing the cumulus pendulum to settle into more practical hybrid models.

It’s Okay Dave. I Can Do That: Artificial Intelligence Promises Proactive Solutions

The increasing pace with which the cyber threat environment is changing requires technologies that can keep up and adapt faster than traditional reactive measures. Artificial Intelligence (AI) may offer significant benefits in this regard, including a greater ability to keep pace with new malware threats using superior predictive intelligence in comparison to traditional methods.

As with any new technology, terminology can become muddied. In the field of AI, the concept of Machine Learning (ML) is often used interchangeably with AI. However, AI consists of systems that can perform human-like tasks with enhanced efficiency based on any data type, including unstructured data.
ML, however, teaches machines to provide accurate results based on structured or semi-structured data. A good example of this is ChatGPT, the second AI to pass the Turing test by fooling humans into believing the AI is another human. Your Netflix recommendations are based on ML.

The dramatic increase in natural language processing of AI technologies will give the automation of data scraping for the latest threat intelligence a significant boost. AI will also provide advantages in tackling the growing threat of malicious bots by predicting the intent of traffic and adapting security accordingly. AI may also provide significant advances in establishing and maintaining accurate asset inventory and predictive threat exposure. Finally, AI may be a promising solution to the problem of the growth of remote endpoints, reducing reliance on signature-based threat detection.

Without Diversity, Creativity Remains Stagnant

Underpinning the predicted difficulties in managing the growing number of cyber threats is a shortage of the required cyber skillsets. The Global Cybersecurity Outlook 2023 report suggests that around a third of organisations are identifying skills gaps in their cyber security teams. Significantly, this problem is more pronounced in the protection of critical infrastructure sectors, such as the energy sector, where almost a quarter of the surveyed practitioners cited critical shortcomings in the required skills.

The report suggests that in order to boost the number of skilled cyber professionals, an increase in inclusion and diversity is required. The lack of diversity among cyber professionals may be a result of a failure in the education system, of organisations not making diversity a priority, or of industry stereotypes common in many STEM fields.
Efforts to improve inclusion and diversity in cyber professions are being undertaken, but the severity of the ongoing skills shortage and the urgency of filling those gaps make the undertaking particularly difficult.

Apart from filling the necessary skills gap, building a diverse and inclusive cyber workforce will also yield a more resilient, creative, and efficient security function. Diverse teams make better decisions, produce fewer errors, and have less staff turnover. Diverse companies have also been shown to be more profitable. Deidre Diamond, a 25-year tech industry veteran and CEO of Cyber SN and Secure Diversity, asserts that “breaches [come from] all cultures, all genders, all ages, all over the world… so, in cybersecurity more than anywhere, we have to have diversity. If we don’t bridge these gaps… then we will lose the digital war.”

Insecurity Breeds Support for Order

The evolving threat environment appears to also be changing many minds in regard to cyber regulation. According to the report, perspectives in 2022 were largely hostile to cyber security regulation, with more than half of respondents viewing cyber and privacy regulations as ineffective in reducing cyber risks. In Australia, the introduction of critical infrastructure security legislation was met with much consternation. However, the results of this year’s survey showed a dramatic about-turn, with 73% of respondents viewing cyber regulation and the associated enforcement as effective.

While regulation did not become a far more effective risk mitigator in the last 12 months, appreciation for its utility has increased. The connection between support for government intervention and perceived threat has been studied extensively, and it may well be that the lack of perceived control generated by geopolitical turmoil is the driver that is increasing support for government regulation in cybersecurity.

He Said, “Do You Speak-a-My Language?”

The 2023 report also suggests that cybersecurity risk awareness is increasing at the executive level. Increased executive involvement in cybersecurity means the previous disconnects between cybersecurity professionals and business executives are lessening. In an effort to further improve risk communication, the report urges cybersecurity professionals to reduce the amount of technical jargon in their communications and directors to make clear the business priorities in terms of assets and processes. The report advises that “building a security-focused culture requires a common language based on metrics that translate cybersecurity information into measurements that matter to board members and the wider business.”

As with most communication issues, overcoming them is frequently easier said than done. However, emphasis on a common language should help the ever-present difficulty of communicating the return on cybersecurity investment to be more clearly understood by all parties.

Summary

The geopolitical instability that began in early 2022 is at centre-stage, fuelling fears of catastrophic cyberattacks in the near future. The current unstable geopolitical environment has become the key influencer of current cyber strategies and is also altering the nature and character of cyber threats. External circumstances that were unimaginable only a short time ago are dictating these changes. The major factors influencing cyber strategies going forward will include embracing Artificial Intelligence (AI), increased adoption of cloud technologies, and changes to identity and access management. The adoption of new technologies in this latest iteration of ‘unprecedented times’ will need to be considered carefully. The future of cybersecurity will require focussed efforts to generate a more diverse and inclusive cyber workforce that enhances the resilience, creativity, and efficiency needed for success.
Finally, the eternal struggle to communicate risk effectively is showing signs of improvement. The increasing involvement of executives in cybersecurity is making it a more accessible and appreciated part of core business practices.