The increase of high-value ransomware assaults and discoveries of dangerous software distribution network infections in the last two years have pushed cybersecurity towards the top of the state’s priority list. Simultaneously, corporate America, as well as the public in general, have become aware of the new breed of digital threats offered by nation-state hackers and criminal groups.
It’s no wonder, therefore, that two themes ran through this year’s Aspen Cyber Summit: the complicated intricacy of the cybersecurity dangers we currently face and how they could vary from previous difficulties. “We’ve got this growing complexity and growing interdependence,” Window Snyder, CEO of Thistle Technologies, said. “So, the opportunities [for threat actors] are growing faster than we’re able to mitigate them.”
Compared to 20 years ago, when even large IT systems were relatively independent and simple, system interdependence now makes dealing with and protecting against threats a far more challenging prospect. “The core problem here is complexity and our interdependence,” Snyder said. “That is something that we’re not going to move away from because that is providing us flexibility and functionality and all these other critical functions that we need. We’ve got a growing problem here.”
Compared to 20 years ago, when even large IT systems were relatively independent and simple, system interdependence now makes dealing with and protecting against threats a far more challenging prospect. “The core problem here is complexity and our interdependence,” Snyder said. “That is something that we’re not going to move away from because that is providing us flexibility and functionality and all these other critical functions that we need. We’ve got a growing problem here.”
One new component put into the digital mix is the meteoric rise of ransomware, which gives the impression that intrusions are becoming more severe. “I think that the ransomware attackers have found a perfectly successful illegitimate business model,” Rand Corporation research expert Jonathan Welburn said. “Every time there’s a large-scale attack, we see that [victims] issue a payment, and it solves the problem. It’s a really good advertisement for that business model.”
According to Jay Healey, a research professor researcher at Columbia University, cybersecurity dangers are identical to the variant from two decades back. “We’ve been here before,” he said. “Twenty years ago, say, from the late nineties to up to maybe 2003, it was relatively routine to see even large-scale attacks take down substantial parts of the internet.” Viruses and worms like Code Red, Nimda, SQL Slammer, I Love You, and Melissa were major threats during that period.
“Microsoft has made big changes. Others have made big changes, but a lot of the fundamental vulnerabilities are still there,” Healey commented.
Vulnerable Devices: A Major Problem
Even while several large IT companies, such as Microsoft, have upgraded their security postures, Snyder sees the cybersecurity sector in a state of stagnation and considers it to be the biggest problem. Since the days when worms and viruses were set to take down large parts of the internet, “we just didn’t do anything as an industry,” she said. “We didn’t implement better technologies. We didn’t get better at mitigating these strategies. We didn’t reduce our attack surface. We didn’t work on memory corruption issues.”
Furthermore, the security risk is not only much larger than it was previously, but it now includes internet-of-things (IoT) devices, which, unlike mainframe computers, laptops, and even mobile devices, are challenging to update from a security standpoint. “A lot of these devices don’t have the amount of memory or storage or CPU capabilities” required to accommodate security updates, Snyder said. “It’s a huge opportunity for attackers. It’s very difficult for the people who manage these devices to be able to even inspect [them] and recognize whether they are actually compromised or are using the code that we intended for them to run at deployment. That’s the big, hairy monster under the bed for me.”
According to Healey, today’s nearly ubiquitous connectivity of key infrastructure sectors with digital networks poses a more serious threat than the early Trojans and viruses. “Twenty years ago, the worms were only taking down things made of silicon and things made of ones and zeros because that’s all that was really on the internet. Right now, you’re also taking down concrete and steel. I think we’re going to look back at the 2000s and the 2010s as the golden age when no one was really dying from this stuff.”
Weak Countermeasures To Cyber Crimes
Another important difference from 20 years ago is the changing form of cybercrime, according to Kevin Mandia, CEO of FireEye. “When you look at the criminals, I think probably 20 years ago they had to be very technical.” The obstacles to entry into cybercrime are very minimal, and cybercrime is becoming a service. Furthermore, unlike in the past, more nation-states are becoming involved in cybercrime. “And that to me is concerning in itself,” he said.
Ransomware is today’s most profitable cybercrime activity, which breeds increasingly serious threats and necessitates more inventive collective defenses. “We’re seeing increasingly fuzzy relationships between nation-state actors and criminals,” Mieke Eoyang, deputy assistant secretary of defense for cyber policy at the Department of Defense, said. “We’re particularly worried about those nation-states that create a safe haven and a comfortable environment for the criminal actors to operate in. That is something that we have to start addressing directly with those nations.”
Given the danger landscape’s frequent changes, the true issue is recognizing the risk. “Right now, I don’t think the government has the ability to understand the risks,” Sean Joyce, global and US cybersecurity, privacy, and forensics leader at PwC USA said. “And I don’t think the private sector has the ability to understand the risks. So, I think it’s important on both sides to really say, okay, the threat landscape is changing, but what does that mean for us?”
COVID-19 Affected Systemic Risk
COVID-19 is another important element that has significantly transformed systemic cyber risk. The unexpected shutdown of businesses, followed by a lockout of everyone into their homes, prompted nearly instantaneous and profound changes in how huge swathes of society handle cybersecurity risk. “We literally had to reconfigure the network on the fly and add capacity on the fly,” Noopur Davids, CISO of Comcast, said.
The COVID-19 problem also abruptly drew hackers’ focus to other industries. “We’d never been the target, the true target,” Marene Allison, vice president and CISO of Johnson & Johnson, said. “Nobody ever cared about us until the creation of vaccines. It changed the threat profile of healthcare in a second, overnight.”
According to Ron Green, CSO of Mastercard, even the highly protected banking industry has to hustle to modify its digital risk profile rapidly. “We saw a massive rise in contactless payments with that second quarter” of 2020. As a result, we delivered more contactless solutions to customers than we did in the previous year [during the second quarter of 2020]. Five times more.”
