Over the past two years, the rise of big-ticket ransomware attacks and revelations of harmful software supply chain infections have elevated cybersecurity to the top of the government’s agenda. At the same time, corporate America and even the general public have awakened to the new array of digital dangers posed by nation-state actors and criminal organizations.
It’s little surprise then that two threads running through this year’s Aspen Cyber Summit were the intricate nature of the cybersecurity threats we now face and how they may differ from the challenges we faced in the past. “We’ve got this growing complexity and growing interdependence,” Window Snyder, CEO of Thistle Technologies, said. “So, the opportunities [for threat actors] are growing faster than we’re able to mitigate them.”
Unlike 20 years ago, when even extensive IT systems were comparatively standalone and straightforward, the interdependencies of systems now make dealing with and defending against threats a much more difficult proposition. “The core problem here is complexity and our interdependence,” Snyder said. “That is something that we’re not going to move away from because that is providing us flexibility and functionality and all these other critical functions that we need. We’ve got a growing problem here.”
One new variable thrown into the digital mix is the meteoric growth of ransomware, which makes it appear that cyberattacks are getting worse. “I think that the ransomware attackers have found a perfectly successful illegitimate business model,” Rand Corporation researcher Jonathan Welburn said. “Every time there’s a large-scale attack, we see that [victims] issue a payment, and it solves the problem. It’s a really good advertisement for that business model.”
Jay Healey, a senior research scholar at Columbia University, said that at one level, cybersecurity risks are unchanged from what they were two decades ago. “We’ve been here before,” he said. “Twenty years ago, say, from the late nineties to up to maybe 2003, it was relatively routine to see even large-scale attacks take down substantial parts of the internet.” Viruses and worms such as Nimda, Code Red, SQL Slammer, Melissa, and I Love You were major existential threats during those days.
Since then, “Microsoft has made big changes. Others have made big changes, but a lot of the fundamental vulnerabilities are still there,” Healey argued.
Even if some major tech players such as Microsoft have improved their security postures, Snyder pointed to what she considers the overall stasis of the cybersecurity industry as “the biggest monster under the bed.” Since those early days when worms and viruses were poised to cripple significant portions of the web, “we just didn’t do anything as an industry,” she said. “We didn’t implement better technologies. We didn’t get better at mitigating these strategies. We didn’t reduce our attack surface. We didn’t work on memory corruption issues.”
Moreover, the attack surface today is not only far more extensive than it was before, but it also includes internet-of-things (IoT) devices that, unlike mainframe computers and laptops and even mobile devices, are difficult to update from a security perspective. “A lot of these devices don’t have the amount of memory or storage or CPU capabilities” needed to accommodate security updates, Snyder said. “It’s a huge opportunity for attackers. It’s very difficult for the people who manage these devices to be able to even inspect [them] and recognize whether they are actually compromised or are using the code that we intended for them to run at deployment. That’s the big, hairy monster under the bed for me.”
Healey said that today’s almost ubiquitous interconnection of critical infrastructure sectors with digital networks does pose a darker threat than the early Trojans and viruses. “Twenty years ago, the worms were only taking down things made of silicon and things made of ones and zeros because that’s all that was really on the internet. Right now, you’re also taking down concrete and steel. I think we’re going to look back at the 2000s and the 2010s as the golden age when no one was really dying from this stuff.”
Another significant change from 20 years ago is the shifting nature of cybercrime, Kevin Mandia, CEO of FireEye, said. “When you look at the criminals, I think probably 20 years ago they had to be very technical.” Now the barriers to cybercrime entry are low and cybercrime is becoming a service. Moreover, unlike in the past, more nation-states are entering the cybercrime arena. “And that to me is concerning in itself,” he said.
Today’s most lucrative cybercrime activity is ransomware, which fosters more dangerous threats and the need for more innovative collective defenses. “We’re seeing increasingly fuzzy relationships between nation-state actors and criminals,” Mieke Eoyang, deputy assistant secretary of defense for cyber policy at the Department of Defense, said. “We’re particularly worried about those nation-states that create a safe haven and a comfortable environment for the criminal actors to operate in. That is something that we have to start addressing directly with those nations.”
Given all the rapid changes in the threat landscape, the real challenge is understanding the risk. “Right now, I don’t think the government has the ability to understand the risks,” Sean Joyce, global and US cybersecurity, privacy and forensics leader at PwC USA, said. “And I don’t think the private sector has the ability to understand the risks. So, I think it’s important on both sides to really say, okay, the threat landscape is changing, but what does that mean for us?”
Another significant force that has rapidly altered systemic cyber risk is COVID-19. The abrupt shutdown of workplaces and the subsequent lockdown of everybody into their homes forced almost instantaneous and fundamental changes in how vast swaths of society manage cybersecurity risk. “We literally had to reconfigure the network on the fly and add capacity on the fly,” Noopur Davids, CISO of Comcast, said.
The COVID-19 crisis also suddenly attracted the attention of cybercriminals to new sectors. “We’d never been the target, the true target,” Marene Allison, vice president and CISO of Johnson & Johnson, said. “Nobody ever cared about us until the creation of vaccines. It changed the threat profile of healthcare in a second, overnight.”
Even the highly protected financial industry had to scramble to change its digital risk profile quickly, Ron Green, CSO of Mastercard, said. “We saw a massive rise in contactless payments with that second quarter” of 2020. “As a result, we delivered more contactless solutions to customers than we did in the previous year [during the second quarter of 2020]. Five times more.”