Bipartisan Policy Center Report Identifies Top Cybersecurity Risks for 2023; Experts Warn Lack of Progress Discouraging

A new report from the Bipartisan Policy Center looks to understand the top cybersecurity risks facing individuals, companies, and governments in 2023. The report identified eight “macro risks” likely to represent the biggest threats in cyberspace this year, including an evolving geopolitical environment; a global cyber arms race; vulnerable critical infrastructure; a lack of needed investments in cyber preparedness; regulatory uncertainty; a shortage of cyber talent; insufficient corporate governance; and economic uncertainty. 

I wanted to highlight this passage from the coverage in NextGov:

Jamil Farshchi, executive vice president and chief information security officer at Equifax, said that “roughly 85% of the things that are on [the report] aren’t novel”—such as ongoing risks to critical infrastructure and lagging governance concerns—but added that the inability to rectify these issues remains a constant source of concern for the public and private sectors. 

“The most surprising thing to me is that a lot of the risks that we’ve highlighted here are the same risks that, I think, could have been on this list had we done it five years ago, or maybe even ten years ago,” Farshchi said. “And so, in some ways, it’s predictable, somewhat. But in other ways, it’s discouraging because we as a community, we as a country, have not advanced the ball effectively enough to be able to mitigate or even draw down some of the risks that we’ve highlighted.” 

It’s not the only warning about underestimating cyber threats. Mandiant found the same thing about organizations and their understanding of potential attackers. The survey found that 67% of cybersecurity decision-makers believe their leadership teams underestimate the cyber threats posed to their organizations. Only 53% said they could prove to their leadership team that their organization “has a highly effective cybersecurity program.” That said, 91% said they had confidence in their organization’s preparedness to defend against financially motivated attacks like ransomware.

In other research, from Avanan, phishing actors are using Geo Targetly, a tool deployed by businesses to customize advertising based on a recipient’s location. The key element is that the phishing email is correctly localized: it is written in the recipient’s language, and its content is relevant to the victim’s region, including the appearance of the local government.

In an update on CISA’s investment in state and local cybersecurity, the agency reports that those new funds are now making their way to state offices. All but two of the 56 states and territories eligible for the program have applied; Florida and South Dakota did not. Any money that might’ve gone to those two states will be redistributed evenly across the states and territories that are participating.

Rather than make this all gloom and doom, there’s some good news. It’s gotten a lot easier for hackers to report bugs. Austin Hackers Anonymous (AHA!) has joined the CVE program as the first unorganized hacker collective in the country to become a CNA (CVE Numbering Authority). This gives anyone who presents at one of the group’s meetings a clear way to register, report, and publish the vulnerabilities they uncover.

Why do we care?

On the back end, we are getting better at managing cyber. Government funds are moving into place, and systems that let the good guys coordinate better are coming online. Where we are failing is in rallying those outside the industry to the cause. We know what to do; we just aren’t doing it.

I don’t have an answer, but I hope we start asking better questions. If the definition of insanity is doing the same thing over and over again and expecting different results, then the same security answers won’t create the change we want. What can we do differently? Those who answer this are going to find a new path.