In 2022, cybersecurity took center stage. In the midst of the Russian invasion of Ukraine, monumental domestic and international efforts to combat cybercrime, and a volatile economic backdrop, the growing dynamism and influence of cyber activities was striking. Three prominent developments stand out: first, cyber threats are multiplying, drawing increasing attention from professionals across multiple economic sectors; second, assumptions about the benefits of technology-driven transparency seem increasingly tenuous; and third, a growing consensus about the range of cyber threats is breathing new life into efforts at cyber capacity building.
A Diversifying Cyber Threat Landscape
In 2022, incident responders, companies, and regulators worked to keep up with the exploding number and sophistication of cyber threats. As experts worked to understand the changing nature of cybersecurity, public attention began to catch up to the impacts of cyber vulnerabilities.
Cybercrime-focused threat actors in 2022 started shifting their operations away from more frequent malicious activity like double-extortion style ransomware toward cyber extortion (REF). This shift may be a response to the increased focus on disruptive action taken by private sector entities and law enforcement against groups operating within the traditional ransomware ecosystem.
2022 also saw increasingly pointed expert accounts of the dangers posed by cyber threats and the “real world” impacts they can have. Panelists at events like IST’s Ransomware Task Force Anniversary event in May and Brunchcon, a cybercrime-focused conference following CYBERWARCON in November, took note of the shift away from ransomware attacks and voiced concerns about new trends including cyber threats to supply chains and cloud security. The growing awareness was not limited to experts; members of the public also took note. Some voiced concerns about cyber threats and lax cybersecurity as cyber attacks made the news.
Throughout 2022, the conflict in Ukraine mixed conventional military operations, cyber espionage, and hacktivist activities. The use of destructive malware attributed to state-sponsored Russian actors was repeatedly employed to disrupt Ukrainian organizations at an unprecedented rate. In tandem with destructive attacks, domestically aligned hacktivist groups from Russia (Killnet) and Ukraine (ITArmy) have leveraged DDoS attacks and data-leak operations as a means of keeping international attention trained on the conflict and disrupting adversary infrastructure.
Tensions Surrounding Technology-Driven Transparency
While the cybersecurity community continues to push for reciprocal information sharing between the public and private sectors, technology-driven transparency, like that offered by a blockchain’s immutable ledger, has become increasingly contentious.
2022 saw heightened tensions between proponents of anonymity-increasing tools and actors in the public sector and civil society who are pushing for regulatory oversight of these technologies. Scandals like the alleged FTX fraud raised questions about the risks of cryptocurrency technologies built for pseudonymity: Who is pseudonymity for? How does it impact cybersecurity? Given the absence of a third party intermediary, when liquidity crises hit, who protects companies and customers from harm? Meanwhile, other use cases showed the benefits of privacy-preserving technologies. Benefits to voting was a notable argument: blockchain technology could verify vote-counting, increase voter access with secure online portals, and streamline voting operations all while protecting voter privacy.
Experts at events like the World Economic Forum Annual Meeting on Cybersecurity and CYBERWARCON debated the best path forward. The crux of the tension revolves around a desire by some to skirt regulatory oversight and cut development corners at the technological level. Adding to the problem, regulators’ expertise lags behind the rapidly-changing ecosystem, impeding the design of effective regulatory frameworks. The 2023 National Cyber Strategy reportedly reflects this tension by taking a position in favor of oversight rather than anonymity; it is said to advocate for a move from promotion of increased cybersecurity–through incentives like incident reporting–to a regulation-based approach.
Sharing the Burden: Cyber Capacity Building
Underscoring the above trends was the tradition of underinvestment in the cybersecurity ecosystem. The cyber workforce is stretched particularly thin, making cyber defense increasingly difficult as new and more sophisticated threats emerge. In 2022, many cybersecurity specialists pressed to make the business case for cybersecurity investment at the C-Suite level. While 2022 saw a growing consensus within governments and some industry entities that a focus on cybersecurity is critical, tech startups and other small- and medium-sized businesses have tended to operate on shoestring budgets, and cybersecurity is not always top of mind.
Furthermore, proposed solutions to issues like insecure open-source software place an enormous burden on the cyber workforce, without sufficient financial and operational support from government and the companies that employ this software in their products. As a result, going into 2023 we remain relatively cyber insecure at the national level, indicating the need for better incentives to adopt cyber best practices and potentially stronger regulation.
Going into 2023, IST kicked off an effort to help secure open-source software, work to further understand and disrupt the ransomware payment ecosystem, aid in developing effective incident information sharing, and collaborate to develop business-cases for cybersecurity best practices. IST will also continue our efforts to understand the evolving nature of the cybersecurity environment. By bridging the gap between governments and industry we will produce relevant, applicable ideas in 2023 and beyond.