The Cyber Theory website has posted its annual report for 2021. The full report is at https://cybertheory.io/wp-content/uploads/2022/01/Annual-Security-Report-2021;pdf; here are the highlights:
- 2021 was "the year of complexity": increasingly difficult attacks, the convergence of competing devices across multiple entities, the accelerated growth of "smart" devices and shortened development cycles combined to create a perfect storm of vulnerabilities.
- Ransomware continued to increase.
- The Biden administration issued executive orders requiring businesses to address security rules. While well intentioned, they are not effective.
- More personal data was exposed and is available on the dark web.
- Critical infrastructure is vulnerable. 71% of vulnerabilities are classified as high or critical.
- Although 83% of organizations suffered an operational technology cybersecurity breach in the last 36 months, 73% of CIOs and CISOs are "highly confident" their organizations will not suffer a breach next year.
Cyber Theory's expectations for 2022:
- Physical security attacks with serious outcomes.
- Double-extortion ransomware attacks will continue.
- Open source supply chain attacks will continue to grow.
- The use of open source database management systems will accelerate.
- Web app attacks will skyrocket.
- Active Directory will continue to be the most powerful Trojan.
- Windows and O365 will remain the most vulnerable targets.
- Complexity will continue to increase.
- The skills gap will widen.
- The geo-political stage will be dominated by cyber attacks.
To close the skills gap, Cyber Theory director Steve King recommends a taxpayer supported National Security Master's Education program to create "cyber warriors" who can take the fight to the enemy. This should be supplemented by online cybersecurity education and training programs. A National Cybersecurity Service should be mandatory for all college graduates.
If we do nothing to change the course of events, the cybersecurity landscape will only get worse. To reverse course we must:
- Change the reporting rules and prevent companies from reporting their cyber vulnerabilities.
- Apply controls over Chinese owned venture capital firms.
- Stop using Chinese products and services.
- Develop and apply rigorous cyber hygiene.
- Share information between the public and private sectors.
- Modernize cyber laws to enable offensive security.
- Mandate zero trust.
- Create and enforce national security mandates.
- Create the equivalent of a Manhattan Project for artificial intelligence and machine learning.
- Mandate cyber insurers to match coverage with a standardized NIST framework.