Steve King reviews the first 90 days of 2021 on the Cyber Theory website. If you are not concerned about cybersecurity now, this article should convince you.
The full article can be found at https://cybertheory.io/a-2021-first-quarter-review. Here are King's conclusions and some recommendations:
- We are unprepared to deal with recent breach activity which is a departure from historic norms. Our "protect and defend" cyber defense technology was not designed for these threats.
- 99% of software tools are not engineered to detect or discover threat vectors like those used in the SolarWinds, Accelion and Microsoft attacks. Our laws currently prevent using offensive techniques against these threats. (In military terms, we can't fire the first shot.)
- While cyber criminals may be looking for financial gain or data extraction, attackers are more focused on intelligence gathering, disruption and dis- or misinformation.
- SolarWinds was a nation-state attack, by adversaries - I don't have to name names - who are confident in their cybersecurity skills.
- The first stage of SolarWinds was inserting a backdoor into a software update. Anyone who downloaded the update was infected.
- FireEye and Microsoft executives testified to Congress that the attack required years of preparation and at least 1,000 engineers - and we did not detect it.
- According to retired general Keith Alexander, the real objective of the attack was to gain information and do something "when the need arises" - which so far has not happened.
- The second stage compromised Microsoft's Active Directory, enabling them to create new accounts and pose as legitimate users. The attackers modified the software build process, and they could do it again. In the words of former "cyber czar" Richard Clarke, they are able to "eat the software in thousands of U.S. companies".
- The danger in manipulating computer systems is the ability to cause real physical damage. The recent attack on a Florida water system - fortunately detected before real damage was done - shows what can happen. As King states, we can live a while without electricity but we can't live without water.
- There are about 54,000 drinking water systems in the U.S., almost all relying on remote access monitoring, most unattended, underfunded and without 24/7 IT oversight.
- The Internet of Things is powering the "4th Industrial Revolution" forecast to reach $1.1 trillion by 2026. By 2025, 152,500 IoT devices will be connected every minute - almost 80 billion annually. Due in part to 5G, Ericson forecasts 3.5 billion cellular IoT connections by 2023. Digital transformation is a top strategy for 94% of executives and 85% have IT budgets, according to Deloitte. Fewer than 20% of risk professionals can identify a majority of their organization's devices. IoT devices are typically attacked within 5 minutes of entry. 55% of surveyed companies do not require third party supply chain providers to have security and privacy compliance.
- Cyber-physical systems (CPSs) are a new category of risk - systems that interact with the physical world, including humans. The Internet of Medical Things (IoMT) is a critical example - rapid growth of inventory with only cursory attention to security. Gartner predicts the financial impact of CPS attacks resulting in fatal casualties will exceed $50 billion by 2023. By 2024 liability for CPS incidents will pierce the corporate veil and directors and officers will be held accountable. (D&O policies may well exclude this risk.)
- Russian cyber operations are a real and current threat, and a major shift in defense philosophy is needed - a shift to active defense. This will require politicians and the private community to work together. Not since World War II have we faced such a threat.
- Work from home risks continue due to cybersecurity shortcuts and insufficient protection.
- The next 90 days should see more supply chain and ransomware attacks; a large scale ISC attack; slow progress toward a public-private cybersecurity defense partnership; more new cybersecurity solutions; and increased threats from Russia and China.
- The gap between trained and untrained cybersecurity personnel will continue to widen. Phishing, fileless attacks and business process compromise will increase. Edge computing will expand the attach surface. It adds up to an increase in unintended insider threat.
I urge you to read the entire article. Be afraid. Be very afraid.
My acknowledgement to Steve King for permission to summarize his article.
Since this was written, we have had the Colonial Pipeline attack.