Cybersecurity

The vulnerability of the internet is the vulnerability of modern society. However, security has mostly been an afterthought since the early days of the internet as many market-driven tech companies employed a ‘release now, patch later’ approach.

The growing use of cyberspace by state and non-state actors for malicious purposes threatens peace and security, trust in the digital economy and services, and the potential for the digital transformation of societies and economies.  Security risks for citizens, companies, and countries are interrelated.

Vulnerabilities used by criminals can easily slide into a military arsenal and vice versa. Thus, effective digital security requires a holistic approach to better tackle the interplays between security, economic development, human rights, as well as sociocultural and infrastructural aspects.  Cybersecurity is the main umbrella public policy issue. Other more specific security-related issue include:

Revisiting cybersecurity predictions for 2022

Predictions are always tricky, especially for years like 2022. As you can see from the inline comments for 2022 predictions, we got quite a few things right.

 

Risks will increase:

 

1st prediction (Jan 2022):

Supply chain will become one of the main targets, especially for state-sponsored attacks.

 

Year later (Jan 2023): 

The trend of supply chain attacks, reported clearly by Verizon in its ‘2022 Data Breach Investigations Report (DBIR)’, continued: research by BlackBerry reveals that ‘four in five (80%) IT decision-makers say their organisation was notified of an attack — or vulnerability — in its software supply chain in the last 12 months.’

In 2022, attackers aimed to obtain access to services, such as in the case of a hack of Okta, the major provider of authentication services Okta, or GitHub OAuth; they exploited widely used services like WordPress plug-ins and extensions; and compromised IT tools of vendors that have thousands of customers worldwide, like the Canadian Comm100. Cases, however manyfold, weren’t as visible and impactful as the SolarWinds hack – also due to the focus which shifted to the Ukraine war.

 

2nd prediction (Jan 2022):

Ransomware will move beyond the ‘double ransom’ trend of encrypting and threatening to release stolen data publicly, to the third element of data wiping, which we saw some early signals of in Ukraine recently.

 

Year later (Jan 2023): 

Ransomware continued to be among top concerns in 2022. Data wipers have become much more prominent: ‘Wiper malware is popping up everywhere’, confirms ArsTechnica in its 2022 coverage, naming many new and sophisticated families of wipers. 

 

3rd prediction (Jan 2022):

Cloud security will come to focus in the mid-term, due to digitalisation and transformation of the 5G networks into the cloud. The question of who is responsible for international cloud security creates a big regulatory gap, especially in the case of a major cyber incident in a global commercial cloud service.

 

Year later (Jan 2023): 

Important cases of attacks again public (and rather well known) cloud providers were recorded, with significant consequences on personal data – and thus online safety and security – of millions: attacks against and breaches into cloud services like Twitter, Uber, Revolut and LastPass dominated headlines in 2022 

 

Resilience

4th prediction (Jan 2022):

Supply chain resilience will be built on national levels. The US is moving towards internal solutions on supply chain security (including software); the EU is expected to agree on the NIS2 directive to address vulnerabilities and resilience. Other governments will likely follow with some regulatory measures, especially for the internet of things (IoT). The international security of supply chains is weak. The Organisation for Economic Co-operation and Development (OECD) is an exception with its work on the digital security of products.

 

Year later (Jan 2023): 

Discussions on the supply chain are ongoing, but regulatory approaches are still slow and uncoordinated. EU has adopted its NIS2 directive, which imposes risk management and reporting requirements on critical entities (from cloud and data providers to social media platforms), and should be followed by an ICT supply chain security toolbox, to support entities in identifying threats scenarios and ways to address them.

 

5th prediction (Jan 2022):

The USA focuses on critical infrastructure, the EU is expected to adopt its new critical infrastructure directive (CER) soon.

 

Year later (Jan 2023): 

In December 2022, European Council adopted a directive to strengthen the resilience of critical entities (CER). To some extent, it was also pushed forward by the sabotage against the Nord Stream pipeline and the perceived risks brought by Russia’s aggression against Ukraine. CER directive covers critical entities in a number of sectors, such as energy, transport, health, drinking water, waste water and space, and will require member states to develop related strategies and review the implementation regularly.

 

Cyber-conflict a.k.a. ‘state-sponsored attacks’

 

6th prediction (Jan 2022):

Cyber detente between the USA and Russia is likely to go ahead on a small scale (signalling), with no substantive breakthroughs. This is due to broader geopolitical tensions between two countries, especially around the crisis in Ukraine. 

 

Year later (Jan 2023): 

Reality was grimmer due to the outbreak of a war in Ukraine. Cyber detent died with the Ukraine war. Yet, state-sponsored attacks – particularly in the context of the war in Ukraine – remained live and enhanced. 

 

7th prediction (Jan 2022):

In digital relations between the USA and China, cybersecurity has a less prominent position compared to the protection of intellectual property, free flow of data, e-commerce, and others. However, its importance may rise. 

 

Year later (Jan 2023): 

No real progress in the US-China relations, nor in the emphasis of cybersecurity particularly related to risks from China. Focus remained on core technologies like semiconductors. Yet, boosting of cyber resilience in the US and the EU, in response to the war in Ukraine and risks from Russian cyber-attacks, also signalled changes in the cyber posture to China. An additional political signal from the US was the establishment of the Cyber Bureau of the State Department – with one of its three pillars being cybersecurity, and the appointment of the new (and first) US Cyber Ambassador, as well as increased diplomatic engagement with Asean countries like Japan, South Korea and India. On the side of China, cybersecurity was more prominent on the agenda of the Shanghai Cooperation Organisation meeting in Samarkand. 

 

8th prediction (Jan 2022):

USA-China: Cyberattacks attributed to China will continue; overall relations will likely deteriorate, also due to broader context. Although, the USA is slowly decreasing its dependency on China thanks to its new open approach to 5G, which means less reliance on Huawei, and moving its semiconductor productions from Taiwan Semiconductor Manufacturing Company (TSMC) to US factories.

 

Year later (Jan 2023):

War in Ukraine overshadowed other strained cyber relations; it looks like it has taken by surprise both the US and China, and that they decided to calm down their cyber-relations (for a while). Though there were attacks attributed by the US security services to certain China-related hacking groups, countrary to predictions there were no major cyber-attacks attributed to China by the US in 2022. 

 

9th prediction (Jan 2022):

The crisis in Ukraine and other hot spots will also have cyber dimensions and impact. 

 

Year later (Jan 2023): 

Unfortunately, it happened with the outbreak of the Ukraine war.