17 Jan A Challenging Year Ahead – Gazing into the Crystal Ball
Looking into the crystal ball
As 2024 begins it is always worth reflecting on what has been, and what is to come. January is named after the Roman god Janus after all, the god of transitions and beginnings.
Politics… and hard realities
The world seems a more complex, more polarised and more risky place as we enter 2024. The war in Ukraine rages on and seems to have created a strange hybrid of sophisticated drone, missile, cyber and electronic warfare along with trench warfare sadly more reminiscent of World War 1. The Middle East seems to be on the verge of further escalation as the battles between Israel and Hamas risk spreading across the region. And in the Far East tensions rise between North and South Korea, and perhaps China and Taiwan too.
While not directly cyber related, all of this sets a geopolitical context for a rise in infrastructure attacks on both military and civil targets, which itself links to the increasing sophistication and adoption of operational technology, and increased exploitation of vulnerabilities in those systems. In December CISA warned of increasing attacks on industrial control systems by both the Iranian Revolutionary Guard and the Russian SVR intelligence service, and we expect to see more targeting of critical infrastructure during 2024.
Regulatory concerns over threats to critical infrastructure will grow, as will the range of services coming into scope of regulation. For example, EU member states are required to implement the Network and Information Systems Directive 2 (NIS 2) by October this year, bringing new sectors such as space, social network services and data centre services into scope.
Supply chains… and complex ecosystems
Third party (and beyond) security and resilience concerns are growing as we move to an increasingly interconnected and inter-dependent world. In this world our supply chains, both physical and digital, are more complex and also more exposed to concentration risk and single points of failure. While we didn’t see a supply chain attack of the profile of the 2020 SolarWinds attack, it would be wrong to assume that supply chain attacks have gone away. The UK NCSC and the Republic of Korea released an advisory in November last year detailing a campaign of supply chain attacks by North Korea, and of course we have seen cyber criminals continue to look for supply chain vulnerabilities, including the exploitation of a vulnerability in MOVEit to deploy widespread ransomware in June.
Regulators are looking to extend regulations to cover supply chains, whether that is through flow-down of contract obligations by regulated entities, or increasingly by bringing critical third parties directly into scope of regulation. In the financial sector, the UK Treasury is consulting on its critical third party regime, EU regulators are doing the same under the Digital Operational Resilience Act (DORA), and Singapore is also looking to extend the scope of its Cybersecurity Act. 2024 will bring another tranche of supply chain regulations, as well as ongoing discussions about how to scenario test critical third parties and how to manage concentration around digital services.
We can also expect to see the EU Cyber Resilience Act entering into force shortly, starting the 36-month clock for manufacturers of software and products connected to the Internet to demonstrate compliance with new cyber security standards.
Protecting the community…
Ransomware isn’t going away. But it is interesting that targeting has increasingly shifted to small and medium-sized enterprises, as larger organisations improve their cyber security protection, detection and response measures. There is still money to be made by ransomware groups using a ransomware-as-a-service model, but it will be interesting to watch how they re-innovate their business models. Some have speculated about more sophisticated exploitation of stolen data, and a wider range of extortion techniques than simple encryption and denial of service.
From a national perspective it is easy to focus purely on protecting larger organisations, but in doing so we ignore the economic impact of widespread compromise of smaller firms, and also ignore the fact that key parts of our infrastructure and supply chain are operated by such firms. It’s always interesting to read the annual EU NIS investments report, and to note that the median number of information security professionals in EU critical infrastructure operators is five. In short, small, hard-pressed information security teams (or individuals) often have key roles in striving to protect against sophisticated threats.
It is no surprise then that we are likely to see further extension of national active cyber defence programmes (such as the UK’s scheme), community defence schemes such as the US’s Joint Cyber Defense Collaborative, and the proposed EU Cyber Solidarity Act to provide the legal basis for EU collective cyber defence. The partnership model between government and major tech/service providers will be the key to the success of these initiatives. Equally, we can expect to see additional regulation in many countries of managed service providers, on which many companies depend for secure service provision. The UK has already signalled its intention to do so.
Cyber is maturing – but that brings challenges too
Across an increasing range of industries regulators and lawmakers are focussing on cyber security and privacy. With that come growing demands for transparency around cyber incidents and data breaches. As the US moves to implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), a US DHS report highlighted over 50 separate federal cyber incident reporting regimes in operation. The newly introduced Securities and Exchange Commission (SEC) reporting obligation also came into force last December. We can expect greater regulatory intervention around cyber incidents and data breaches in 2024.
Cyber security in general feels like a sector which is maturing quickly. So expect more rule making, more professionalisation initiatives, more litigation and risk aversion. We are already seeing regulatory action against CISOs, most recently over SolarWinds, and I expect more to come in 2024 as the accountability frameworks strengthen. Economic headwinds are also creating tightening budgets, and a sense of cyber fatigue amongst some major firms. We need to be careful to remember that cyber security is not easy, failures happen and we are dealing with agile and innovative adversaries.
Resilience is on the minds of the finance community
Operational resilience is on the agenda of many financial institutions at the moment, most obviously in the UK as the regulatory compliance deadline of March 2025 approaches for the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) operational resilience regulations. In Europe banks are digesting the implications of DORA and the latest draft regulatory technical standards. Resilience discussions have turned to hard choices on funding as financial institutions debate severe but plausible scenarios, and just where to draw the line in terms of investment.
We can also expect regulators to focus on systemic risks as they begin to build a greater understanding of interconnectivity within the sector, with the European Central Bank already signalling its intention to run a cyber scenario exercise engaging 109 European banks.
AI changes everything for everybody
ChatGPT has arrived on the scene along with many cousins, and together they have changed public perceptions of artificial intelligence and large language models. 2024 will see the ethical debates spawned in 2023 continuing to develop. Who is liable for the functions and malfunctions of an AI, what are the consequences when an AI hallucinates, and what are the limits on the use of copyright materials to train AIs?
We can expect legislators to play catch up. Political consensus was finally reached on the EU AI Act between the EU Council and Parliament in December last year. This will take until the end of 2024 to make it to the statute books, following a “marathon” negotiation session and many adjustments to deal with general purpose generative AI models, as well as striking a political balance between innovation and regulation.
Firms will explore many potential applications of AI during 2024, and we can expect many debates around cyber security and privacy as they do. Unfortunately, organised crime will also explore AI adoption, and we can expect to see large scale use of AI to support targeted phishing attacks, as well as to automate aspects of vulnerability and system exploitation.
Deepfakes are here and it’s election year
Concerns over hostile state manipulation of the information space of other nations have grown. 2024 is election year, with close to half of the world’s population going to the polls, not least in the US, UK, Russia and India. We can expect to see deepfakes play a growing role in election campaigns, whether home-grown or the work of other nations’ intelligence services. These deepfakes will erode confidence in the election system and political parties, and in some cases will successfully exploit fault lines in society, with worrying results. The risk of disinformation and misinformation now ranks number 1 in the World Economic Forum global risk perceptions study, with an all too obvious link to risk number 3 on societal polarisation.
More generally, deepfakes will raise fundamental questions over the ownership of personal images and identities, open up new channels for fraud, and raise challenges around the adequacy of existing legal and regulatory instruments.
So… all in all…
2024 brings a year of political uncertainty, a year of increased regulation, a year of ethical and societal challenges around emerging technologies, and a year in which the risk of infrastructure disruption is rising. It is a year when cyber security and national security will be inextricably entwined, and a year when, more than ever, it is important to work as a community to deal with the challenges ahead.