ISC2 Security Congress 2024: The Framework of Cyber Attacks by Nation-States


The current threat scenario involves nation-state agents as well as intruders who aim to showcase their abilities or generate income. At the ISC2 Security Congress in Las Vegas, CISA advisor and former New York Times cybersecurity journalist Nicole Perlroth described how cyber warfare has changed over the last 10 years. Her session closed the conference, which took place from Oct. 13-16.

Nation-state threat actors search for ‘target-rich, cyber-poor’ prey

Perlroth presented a timeline of nation-state incursions she investigated during her career in journalism, spanning from 2011 to 2021. The barriers to entry for attackers have escalated since she entered the field, with ransomware-as-a-service maturing into “a proficient economy.” The CrowdStrike incident highlighted the detrimental effects a widespread attack could have on operations.

While it was once believed that the United States’ geopolitical positioning shielded it from several threats, Perlroth debunked this notion by stating that “those boundaries no longer exist” in the realm of cyber threats. Similarly, the digital “periphery” has morphed into the domain of cloud, software as a service, and hybrid workforces.

According to Perlroth, “The new frontier is the people, it resides in the endpoints.”

Threats in this new era could take the form of deepfakes targeting CEOs or nation-state assaults on vital infrastructure. Perlroth chose to center her talk on Chinese state-sponsored attacks on U.S. infrastructure and enterprises, such as the 2018 cyber incident involving the Marriott hotel chain.

Organizations like Marriott or Change Healthcare were environments that were “target-rich, cyber-poor,” according to Perlroth. Such organizations might lack extensive, specialized cybersecurity units but hold valuable data, such as the personal details of government employees who might have used the healthcare system or stayed at a hotel.

Another target-rich, cyber-poor environment, according to Perlroth, is water treatment. Regional water treatment facilities might not employ dedicated cybersecurity experts, but any incursion by an adversary into water utilities could spell disaster.

“The code has now become the critical infrastructure, a realization we neglected to acknowledge,” said Perlroth.

Russia, China explore cyberattacks aligned with military ventures

Turning to the broader geopolitical picture, Perlroth said cybersecurity professionals should remain vigilant about Russia’s military drive and about China contemplating a potential move into Taiwan by 2027. Threat actors might choose to impede U.S. military movements or use social manipulation to influence public opinion. Although the U.S. holds a defense pact with Taiwan, China perceives the U.S. as vacillating in its defense of Ukraine, Perlroth said.

Perlroth remarked that geopolitical analysts anticipated more cyber attacks from Russia in sync with the assault on Ukraine. Even so, significant cyber attacks did occur around Ukraine, including DDoS attacks and the disruption of commercial ViaSat service just before the conflict began. According to Perlroth, PIPEDREAM, a malware affiliated with Russia, could have been devised to target U.S. infrastructure.

Generative AI revamps the playing field

“The principal evolution in cybersecurity has been AI,” emphasized Perlroth.

Perlroth said AI enables firms and threat actors to develop zero-day attacks and sell them to governments. Attackers can generate new code using AI techniques. Likewise, defenders equipped with AI can reduce the cost and time needed to counter major attacks. She foresees that the next major corporate breach, akin to the SolarWinds breach, will originate in systems related to generative AI.

Perlroth recommended that cybersecurity professionals look into ways to ensure employees interact securely with generative AI systems.

How can cybersecurity professionals brace for large-scale assaults?

“We should commence cataloging sector-wise details to identify the Change Healthcare equivalents in each sector,” remarked Perlroth. “Since we are aware that our adversaries are in pursuit of them, it would be beneficial if we could reach there before them.”

Perlroth said one positive is the heightened awareness of threats among cybersecurity professionals. They understand how to persuade top management on security issues for the overall well-being of the organization. According to Perlroth, CISOs have become a kind of business continuity officer, with strategies for resuming business quickly if an attack does occur.

Perlroth recommended that cybersecurity professionals account for aspects like culture, administration, finances, HR, education, and awareness within their organizations, in addition to technical expertise. The pivotal question cybersecurity professionals must ask themselves is still “What constitutes our vital assets and how do we safeguard them?”

While her talk emphasized the breadth and pervasiveness of threats, Perlroth clarified that her aim wasn’t to instill fear, a tactic often used to market security products. Nevertheless, cybersecurity professionals must strike a balance between sustaining confidence in existing systems and explaining that threats, including nation-state threats, are real. Instances like the disruption due to the PIPEDREAM attack should “instill immense hope,” according to Perlroth.

In her closing remarks, she expressed, “We have gleaned valuable insights on what we can achieve collaboratively in the government and private sectors when we unite for the cause of cyber defense.”

Disclaimer: The ISC2 covered my air travel, lodging, and some meals for the ISC2 Security Congress event conducted from Oct. 13-16 in Las Vegas.
