The Washington Post: Democracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

The top cyber risks to watch out for in 2023

Analysis by

with research by Vanessa Montalbano

February 13, 2023 at 7:15 a.m. EST

Welcome to The Cybersecurity 202! Saving you a click: No, SNL is not only funny when everyone breaks character. In fact, it’s almost never funny when someone breaks character.

Below: Israel’s leading technology university was reportedly hacked on Sunday and some Pentagon staffers are using unauthorized apps on government-issued devices. First:

The biggest risks in cyberspace in 2023 could come on defense, offense and the economy

The top cyber risks of 2023 range from growing geopolitical tensions to insufficient corporate leadership attention and the scarcity of cyber personnel, according to a new report from the Bipartisan Policy Center, a Washington think tank.

This year’s other top cybersecurity risks, according to the report, include technological advancement fueling a cyber arms race; economic uncertainty; lackluster preparation for cyberattacks; a patchwork of regulations; and vulnerable infrastructure.

The Bipartisan Policy Center report drew on the expertise of a working group made up of state government officials, former federal government leaders, and representatives from civil society groups and corporate giants like Bank of America and Comcast. Equifax provided support for the project.

I’m moderating a panel today at 10 a.m. Eastern at the Bipartisan Policy Center headquarters to discuss the report. Until then, here’s a rundown of some of its conclusions.

Offense-oriented risks

“Evolving geopolitical environment”

Rising international conflict and protectionism are driving risk, the center found. Russia’s war in Ukraine is the biggest factor, with the potential for cyberattacks to spill out of the borders of that conflict. But conflicts between China and Western nations, as well as conflict in the Middle East, are other drivers of risk.

“Accelerating cyber arms race”

Decades-old attacks can still be effective, but innovation causes problems for cyberdefense, the report observes. “Rapid and continual advancements in offensive and defensive capabilities require defenders to keep pace in an environment that disproportionately favors attackers,” it states. “Advances in artificial intelligence simultaneously offer great opportunity and danger, the democratization of advanced attack techniques, and unprecedented automation/scalability.”

Defense-oriented risks

“Vulnerable infrastructure”

Critical infrastructure will always be an attractive target for hackers, the Bipartisan Policy Center noted. At particular risk are smaller operators who rely on state and local agencies or third-party suppliers.

“Lack of investment, preparedness and resilience”

Neither governments nor businesses have adequately invested in preparing for disastrous cyberattacks, including ransomware, according to the report. A lack of preparedness, and reliance on third-party suppliers, also increases the risk of data breaches and loss of confidential information.

Economy-oriented risks

“Global economic head winds”

Stock market volatility, inflation and the chances of a recession stand to affect cyber risk in a number of ways, the report states. Chief among them is entities putting off cybersecurity to shift money to other priorities, but a recession also could lead investors to avoid putting money into cybersecurity start-ups.

“Lagging corporate governance”

Large firms have made “modest headway” toward adding cyber expertise to corporate boards and senior leadership, but too many still haven’t, the Bipartisan Policy Center concluded. Small- and medium-sized businesses have a particular lack of expertise. The Securities and Exchange Commission has proposed amendments to its rules that would require public companies to report periodically on management and board of directors expertise.

“Overlapping, confusing and subjective regulations”

“In the United States, and internationally as a consequence of their global nexus, companies navigate the complex patchwork of required cybersecurity, data security, and privacy regulations implemented by national, state, and local authorities, with varying prescriptive requirements,” the report reads. 

Governments need to settle questions such as what level of confirmation of a cyberattack triggers a requirement for a victim to report it to the government, according to the center. Some critics of strict notification requirements say that swift notification mandates can hamper responses to an incident, or lead to companies passing along useless, unconfirmed information.

“Talent scarcity”

Fortune 100 companies were less likely last year to report they had sufficient cyber talent — just 1 percent of them did — than in 2020, when 10 percent said they had enough. “The influence of COVID-driven educational attainment gaps that have yet to manifest might further contribute to the cybersecurity talent shortage,” the report says.

The rest

The Bipartisan Policy Center pointed out some smaller strategic and operational risks, with white-collar cybercrime (such as intellectual property theft) an example of the former and the commercialization of malware (such as dark web hacking kits) an example of the latter.

In its report, the think tank stops short of making recommendations to address the risks.

“We intentionally focused on identifying risks, not solutions, because various stakeholders may need to take different approaches,” the report states. “There are no one-size-fits-all fixes. Rather, these top risks must be considered individually by companies and collectively by the nation.”

The keys

Israeli cybersecurity officials plan to help top university recover from reported breach

One of Israel’s top technology universities, the Technion, was apparently breached by a new hacking group calling itself DarkBit, the Jerusalem Post’s Yonah Jeremy Bob reports.

The group is asking for 80 bitcoins, equal to around $1.7 million, to end the attack. It also said it would increase the ransom by 30 percent if the university does not pay within 48 hours.

The Israel National Cyber Directorate has already reached out to the university. The agency said it plans to assist with resolving the incident and will study its consequences to help defend institutions from these kinds of hacks, although it doesn’t have the authority to enforce cyber standards on schools. 

“The field of higher education has been a central target for cyber attackers, with the INCD identifying 53 [serious] incidents of such attacks in 2022, most of which were prevented,” the agency added. 

It’s not clear what caused the attack, but the university said that classes would resume as normal, with the only exception being that students’ devices must be disconnected from the Technion’s network.  

Hackers interrupt Iranian president’s TV speech

Anti-government hackers briefly interrupted a televised speech by Iranian President Ebrahim Raisi on Saturday, which marked the 44th anniversary of the country’s revolution, CNN reports.

The incident lasted for about a minute, with a logo appearing on the screen representing the “Edalate Ali” or “Justice for Ali” hacking group. In Tehran’s Azadi Square, where Raisi was delivering the speech, a voice shouted “Death to the Islamic Republic” during the interruption. Last year, hackers briefly disrupted state television.

The incident comes as young people and others continue to protest across the country and call for the removal of Raisi’s administration. After Mahsa Amini, 22, died in September while in the custody of Iran’s morality police, sparking a massive protest movement, “security forces have responded with a deadly crackdown to the protests, among the strongest challenges to the Islamic Republic since the 1979 revolution ended 2,500 years of monarchy,” CNN reports. 

Pentagon staffers found installing dating apps, games on government phones

Defense Department staffers are using unauthorized apps on government-issued devices, including apps for dating, video streaming, messaging and fantasy football, according to an inspector general’s report released Thursday, PC Magazine’s Michael Kan reports. 

The report stops short of naming the specific apps that were installed on Pentagon smartphones, but said the practice is a major issue because a lot of software from public app stores can collect personal data without the user’s full knowledge. In December, President Biden signed an order banning TikTok from government devices over concerns the Chinese government could pressure the app to spy on Americans. The U.S. Army banned the app on government devices in 2019.

“Many unmanaged applications routinely require access to a user’s contact list, location data and photo library that could reveal sensitive DoD locations and information,” the inspector general said. 

It blamed the Defense Department’s lack of “a comprehensive mobile device and application policy” for the unauthorized app use. In addition, the report alleges that some military departments offer no training to staff on appropriate app use. 

Pentagon officials responded to the report, writing to the watchdog that they agreed with some of the report’s findings.

Privacy patch

Now for sale: Data on your mental health (Drew Harwell)

Government scan

The FBI’s most controversial surveillance tool is under threat (Wired)

Cyber insecurity

Cybercriminals bypass ChatGPT restrictions to make malware worse, phishing emails better (the Rappler)

New ESXiArgs ransomware variant emerges after CISA releases decryptor tool (the Hacker News)

Ransomware crooks steal 3m+ patients' sensitive info (the Register)

Clop ransomware claims it breached 130 orgs using GoAnywhere zero-day (Bleeping Computer)

Daybook

  • The Bipartisan Policy Center holds a meeting with experts to discuss cybersecurity risks that companies, governments and individuals will face this year at 10 a.m. today. Your Cybersecurity 202 anchor, Tim Starks, will be hosting the event. 
  • The House Judiciary Committee holds a hearing to discuss protecting children online on Tuesday at 10 a.m.
  • The Senate Banking, Housing and Urban Affairs Committee will hold a meeting to examine why financial system safeguards are needed for digital assets on Tuesday at 10 a.m. 
  • The Future of Privacy Forum holds its 13th annual privacy papers for policymakers summit and awards ceremony on Thursday at 5:30 p.m.  
  • The National Association of State Election Directors holds its winter conference in D.C. Thursday through Saturday. 
  • The Intelligence and National Security Alliance holds its annual achievement awards on Thursday at 6 p.m. in Arlington, Va. 

Secure log off

Thanks for reading. See you tomorrow.