From Log4J to the Russian invasion of Ukraine, the events of 2022 have demonstrated that cyber incidents are a very real threat to the functioning of critical services, and one that needs to be taken seriously. Exiger’s Bob Kolasky reviews the biggest cyber risk trends from 2022, and what this will mean for the year ahead.
1. The rise of cyber risk business impact metrics
By the end of 2022, it was almost a cliché to say that “cyber risk needs to be thought of as a business risk.” The risk that companies face from ransomware attacks has been made abundantly clear and has forced the integration of network defense with business continuity planning and boardroom engagement.
Treating cyber risk as a threat to the bottom line will lead companies to spend more money on cyber security in the future. In fact, research firm CS Hub found that 63% of organizations surveyed say they are spending either slightly or significantly more than they did in FY 2021. When something gets the attention of corporate leadership, accountability increases – particularly accountability for demonstrating results linked to costs. Although the cyber metrics used in the C-suite and in associated enterprise risk management processes are still relatively immature, there is a lot of innovation in that space. In 2023, we can expect to see movement toward more standard business-impact metrics for cyber risk.
2. Advanced cyber insurance policies
With the continued surge in claims related to ransomware attacks, the cyber insurance market was significantly stressed in 2022. As more companies recognized the need to insure against ransomware, the insurance companies increased their exposure to risk. This has led insurers to condition policies on tighter cyber controls, which firms must demonstrate in order to obtain the coverage they want. Despite the fear that there would not be a viable cyber insurance market, investment in cyber insurance continues to increase, and better data on the effectiveness of security controls and their correlation with losses shows promise for pricing risk.
In 2023, insurance claims and coverage are likely to continue to increase. As that occurs, the maturity of how the market operates will increase as well. One issue that needs to be reviewed is the exclusions insurers apply for “acts of cyber war” and how broadly those exclusions will be enforced. High-profile court cases related to the 2017 Russian NotPetya attack have indicated that courts may not agree with the way insurance providers currently try to enforce war exclusions, which will create more exposure for those companies. There will also be continued policy debate on whether a Federal “backstop” is needed to protect the cyber insurance market from systemic risk. However, establishing that backstop is unlikely given the high potential for gridlock in Congress.
3. The integration of cyber operations and war
The phrase “Cyber War” has been bandied about for years, and debates over whether cyber-attacks are “acts of war” are not new. Still, 2022 was the first time we saw two countries waging a physical war while also engaging in open cyber conflict. The Russian government clearly deployed cyber-attacks as part of its war plans – directed at Ukrainian critical infrastructure and other command-and-control targets, as well as through social engineering aimed at undermining Ukrainian citizens’ support for their government. However, Russia’s offensive cyber operations have had limited success. While cyber-attacks can cause harm, kinetic weapons still dominate the battlefield and are significantly more dangerous. Countries are likely to continue integrating cyber operations into their warfighting plans, but those operations have yet to be deployed in a way that fundamentally alters warfare.
In the near future, we can expect deeper study of how Ukrainian cyber defenses, coupled with support from allies and non-governmental organizations, performed in stymying Russian cyber weaponry. Cyber “battlefield” tactics will evolve based on lessons learned, lessons that could become particularly important if tensions continue to rise around China’s saber-rattling against Taiwan. This is therefore an urgent issue for the U.S. national security community.
4. “Shields Up” fatigue
In November 2021, the U.S. Government began classified-level meetings with critical infrastructure companies to alert them to concerns about Russia invading Ukraine and the potential for spillover via cyber – or other types of – attacks on U.S. interests, including critical infrastructure. By January, much of this discussion had moved out of classified settings, with the warnings amplified publicly by administration officials. My then-colleagues at CISA brought back the previously used idea of “Shields Up” to highlight the need for companies to be at peak performance in network defense.
The consensus is that this has been effective messaging: proactive strategic warning by the U.S. government can drive private-sector defensive practices, and governments can declassify intelligence for defensive purposes. However, although the worst-case scenario has not yet occurred, officials believe the risk remains and have therefore urged a semi-permanent “Shields Up” posture given the geopolitical situation. At some point, however, this is likely to strain the cyber defense community, and it will be hard to maintain heightened security postures in perpetuity without surges in workforce and tooling.
5. Increasing cyber requirements
At the start of this year, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act, which mandated that critical infrastructure companies report cyber incidents to CISA within 72 hours. The SEC also took actions throughout the year to require additional cyber reporting, while the Biden administration, along with its European and Australian counterparts, continued to suggest that additional security requirements should be placed on critical infrastructure companies, with a focus on key “lifeline” functions. It has become clear that policymakers are not going to accept a purely voluntary approach to industry cyber security and will continue to look for ways to place more requirements on companies, especially those that own and operate critical infrastructure.
As I have written previously, increasing requirements only works if the requirements make sense, can be linked to measurable outcomes, and adapt to emerging threats. This is a high bar to clear; it requires collaboration between industry and government in implementation and a focus on security outcomes rather than compliance costs. In 2023 we’ll see these administrative details fleshed out and get a better sense of whether cyber requirements can be effectively designed and implemented.
6. Software supply chains are the next security frontier
Organizations have by no means fully learned to secure their core information technology and operational technology systems, so it seems unfair to layer on a new network security challenge. That being said, the ubiquity of third-party software in core business operations has introduced a significant new risk to entities. Software supply chain attacks proliferated in 2022 as a backdoor into operational targets, and managing software supply chain risk is now a core part of cyber security.
Managing software vulnerabilities requires deeper knowledge of critical software, the development processes behind that software, active vulnerability management, and the ability to automate these processes. The tools to do all of this are not widely deployed, meaning that controls are likely inadequate. 2023 will be a year in which initial Federal requirements for software bills of materials (SBOMs) and secure software development processes come to fruition, which will drive the marketplace and innovation in tooling. It remains to be seen whether additional transparency will significantly reduce software supply chain risk, but it is certainly a necessary step.
About the author: Bob Kolasky is Senior Vice President for Critical Infrastructure at Exiger where he focuses on developing cutting-edge third-party risk