In an ever-accelerating world, technological advances, geopolitical quagmires, and dark new innovations spread among a wide spectrum of bad actors. As a result, governments, businesses, and individual citizens across the globe face significantly heightened cyber risk.
Combine these threats with ever-evolving, increasingly stringent cyber regulation, and it is more critical than ever for corporations to strengthen their commitment to and oversight of strategic cyber risk management, governance, and operations.
Four trends are likely to dominate the cybersecurity discussion in the months and years ahead.
Cyberattacks spike from geopolitical conflict
Russia’s invasion of Ukraine represents the first protracted land war in Europe since World War II, with a death toll comparable to other major conflicts throughout history. Yet this is also a 21st century event, with new battle dynamics and capabilities and an unprecedented impact on cybersecurity. The Financial Services Information Sharing and Analysis Center (FS-ISAC) recently released its annual global intelligence threat report, calling the Russia-Ukraine war “by far, the most significant impact on the financial services cyber threat landscape.”
Leadership of this intelligence-sharing community reported that the conflict has triggered a surge in hacktivism, unleashing groups that have carried out distributed denial of service (DDoS) attacks, website takeovers, and other activities. In all, DDoS attacks jumped 22% globally last year, and increases are expected through 2023 and beyond.
The war in Ukraine has sparked not just an increase in attacks but also new types of attacks. It has produced at least two new types of ransomware and nine new families of “wipers,” or malware that destroys data across the computers and systems it infects. As the number of wipers increases, it adds to the risk of spillover events such as the 2017 NotPetya incident, when Russian actors targeted Ukrainian organizations with a wiper variant of the malware Petya. The malware quickly spread beyond Ukraine and cost companies around the world an estimated $10 billion in damages.
Even when the war concludes, there is a high likelihood a new era of geopolitical tension will remain, with heightened cyber-risk. The FS-ISAC said it expects more cyberthreats stemming from geopolitical power dynamics and conflict across other potential regions. Heightened tension in Asia and the potential for ideologically driven attacks on Western commerce and critical services such as power, communications, financial services, transportation, and healthcare could threaten resiliency, national security, and societal harmony.
Generative AI ramps up risk
Generative artificial intelligence (AI) capabilities like ChatGPT are ushering in an era of amazing digital innovations and workforce productivity gains. But such tools are also a boon to cybercriminals. With the ability to quickly recognize, summarize, and generate plausible content and emulations such as “deepfakes,” generative AI has the potential to enable bad actors to rapidly scale and deploy cyber campaigns including phishing, business email compromise, disinformation, and more.
Since its release to the public last November, ChatGPT, by US-based OpenAI, has already been successfully coaxed by users’ prompts into designing persuasive phishing lures. Having learned to write computer code in many programming languages, ChatGPT and other AI tools can lower the barrier to entry for those lacking technical ability who want to carry out malicious cyber activities. Researchers at CyberArk recently developed sophisticated “polymorphic” malware with code generated in response to plain-English prompts they fed to ChatGPT. As the researchers report, the resulting program is highly evasive and difficult to detect.
While the worst outcomes of generative AI are merely thought experiments now, geopolitical tension could amplify cybersecurity risks. OpenAI invites security researchers to report issues and then implements guardrails to at least try to prevent ChatGPT from producing dangerous responses. That’s why the researchers at CyberArk had to cleverly word their prompts to convince ChatGPT to write malware. There’s no guarantee, however, that hostile actors won’t leverage a similar AI capability free of such guardrails. In an equally risky scenario, generative AI could be given prejudiced parameters with ambitions to produce incendiary notices, unsettling narratives, or doctrine-driven disinformation.
Stringent cybersecurity regulation is coming
Going into 2023, the Biden administration released the long-awaited US National Cybersecurity Strategy. It calls for a rebalance of the responsibility to defend cyberspace away from individuals, small businesses, and local governments, and toward “owners and operators of the systems that hold our data and make our society function.” Soon regulators are likely to require companies to implement minimum cybersecurity measures for critical infrastructure and to establish liability for software producers and providers. While the impact of the National Cybersecurity Strategy across the commercial arena remains to be seen, sectors like financial services that are already heavily regulated will need to prepare for more.
Companies embrace stronger cyber-risk oversight
In light of the current threat landscape and increased governance, defense, and resiliency expectations across regulators, the role of board and executive oversight for cyber-risk management is more critical than ever.
Executives should promptly review the National Association of Corporate Directors’ 2023 Director Handbook on Cyber Risk Oversight, released in April. It lays out expanded key principles of oversight on cybersecurity as well as guidance and tools to help boards and management put the principles into practice. In particular, executives should study the sections on board oversight structure and access to expertise, as well as cybersecurity measurement and reporting.
It’s also not too early to think through the practical steps for mitigating cyber-risks from generative AI at the organizational level. As a start, policies, standards, and, critically, training need to be updated to increase risk awareness. Employees will soon be facing more sophisticated phishing attacks in fluent, conversational language — if they aren’t already.
As rising geopolitical tensions and technological innovations create a Pandora’s box of new cyber risks, companies need to seize the moment to protect their franchises — and employees — before trouble strikes.