
The 5x5

December 13, 2023

The 5×5—2023: The cybersecurity year in review

By Simon Handler

This article is part of The 5×5, a monthly series by the Cyber Statecraft Initiative, in which five featured experts answer five questions on a common theme, trend, or current event in the world of cyber. Interested in the 5×5 and want to see a particular topic, event, or question covered? Contact Simon Handler with the Cyber Statecraft Initiative at SHandler@atlanticcouncil.org.

It has been a busy year in cybersecurity and in the land of policy. On March 2, 2023, the Biden administration released its long-awaited National Cybersecurity Strategy, laying out an ambitious plan to maintain the United States’ advantage in cyberspace and boost the security and resilience of critical technical systems across the economy and society. The document was followed by its Implementation Plan and the National Cyber Workforce and Education Strategy later that summer.

This year saw other noteworthy developments, including cybersecurity failures that resulted in major hacks of organizations ranging from T-Mobile and 23andMe to critical infrastructure in Guam and the Ukrainian military amidst its war with Russia. There has been no shortage of things to discuss in 2023, so we brought together a group of Atlantic Council fellows to review the past year in cybersecurity: which organizations and initiatives made positive steps, and where improvement is needed going forward.

Editors’ note: The 5×5’s founder and inaugural editor, Simon Handler, is moving on to new adventures, but it bears a note of thanks to Simon for his wit and work ethic in taking this series from an idea through to forty-two issues over the last four years. The series continues, but meanwhile thank you, Simon, and good luck.

#1 What organization, public or private, had the greatest impact on cybersecurity in 2023? 

Amélie Koran, nonresident senior fellow, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council

“Progress Software, the makers of the MOVEit file transfer service, which has been the gift that has kept on giving this year when it comes to notable breaches. It has impacted private and public sector organizations and over sixty million individuals around the world, with more than 80 percent of the impacted organizations based in the United States. There was rarely a cybersecurity-adjacent news story in 2023 that did not have a component tied to this software.”

John Speed Meyers, nonresident senior fellow, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council; principal research scientist, Chainguard

“Since there is not, to a first approximation, a scale on which cybersecurity has been or is measured, it is hard for me to say anything objective. That said, assuming the scale extends below zero, I would like to vote for C and C++ software developers.” 

Justin Sherman, nonresident senior fellow, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council; founder and chief executive officer, Global Cyber Strategies

“There are, in some ways, too many to pick from—both good and bad. On the positive side in 2023, the United Kingdom’s National Cyber Security Centre continues to roll out voluntary, systemic internet security protections for British networks and organizations, most recently offering its free Domain Name System (DNS) security service to schools. Such decisions exemplify the concept of security at scale, identifying the points with great ‘leverage’ to improve security, something with which US policy still struggles. On the side of undermining US cybersecurity, the Chinese government’s expanded efforts to require companies to disclose software vulnerabilities to the state increase a number of hacking risks to the United States and plenty of other countries.”

Maggie Smith, nonresident senior fellow, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council; director, Cyber Project, Irregular Warfare Initiative

“I think everyone’s mind immediately goes to Microsoft and its ongoing efforts to assist Ukraine. But I think the company’s impact on cybersecurity goes beyond the all-consuming narrative around the role of the private sector before, during, and in the aftermath of conflict. In September, I read a great post by Cynthia Brumfield on the <Meta>curity Substack (I highly recommend subscribing to its ‘Best Infosec-Related Long Reads for the Week’) about the technical blunders made by Microsoft that gave Chinese actors access to US government emails. For me, it tied a bow around how I feel about how to approach cybersecurity: there is no silver bullet, and no one is ever truly secure. China’s hack highlighted how a company that is literally helping prevent catastrophic cyberattacks can simultaneously be the victim of one. This is a dichotomy inherent to the domain of cyberspace and the impact of seeing it so publicly with Microsoft was my 2023 cybersecurity ‘woah’ moment.” 

Bobbie Stempfley, nonresident senior fellow, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council; vice president and business unit security officer, Dell Technologies

“It is hard not to say that the Securities and Exchange Commission (SEC) has had the greatest impact on cybersecurity, given how active it has been in this space. That being said, recognizing the National Institute of Standards and Technology and its publication of post-quantum encryption standards for three of its four selected algorithms and intention to evaluate the next wave of algorithms has great impact on national security.”

#2 What was the most impactful cyber policy or initiative of 2023? 

Koran: “I would say that the US National Cybersecurity Strategy would count in this category because it was released, debated, and followed with an implementation plan. Getting any policy or directive out of the government and through the gauntlet of reviews, markup, critique, and public consumption is to be lauded. Is it perfect? No. Is it a good start? Yes. For it to succeed and the United States to continue to lead in these policy areas, policymakers need to maintain, revise, and consider it a living document. For the implementation plan, leaders need to realize that these were lofty goals with aggressive timelines—many of which may be missed—but to keep trying.”

Meyers: “Overlooking the aforementioned lack of a cybersecurity impact scale, I would nominate the Internet Security Research Group’s Prossimo project or, more parochially, the creation of Wolfi, a new security-first Linux distribution.” 

Sherman: “The 2023 US National Cybersecurity Strategy is particularly significant because of its strong, explicit bent toward regulation. It is the product of an important, positive, and long overdue decision to focus US cyber policy on where and why companies are not investing in cybersecurity, rather than continue to speak purely about public-private partnerships and ignore the failures of the market to address the risks to citizens, businesses, and the country. As a point of comparison for this shift, the 2023 cyber strategy mentions ‘regulation’ or some variant of it forty times—while the previous National Cyber Strategy, released in 2018, did not say ‘regulation’ once.” 

Smith: “For impact in 2023, the Department of Defense (DoD) Cyber Strategy is at the top of my list because it places a hard stop on DoD by clearly defining its jurisdictional limits. With the rise of ransomware and other forms of pervasive cybercrime, US Cyber Command has often worked to support other US entities to combat attacks. Many viewed DoD’s activity as blurring the line and stepping dangerously close to getting involved in domestic cybersecurity. The 2023 DoD Cyber Strategy clearly draws the line: The Department, in particular, lacks the authority to employ military forces to defend private companies against cyber-attacks. It may do so only if directed by the President, or (1) if the Secretary of Defense or other appropriate DoD official approves a request for defense support of civil authorities from the Department of Homeland Security, Federal Bureau of Investigation, or another appropriate lead Federal agency; (2) at the invitation of such a company; and (3) in coordination with the relevant local or Federal authority. Given this—and the limited circumstances in which military cyber forces would be asked to defend civilian critical infrastructure—the Department will not posture itself to defend every private sector network.” 

Stempfley: “The Delaware Court of Chancery ruling that expands the duty of care from ‘directors’ to ‘officers’ and takes an expansive view of what an officer is at a company. The ruling in the McDonald’s Corporation Stockholder Derivative Litigation, while not getting the same attention as the SEC rule or the National Cyber Strategy, is creating impact by lining up top-to-bottom conversations about cyber risks in organizations. Additionally, it is likely to lead to more standardization and clarity around the role of the Chief Information Security Officer and other relevant officers.”

#3 What is the most important yet under-reported cyber incident of 2023?

Koran: “The T-Mobile data breaches. If we answer the question of ‘what day is it?’ and reply ‘another day for a T-Mobile breach,’ the company has not learned from its long history of breaches, nor has the regulatory framework aided in curbing the regularity and impact of these breaches. While other telecommunications companies have not had as many regular lapses as T-Mobile has had, one wonders what makes them different than the others and if the issue can be remedied. Additionally, the company has decided to cut more jobs and the only thing keeping people away from sensitive areas of the company is a sign on the door of a data center with a strongly worded message of ‘please do not steal any more data.’”

Meyers: “Using a loose definition of ‘incident,’ I would like to nominate the Cyber Safety Review Board’s decision to investigate the extortion activities of Lapsus$ prior to investigating the Russian intelligence agencies’ epic SolarWinds hack.” 

Sherman: “Among others—recognizing that I am cheating on this response by picking a few—a Chinese state-sponsored group called Volt Typhoon hacked US critical infrastructure systems, including in Guam, which speaks to the cyber-focused risks associated with any potential kinetic conflict with Beijing in the future; hackers exploited the log4j vulnerability to hack into devices and then sell the information to ‘proxyware’ services, which speaks to the intersection of major vulnerabilities and the cryptojacking, adware, and other similar markets; and Russia’s military intelligence agency built malware specifically targeting Android devices to spy on Ukrainian devices and, for a period, gained access to the Ukrainian military’s combat data exchange.” 

Smith: “Earlier this year genetic testing company 23andMe was hacked multiple times. For a long time, I have wondered about mail-order DNA kits and how they store, protect, and manage an individual’s data—consumer genetic testing data, for example, does not fall under the Health Insurance Portability and Accountability Act (HIPAA). As someone who has done genetic testing for a medical reason and felt the ripple effects of what it can reveal, the 23andMe hacks confirmed my fears that sensitive, personal genetic information gathered for commercial purposes may put marginalized groups at risk if stolen. Many genetic mutations, for example, fall in the ‘founder mutation’ category, meaning the mutation is observed with high frequency in a group that is or was geographically or culturally isolated, in which one or more of the ancestors was a carrier of the altered gene. Therefore, it is relatively easy to determine a person’s ethnicity if a founder mutation is present. 23andMe tests for many known founder mutations because they do tell people a lot about their personal history. With antisemitism at peak levels and the first 23andMe hack targeting those of Ashkenazi Jewish heritage, I think the hacking of commercial genetic data deserves a lot more attention.” 

Stempfley: “Ransomware has gotten a great deal of coverage, from the Ransomware Task Force to its highlights in the Verizon Data Breach Report (VDBR) and the financial impact—so what is under-reported in ransomware? The now documented impact to public safety. Early in the year, published research explicitly tied ransomware at hospitals and health care delivery points to impact to patient care. This study showed that in 44 percent of the cases that were studied, patient care was impeded, leading to negative patient outcomes. This report was published in the Journal of the American Medical Association, a mainstream medical journal, not in a security publication.”


#4 What cybersecurity issue went unaddressed in 2023 but deserves greater attention in 2024? 

Koran: “Not to flog the buzzwords, but better forward-leaning policies and regulations toward security in artificial intelligence (AI) and large language model (LLM) services deserve more attention. Putting these tools and services on the market well before their safety has been successfully worked out, vetted, and peer reviewed greatly increases risk to critical and non-critical infrastructure. While these tools may not be directly flipping switches at power plants and hospitals, the impact of their generated content on mis- and disinformation, at a time when the public is not critically thinking about their output, is dangerous. Even non-LLM or AI-based tools that are labelled as being backed or run by these technologies not only engender a false sense of safety and completeness but also fuel the hype train.” 

Meyers: “The ungodly amount of time that software professionals spend identifying, triaging, and remediating known software vulnerabilities. I thought computers were supposed to make our lives better.” 

Sherman: “Some of the most important protocols for internet traffic transmission globally, such as the Border Gateway Protocol (BGP), remain fundamentally insecure, and many companies and organizations still have not implemented the available cybersecurity improvements. Policymakers should also remember, amid excitement, fear, and craze about generative AI, to think about the cybersecurity of physical internet infrastructure that underpins GenAI—such as the cloud computing systems used to train and deploy models.” 

Smith: “In March, the Environmental Protection Agency (EPA) released a memorandum stressing the need for states to assess cybersecurity risk to drinking water systems and issued a new rule that added cybersecurity assessments to annual state-led Sanitary Survey Programs for public water systems. However, the EPA rescinded the rule after legal challenges. Attorneys general in Iowa, Arkansas, and Missouri, joined by the American Water Works Association and the National Rural Water Association, claimed that making the cybersecurity improvements was too costly for suppliers and those costs would pass to the consumers. Importantly, EPA Assistant Administrator Radhika Fox warned, ‘cyberattacks have the potential to contaminate drinking water, which threatens public health.’ I hope to see more action to protect our public water systems, as well as other systems critical to public health and welfare.”

Stempfley: “The impact of Generative AI on entry-level positions in the cyber workforce [deserves greater attention]. The cyber workforce shortage has been widely reported, as has the challenge that many new entrants to the field have experienced, but we have not begun to talk about how the impacts from this technology will be disproportionately aligned to those least experienced in the field, potentially doing away with most entry level roles. If this happens, it will require us to think about the workforce in different ways.” 

#5 At year’s end, how do you assess the efficacy of the Biden administration’s 2023 National Cybersecurity Strategy?

Koran: “In a short word, it has been ineffective—despite, as I note above, being the most impactful. Barring the momentum of the software bill of materials (SBOM) message train, the suggested movements by public and private sector organizations to align with the strategy have been resisted or questioned, even though many of the ideas and efforts proposed are laudable. There was not a lot of momentum for these groups to push some of these efforts, and it will take years, not weeks or months, to meet the strategy’s goals. The strategy is a way finder, but Congress—in disarray for quite some time—needs to act to power it. Until Congress passes legislation and appropriations that support government efforts, private sector organizations will have little reason to align unless the market demands change. Everything else has also been overshadowed by global events and politics, and momentum to achieve the goals set out by the strategy will be hard to come by.” 

Meyers: “To be determined. Perhaps it shifted the Overton window on software security and liability, though I suspect that general suspicion of large technology companies did that more than the issuing of any one strategy.” 

Sherman: “The Biden administration’s strategy, particularly with its emphasis on regulation, is an important and long-overdue shift in how the US government is messaging and advancing its cybersecurity policy. However, there is still much to be done, and it is not yet clear exactly how the administration intends to implement the emphasis on regulation in practice—the implementation guidance for the National Cybersecurity Strategy entirely omitted certain sections of the Strategy itself.” 

Smith: “I think it is too early to assess the efficacy of the strategy, but I do think that it is a step forward. As a wild example, the October 22 60 Minutes brought the Five Eyes (United States, Australia, New Zealand, United Kingdom, and Canada) intelligence chiefs together for an interview—something that has never happened before! Before the interview they released a rare joint statement to confront the ‘unprecedented threat’ China poses to the innovation world, and that from quantum technology and robotics to biotechnology and artificial intelligence, China is stealing secrets in various sectors. The best part about the interview, in my opinion, is that it is conducted in a sparse, dimly lit room with all the chiefs sitting around a nondescript round table, adding to the spook factor!”

Stempfley: “The National Cybersecurity Strategy, its associated implementation plan, and workforce strategy have been important documents and have certainly set the national direction—this direction has served the administration well in domestic and international discussions. The strategy’s influence in the federal budget process and in those elements of industry that do not typically engage in public-private partnerships has not been as substantive as hoped.”

Simon Handler is a fellow at the Atlantic Council’s Cyber Statecraft Initiative within the Digital Forensic Research Lab (DFRLab). He is also the editor-in-chief of The 5×5, a series on trends and themes in cyber policy. Follow him on Twitter @SimonPHandler.

The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.
