December 21, 2021
The 5×5—Hindsight 2021: Cybersecurity is hard
When US President Joe Biden took office on January 20, 2021, his team immediately confronted the need to address one of the most consequential and widely publicized cyber-espionage campaigns in history. Less than two months prior to President Biden’s inauguration, details emerged on the hack of SolarWinds, a Texas-based software company whose compromised products would unwittingly go on to infect thousands of clients, including US government agencies. The campaign, dubbed Sunburst, ultimately targeted sensitive cloud environments for espionage purposes, precipitating long-overdue, widespread acknowledgement of the dangers of insecure software supply chains and eventually the Executive Order on Improving the Nation’s Cybersecurity—one of the most robust measures ever taken to improve the US cybersecurity.
It seems only fitting that now, one year after the public disclosure of Sunburst, a new security nightmare has come to light in the form of log4shell, a vulnerability in a broadly-used Java library that can grant adversaries access to computers running apps in Java. Attackers are already exploiting the vulnerability, demonstrating once more the serious consequences that faulty dependencies can have on large swaths of systems. Cybersecurity and Infrastructure Security Agency Director Jen Easterly referred to the vulnerability as “one of the most serious I’ve seen in my entire career, if not the most serious.”
Despite this, neither Sunburst nor log4shell were the trendiest cyber challenges of the year; that designation would have to go to ransomware. Though not a new threat, ransomware’s surge in 2021 thrust cybersecurity into the public attention like no cyber issue had ever been before. Ransomware attacks affected organizations across all sectors of the economy, including the largest fuel pipeline in the United States and the largest meat processor in the world, among many others. Amid the uptick in reporting on ransomware, as well as on issues like software supply chain security, about 90 percent of Americans now view cyberattacks as at least somewhat concerning, according to an October 2021 poll.
We brought together a group of distinguished experts to unpack the year that was and provide an outlook on the cyber policy challenges that lie ahead.
#1 What organization, public or private, had the greatest impact on cybersecurity in 2021?
Sherman Chu, lead technical cyber intelligence analyst, NYC Cyber Command:
“While not a singular organization, I believe that the joint global counter-ransomware operation carried out by law enforcement agencies from seventeen countries and INTERPOL had the most impact on cybersecurity this year. The resulting arrests and asset seizures reaffirm that national governments can effectively attribute cybercriminals and that ransomware operators are not immune to criminal consequences.”
Kurt John, chief cybersecurity officer, Siemens USA:
“The US government. Long-overdue guidance across various sectors, as well as federal contractors, will help harmonize the general approach to securing various operations. A measured, collaborative approach with industry is key to success here.”
Katie Nickels, nonresident senior fellow, Cyber Statecraft Initiative; director of intelligence, Red Canary:
“I think Colonial Pipeline had the greatest impact on cybersecurity this year. Though it sounds odd to name the victim of a major ransomware attack, the fallout from the Darkside attack on Colonial was crucial in pushing the US government to take meaningful action to fight ransomware.”
Bobbie Stempfley, nonresident senior fellow, Cyber Statecraft Initiative; vice president and business security unit officer, Dell Technologies:
“The Center for Internet Security (CIS), due to its release of key community-developed tools, Version 8 of the CIS Controls, and its associated Mobile and Cloud companions. These consensus-based guides were developed through an open, community-based process and serve as the foundation of several other important tools, the Community Defense Model and the Risk Assessment Method. All of these help organizations of any size more effectively mitigate the most prevalent cyberattacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory, and policy frameworks, and have recently been included in several states’ cybersecurity statutes. Beyond these community driven tools, in a time of unprecedented demand on healthcare partners, CIS also provided key ransomware protection capabilities to US public and private hospitals and related healthcare organizations at no cost to the healthcare providers.”
Josephine Wolff, nonresident senior fellow, Cyber Statecraft Initiative; assistant professor of cybersecurity policy, Tufts University’s Fletcher School of Law and Diplomacy:
“I am a little bit biased because I was finishing up a book about cyber insurance this year, but I think it is actually true that the insurers had the greatest impact on cybersecurity in 2021—advising policyholders about when to pay ransoms (as in the case of Colonial Pipeline), dictating which security practices and controls companies did (or did not) have to have in place to receive coverage, and trying to pin down definitions of what constitutes “cyberwar” in legal battles over whether or not they have to cover losses for incidents like 2017’s NotPetya attack. Insurers are increasingly shaping the cybersecurity landscape in terms of how companies prepare for cyberattacks, respond to them, and pay for them.”
#2 What was the most impactful cyber policy to be enacted in 2021?
Chu: “The “Infrastructure Investment and Jobs Act” included a myriad of funding for critical infrastructure and the new Office of the National Cyber Director. The bill also includes $1 billion for grants to improve state and local government cybersecurity, an often neglected-but-important facet of national cybersecurity.”
John: “Most definitely the INVEST in America Act. With billions of dollars to be spent to bolster cybersecurity across federal and state infrastructure, we are well positioned to make the type of changes necessary to help better protect our way of life.”
Nickels: “The most meaningful policy enacted in 2021 was President Biden’s Executive Order on Improving the Nation’s Cybersecurity. This order hit key cybersecurity issues that need to be addressed, including public-private partnerships, incident reporting, zero trust, multi-factor authentication, supply chain security, and improving federal government network security. While identifying these issues as a priority was impactful, additional action to follow up on this executive order in 2022 would be even more impactful.”
Stempfley: “The focus on supply chain security, including understanding the cyber elements of both digital and physical supply chains has the potential to be some of the most impactful elements of cyber policy. It is easy to think about supply chains as being just about components and containers, but two key areas require focus given that they span all supply chains: first, the automation and digitization of manufacturing, logistics, and key transportation systems increases the cyber risks that organizations face, and second, this digital transformation has made the software supply chains more visible and important.”
Wolff: “The Infrastructure Investment and Jobs Act certainly has the potential to be the most impactful cyber policy enacted in 2021 by allocating $1.9 billion in cybersecurity spending, though of course a lot depends on what that money is actually spent on. At present, the guidelines for that spending are pretty broad—$1 billion for grants to state, local, tribal, and territorial governments to strengthen cybersecurity, another $100 million for federal response to cybersecurity incidents, another $21 million to set up the Office of the National Cyber Director. All of those are initiatives that could be hugely important and impactful if done well.”
#3 What is the most important yet under-covered cyber incident of 2021?
Chu: “The Oldsmar Water Plant intrusion deserved more limelight and scrutiny. While the plant operator mitigated the attack’s impact and it would have been detected by other safeguards, the attack reemphasized the need to bolster critical infrastructure cybersecurity.”
John: “While it is difficult to be definitive, I think mergers and acquisitions. Playing the medium-term game, I think that attackers are compromising acquirable companies and waiting for those acquisitions to happen. It is a variant of the supply chain issue.”
Nickels: “Incidents involving cloud environments were under-covered throughout 2021, including NOBELIUM’s exploitation of trusted cloud relationships to move laterally between environments. Cloud environments are frequently misconfigured or unmonitored, making them an appealing target for adversaries. While NOBELIUM’s supply chain attacks made headlines, the group’s cloud activity was under-reported, despite it having the potential to cause massive damage.”
Wolff: “A lot of cybersecurity incidents were pretty well covered in 2021, thanks to the really remarkable and talented set of journalists working in this space. Speaking as someone who works at a university, I would like to see a little more coverage of incidents like the Howard University ransomware attack focusing on how the higher education victims of these types of attacks responded to and recovered from ransomware, not just what the immediate impacts were on their operations. But I think that is generally true of cybersecurity incidents. It would be good to have more coverage after an incident is over and resolved, looking back at what happened, and what everyone involved got right and got wrong.”
More from the Cyber Statecraft Initiative:
#4 What cybersecurity issue went unaddressed in 2021 but deserves greater attention in 2022?
Chu: “The pandemic forced both private and government organizations to pivot to remote workforce either temporarily or permanently. The rush to stand up remote work left security gaps, enlarging many organizations’ attack surfaces. Government, tech vendors, and cybersecurity firms should devote more capacity to address the growing remote workforce and provide technical and policy guidance.”
John: “Compromises focused on stealing research and development data. One of the reasons for the United States’ success is its ability to develop and quickly commercialize new technologies. By spending the collective funds to develop but then lose that data, the US economic and technological advantages are being impeded.”
Nickels: “Mobile device security is a hugely under-addressed issue that presents a significant risk. While monitoring of traditional enterprise endpoints and networks has improved, the mobile security space significantly lags behind in maturity. There needs to be a shift in attention to improve monitoring, detection, and response on mobile devices before adversaries ramp up targeting of this vulnerable attack surface.”
Stempfley: “The inability to reliably and consistently understand and quantify security risks and track the impacts of grant funding. The discussion on a Solarium Commission recommendation to create a Bureau of Cyber Statistics at the Department of Homeland Security started, but needs to continue into 2022 to help demystify the environment and allow the industry to move to more of a fact-based approach for policymaking and resource allocation.”
Wolff: “One thing that I would like to see discussed a little more, especially in policy circles, in the coming year is how we secure machine learning algorithms from manipulation and attack. There has been some debate over that in fairly vague, high-level terms, but very few concrete proposals for how to make algorithms more robust to different kinds of interference through policy measures—or even what types of attack or interference we should be focusing on in this space and what it would mean to make algorithms more secure against these threats.”
#5 Ransomware was the trending cybersecurity issue of 2021. Do you see this trend continuing in 2022 or will another cyber issue eclipse it? If so, which?
Chu: “Unfortunately, I believe that the ransomware trend will continue in 2022. However, I hope that more attention will be placed on assessing and understanding the attack flows of ransomware operations rather than the final impact itself.”
John: “Ransomware will continue to trend over the next couple of years, at least, unless something catastrophic happens. Ransomware is a general risk that impacts so many sectors—supply chain, maritime, finance, energy, and so on. We will be dealing with this for a while.”
Nickels: “I am confident that ransomware will continue to dominate the cybersecurity landscape in 2022. Though the US government has started to take action to turn the tide, ransomware has proven too profitable for adversaries to abandon it quickly. It will take continued multilateral action to put a dent in the ransomware problem.”
Stempfley: “Based on the current dynamics, ransomware will be here for a while.”
Wolff: “Ransomware definitely does not look like it is going anywhere in 2022. I would expect to see other, related policy issues (e.g., cryptocurrency regulation, security reporting requirements) receive greater attention as well as we continue to recognize the limitations of trying to take on ransomware without also tackling these other facets of the problem.”
Simon Handler is a fellow at the Atlantic Council’s Cyber Statecraft Initiative within the Scowcroft Center for Strategy and Security. He is also the editor-in-chief of The 5×5, a series on trends and themes in cyber policy. Follow him on Twitter @SimonPHandler.
The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.