One year ago, the global cybersecurity community looked back at 2021 as the year of ransomware, as the number of attacks nearly doubled over the previous year and involved high-profile targets such as the Colonial Pipeline—bringing media and policy attention to the issue. Now, a year later, the surge of ransomware has not slowed, as the number of attacks hit yet another record high—80 percent over 2021—despite initiatives from the White House and the Cybersecurity and Infrastructure Security Agency (CISA). The persistence of ransomware attacks shows that the challenge will not be solved by one government alone, but through cooperation with friends, competitors, and adversaries.
Russia’s full-scale invasion of Ukraine, the landmark development of 2022, indicates that this challenge will likely remain unsolved for a while. Roughly three-quarters of all ransomware revenue makes its way back to Russia-linked hacking groups, and cooperation with the Kremlin on countering these groups is unlikely to yield much progress anytime soon. Revelations in the aftermath of Russia’s invasion confirmed suspicions that Russian intelligence services not only tolerate ransomware groups but give some of them direct orders.
Ransomware was not the only cyber issue to define 2022, as other challenges continued, from operational technology to workforce development, and various public and private-sector organizations made notable progress in confronting them. We brought together a group of experts to review the highs and lows of the year in cybersecurity and look forward to 2023.
#1 What organization, public or private, had the greatest impact on cybersecurity in 2022?
Rep. Jim Langevin, US Representative (D-RI); former commissioner, Cyberspace Solarium Commission:
“I think we have really seen the Joint Cyber Defense Collaborative (JCDC) come into its own this year. We saw CISA, through JCDC, lead impressive and coordinated cyber defense efforts in response to some of the most critical cyber emergencies the Nation faced in 2022, including the Log4Shell vulnerability and the heightened threat of Russian cyberattacks after its invasion of Ukraine.”
Wendy Nather, nonresident senior fellow, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council; head of advisory CISOs, Cisco:
“I would argue that Twitter has had the most impact on cybersecurity. As a global nexus for public discourse, security research, threat intelligence sharing, media resources, and more, its recent implosion has disrupted essential communications and driven many cybersecurity stakeholders to seek connectivity elsewhere. We will probably continue to see the effects of this disruption well into 2023 and possibly beyond.”
Sarah Powazek, program director, Public Interest Cybersecurity, UC Berkeley Center for Long-Term Cybersecurity:
“CISA. The cross-sector performance goals and the sector-specific 100-Day Cyber Review Sprints this year are paving the way for a more complete understanding and encouragement of cybersecurity maturity in different industries. It is finally starting to feel like we have a federal home for nationwide cybersecurity defense.”
Megan Samford, nonresident senior fellow, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council; vice president and chief product security officer for energy management, Schneider Electric:
“I think all of us feel that it has to be the warfighting efforts that are going on in the background of the Ukraine war—these are the ‘known unknown’ efforts. If we take that off the table though, I would say it is not an organization at all, it is a standard (IEC 62443). As boring as it is to say that standards work, right now industry most needs time for the standards to be adopted to reach a minimum baseline. If we fail to achieve standardization, we will see regulation—both achieve the same things at different paces with different tradeoffs.”
Gavin Wilde, senior fellow, Technology and International Affairs Program, Carnegie Endowment for International Peace:
“The State Special Communications Service of Ukraine (SSSCIP), which has deftly defended and mitigated against Russian cyberattacks throughout Moscow’s war. SSSCIP’s ability to juggle those demands while coordinating and communicating with a vast array of state and commercial partners has improved the landscape for everyone.”
#2 What was the most impactful cyber policy or initiative of 2022?
Langevin: “The Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA. Its impact lies not only in its effect—which will dramatically improve the federal government’s visibility of cyber threats to critical infrastructure—but also in the example it has set for how Congress, the executive branch, and the private sector can effectively work together to craft major legislation that will make the country fundamentally safer in cyberspace.”
Nather: “I have to call out CISA’s election security support at this crucial point in our Nation’s fragile and chaotic state. It continues to provide excellent information and resources—particularly the wonderfully named ‘What to Expect When You are Expecting an Election’ and video training to help election workers protect themselves and the democratic process. Reaching out directly to stakeholders and citizens with the education they need is every bit as important as the ‘public-private partnership’ efforts that most citizens never encounter.”
Powazek: “CISA’s State and Local Cybersecurity Grant Program and Tribal Cybersecurity Grant Program. The programs will dole out $1 billion in cyber funding to state, local, tribal, and territorial governments over four years, with at least 25 percent of those funds earmarked for rural areas. If that money is invested well, it will be an incredible boon to critical public agencies struggling to improve their cybersecurity maturity, and it can better protect millions of people.”
Samford: “Software bill of materials (SBOM), but not for the reasons people may think. SBOM is a very useful tool in managing risk, provided that organizations already have good asset inventory capability. In operational technology, asset inventory is an area that asset owners continue to struggle with, so the benefit from SBOM is more of a long-term journey. That is why I say SBOM, but not for the reasons people think. In my mind what I think was most impressive around SBOM was that it demonstrated that the industry can successfully rally and rapidly standardize around very specific asks. SBOM came together because it had three things: 1) common industry understanding of the problem; 2) existing tooling that, for the most part, did not require new training; and 3) government policy and right-sized program management.”
Wilde: “The European Union’s proposed Cyber Resilience Act, which is poised to update and harmonize the regulatory environment across twenty-seven member states and set benchmarks for product and software security—particularly as both cybercrime and Internet-of-Things applications continue to proliferate. The proposals offer a stark contrast between a forward-looking regulatory regime, and a crisis-driven reporting and mitigation one.”
#3 What is the most important yet under-covered cyber incident of 2022?
Langevin: “I think it is worth reminding ourselves just how serious the ransomware attacks were that crippled the Costa Rican government this year. This was covered in the news, but from a policy perspective, I think it warrants a deeper conversation about what the United States can be doing on the international stage to double down on capacity-building and incident response efforts with allies, particularly those more vulnerable to such debilitating attacks. Part of that conversation needs to include a commitment to ensuring that our government actors, like the State Department’s Bureau of Cyberspace and Digital Policy, have the appropriate resources and authorities to effectively provide that assistance.”
Nather: “The Twilio breach (although Wired did a good job covering it). It is important because although SMS is a somewhat-reviled part of our security infrastructure, it is utterly necessary, and will continue to be long into the future.”
Powazek: “The Los Angeles Unified School District (LAUSD) ransomware attack by Vice Society was highly covered in the news, but I think the implications are resounding. LAUSD leaders refused to pay the ransom, maintained transparency with students and parents, and were able to move forward with minimal downtime. It was a masterclass in incident management, and I was thrilled to see a public institution take a stand against ransomware actors and recover quickly.”
Samford: “Uber’s chief information security officer (CISO) going to jail. This has turned the industry on its head and forced people to challenge what it means to be an executive in this industry and make decisions that can land you—not the chief executive officer or chief legal counsel—in jail. What is the compensation structure for this amount of risk taking? I have heard of CISOs being called the ‘chief look around the corner officer’ or the ‘chief translation officer,’ but now has the CISO become the ‘chief scapegoat officer’?”
Wilde: “The US Department of Justice’s use of ‘search and seizure’ authority (Rule 41 of the federal criminal code) to neutralize a botnet orchestrated by the Russian GRU. So many fascinating elements of this story—including the legal and technical implications of the operation, as well as the cultural shift at DOJ—seem to have gone underexamined. Move over, NSPM-13…”
#4 What cybersecurity issue went unaddressed in 2022 but deserves greater attention in 2023?
Langevin: “I am hopeful that this answer proves to be wrong before the end of the year, but right now, it is the lack of a fiscal year (FY) 2023 budget. The federal government has a wide array of new cybersecurity obligations stemming from recent legislation and Biden administration policy, but agencies will struggle to fulfill these responsibilities if Congress does not provide appropriate funding for them to do so. Keeping the government at FY22 funding levels simply is not good enough; if we want to see real progress, we need to pass a budget.”
Nather: “One trend I see is that there is almost no check on technological complexity, which is the nemesis of security. Simply slapping another ‘pane of glass’ on top of the muddled heap is not a long-term solution. I believe we will see more efforts to consolidate underlying infrastructure for many reasons, among them cost and ease of administration, but cybersecurity will be one of the loudest stakeholders.”
Powazek: “The United States still does not have a scalable solution for providing proactive cyber assessments to folks who cannot afford to hire a consulting firm. There are lots of toolkits available, but some organizations do not even have the staff or time to consume them, and there is no substitute for face-to-face assistance. We could use more solutions like cybersecurity clinics and regional cyber advisors that address this market failure and help organizations increase resiliency to cyberattacks.”
Samford: “Coordinated incident response as well as whistleblower protection. If you want safety-level protections in cybersecurity, you need safety-level whistleblower protections. In the culture of safety, based on decades of culture development and nurturing, whistleblowing is a key enabler. It is based on a basic truth that anyone in an organization can ‘stop the line’ if they see unsafe behavior. In cyber, we lack ‘stop the line’ power and, in many cases, individuals fail to report risk because of fear of attribution and retaliation. That is why, in my mind, the topic of whether or not whistleblower protection should become a cyber norm remains something that has gotten little attention but it is a critical decision point in how the cyber community wants to move forward. Will we have more of a tech-based culture or a safety-based culture?
As far as coordinated incident response, we estimate that upward of 80 percent of the cyber defense capacity resides in the private sector, yet very few mechanisms exist to coordinate these resources alongside a government-led response. We have not yet figured out how to tap that pool of resources, and I fear that we are going to have to learn it quickly one day should attacks occur that require rapid and consistent response coordination, such as a targeted cyberattack campaign linked with physical impact on critical infrastructures. Using the Incident Command System could solve for this, and the ICS4ICS program is picking up this challenge.”
Wilde: “Privacy and data protection. The ‘Wild West’ of data brokerages and opaque harvesting schemes that enables illicit targeting and exploitation of vulnerable groups poses as much a threat to national security as any foreign-owned applications or state intelligence agencies.”
#5 What do the results of the 2022 midterm elections in the United States portend for cybersecurity legislation in the 118th Congress?
Langevin: “The cybersecurity needs of the country are too great for Congress to get bogged down in partisan fighting, and I think there are bipartisan groups of lawmakers in both chambers who understand that. There may be philosophical differences on certain issues that are more pronounced in a divided Congress, but I expect that we will still see room for effective policymaking to improve the Nation’s cybersecurity. The key to progress, as it would have been no matter who controlled Congress, will be continuing to build Members’ policy capacity on these issues, lending a broader base of political support to those Members who understand the issues and can lead the charge on legislation.”
Nather: “Some of the centrist leaders from both parties who led on cybersecurity, such as John Katko (R-NY) and Jim Langevin (D-RI), are retiring. And Will Hurd (R-TX), who held a similar role—working across the aisle on cybersecurity issues—in the previous Congress, is gone. As the work on cybersecurity legislation has historically stayed largely above the political fray, it will be interesting to see who steps up to build consensus on this critical topic.”
Powazek: “The retirement of policy powerhouses Rep. John Katko and Rep. Jim Langevin leaves an opening for more cyber leadership, and the recent elections are our first glimpse of who those leaders may be. As a Californian, I am particularly excited about Rep. Ted Lieu and Senator Alex Padilla, both of whom are poised for cyber policy leadership.”
Samford: “More focus on zero trust, supply chain, and security of build environments. These are efforts that all have bipartisan support and engagement.”
Wilde: “The retirement of several of the most driven and conversant members does not bode well for major cybersecurity initiatives in Congress next session. Diminished expertise is not only a hurdle from a substantive perspective, but it also makes it difficult to avoid cyber issues falling victim to other political and legislative agendas from key committees.”
Simon Handler is a fellow at the Atlantic Council’s Cyber Statecraft Initiative within the Digital Forensic Research Lab (DFRLab). He is also the editor-in-chief of The 5×5, a series on trends and themes in cyber policy. Follow him on Twitter @SimonPHandler.
The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.