The Humble CISO 2023
On the last day of 2023, the overall assessment of the year may be that it has been a humbling experience. Again.
The average cost of a data breach reached an all-time high of USD 4.45 million.¹ Vendor exploitation attacks, like those on SolarWinds, MOVEit, or GoAnywhere, sent shock waves through global supply chains.²
Ransomware is now marketed as a service by professional criminals and can be purchased like any other SaaS product. National Cyber Security Centres and government boards around the world assess the risk of ransomware attacks as “high” and the threat to critical infrastructures as “catastrophic”.³ Future attacks will have the power to wipe out the computer networks that make up the fabric of our financial, medical, and logistical infrastructures.
Attackers are starting to use AI-powered techniques, allowing fully automated attacks at a quality and scale never seen before. Expect waves of AI-powered attacks that will target all types of organizations worldwide.
These attacks will cause disruptions to society orders of magnitude larger than what we have seen so far. Small and large organizations face the imminent threat of experiencing a cybersecurity breach, as it is impossible to guarantee against hacking incidents across the entire supply chain.
So, at the end of this year, cyber security has again grown in a direction that points towards one’s limitations. As a CISO, one no longer juggles a steady waterfall of cyber risks; this year it became a torrent of interwoven developments and complexities. In 2023, these developments have washed over us in huge waves, sometimes within just a few months.
Overall, in the past year we have witnessed not just one humbling trend (as in 2021⁴ and 2022⁵) but four.
1. Generative Artificial Intelligence
The year started in fast forward when OpenAI presented the first commercially available large language model (LLM). A recent CISO survey reveals that a third of CISOs are now using AI for security (not just generative AI but also natural language processing), and more than half will likely use it in the next year. Some 9 out of 10 CISOs believe that generative AI will alleviate security skills gaps and talent shortages.⁶
Yet the risks of generative AI are also plentiful, and they come on top of existing information security risks.⁷ Data leakage is a huge concern. Any employee can use ChatGPT for almost anything: writing code, and thereby leaking intellectual property or confidential credentials; asking for suggestions for the next organizational move, and thereby leaking personally identifiable or strategic business information.
Yet most concerning about AI is that nation-state-supported cybergangs from China, Russia, North Korea, and Iran, as well as armies of lone hackers, now have the power of generative AI at their fingertips. This will significantly impact their operations regarding scale and quality.⁸
Ransomware, zero-day exploits, file-less attacks, and backdoor malware will become dramatically better, much more challenging to detect, and easier to distribute.⁹ The better quality is due to AI-powered copilots, which allow attackers to write more complex code quickly, exploit known vulnerabilities significantly faster, or auto-translate malicious code from one programming language to another. It’s now easy to open the Pandora’s box of vulnerabilities that hide in long-forgotten frameworks or programming languages, because generative AI takes away the burden of writing malicious code in obscure languages introduced decades ago yet still in use (for instance, font-definition files, which a malicious actor can use to create zero-click exploits of iPhones).¹⁰
Many new types of ransomware are now developed in the programming language Rust, which allows for easy cross-platform capabilities. A single piece of malware can now simultaneously target Windows, Linux, Apple, Android, and iOS systems.¹¹ Detection of malware has become significantly harder because LLMs can be used to dynamically synthesize code, which can obfuscate code footprints and application behavior on the fly. The level of sophistication available to attackers has grown exponentially with generative AI, and the sheer increase in the speed at which attacks are developed is mind-boggling.
For distribution, generative AI can be utilized in phishing campaigns. Spear-phishing at scale is now perfectly possible. What used to be a slow, laborious task (targeting a specific individual with enough domain and cultural context to be convincing) can now be fully automated. Even the poor nephew of the long-lost prince in Nigeria can target individuals at scale with nothing more than a laptop, by sending out high-quality generated content and material, including voice and video. Automated delivery of malicious content in any language of the world, in near-perfect spelling and grammar, can now be orchestrated by a single attacker across any medium, including e-mail, SMS, chat applications, social media, websites, phone calls, and video conferences. Attackers only need basic information, such as names, job titles, departments, or vendors, to target individuals with personalized, relevant and seemingly authentic messages.
The grand solution to this is now often sold by vendors of defensive software solutions as being Artificial Intelligence. Yet, in the current cat-and-mouse game, attackers have significantly more advantages by using AI. Of course, automation and AI on the defensive side will continue to be vital, yet what we need most in the cyber domain now is curious and creative people. We need high-performing security operations teams, happy, motivated, competent penetration testers, ethical hackers, red teamers, and any cyber security person with a knack for finding new ways to defend systems against exploitation.¹²
2. Supply Chain Attacks
In the biggest hack of the year, malware was placed on servers running MOVEit, a popular file transfer product that organizations use to move large amounts of often sensitive files and data over the internet. The compromise allowed hackers to infiltrate over 2,300 organizations, including top-notch financial institutions, health insurers, hospitals, and car manufacturers.¹³ The hack has affected 65 million individuals so far and caused an estimated global cost of more than 10 billion USD, half the annual profit of a company like Mercedes-Benz.
The number of software packages affected in supply chain attacks worldwide increased more than a hundredfold in the past few years, from around 700 in 2019 to more than 185,000 today. The expected global cost of software supply chain attacks to businesses will reach nearly USD 140 billion in about five years, up from 45 billion today.¹⁴
Managing supply chain risk is the biggest headache for most CISOs because almost every organization nowadays builds services and applications in a modular fashion. This means there are a lot of interdependencies with third-party service providers.
The main entry point for supply chain attacks is still phishing, but unpatched vulnerabilities have grown this year by 16% compared to last year.¹⁵ Implementing an automated patch management system to streamline patch identification, testing, and deployment is urgent for most CISOs.
The average time between a vulnerability disclosure and a vendor or creator of a software package patching the vulnerability is around nine days.¹⁶ Most vendors patch their vulnerabilities even more quickly, sometimes even hours after the first disclosure of a vulnerability.
Attackers are on top of the vulnerability news. With AI, they are now able to mass-exploit any new vulnerability quickly. They operate fast and in an automated fashion. So, on the defensive side, you also need to be fast and automated. The window for successfully patching vulnerable systems grows narrower and narrower. Automation is great, as it reduces the time between the release of a patch and its implementation, minimizing the exposure window. Yet automation is only as good as the teams that operate the tools.
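As an added illustration of the exposure-window reasoning above (my own example, not code from the original post), the following Python script takes a constructed inventory and computes how long each asset stayed exploitable after disclosure, how far behind the vendor’s patch each deployment was, and which assets breach a deployment policy, including the edge case of an asset that has not been patched at all. The advisory id, dates and asset names are invented.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed sample data: the advisory id, dates and asset names are
# invented for illustration and do not refer to a real advisory or system.

@dataclass(frozen=True)
class Advisory:
    vuln_id: str
    disclosed: date        # public disclosure of the vulnerability
    patch_released: date   # vendor ships a fix

@dataclass(frozen=True)
class AssetFinding:
    asset: str
    vuln_id: str
    patched_on: Optional[date]  # None means the fix has not been applied yet

ADVISORIES: Dict[str, Advisory] = {
    # nine days from disclosure to vendor patch, mirroring the average cited above
    "VULN-EXAMPLE-1": Advisory("VULN-EXAMPLE-1", date(2023, 5, 31), date(2023, 6, 9)),
}
FINDINGS: List[AssetFinding] = [
    AssetFinding("fileserver-01", "VULN-EXAMPLE-1", date(2023, 6, 10)),
    AssetFinding("fileserver-02", "VULN-EXAMPLE-1", date(2023, 6, 30)),
    AssetFinding("build-agent-07", "VULN-EXAMPLE-1", None),  # still unpatched
]
AS_OF = date(2023, 7, 15)  # reference date for open (unpatched) windows

def vendor_lag_days(adv: Advisory) -> int:
    """Days the vendor needed from disclosure to a released fix."""
    return (adv.patch_released - adv.disclosed).days

def exposure_days(f: AssetFinding, adv: Advisory, as_of: date) -> int:
    """Days the asset was (or still is) exploitable: disclosure until patched, or until as_of."""
    end = f.patched_on if f.patched_on is not None else as_of
    return (end - adv.disclosed).days

def deploy_lag_days(f: AssetFinding, adv: Advisory, as_of: date) -> int:
    """Days between the vendor's fix and our deployment; the part automation can shrink."""
    end = f.patched_on if f.patched_on is not None else as_of
    return max(0, (end - adv.patch_released).days)

def overdue(findings: List[AssetFinding], advisories: Dict[str, Advisory],
            as_of: date, max_deploy_days: int) -> List[Tuple[str, str, int]]:
    """Assets whose deployment lag exceeds policy, worst first; unpatched assets count as open."""
    out = []
    for f in findings:
        lag = deploy_lag_days(f, advisories[f.vuln_id], as_of)
        if lag > max_deploy_days:
            out.append((f.asset, f.vuln_id, lag))
    return sorted(out, key=lambda row: -row[2])

if __name__ == "__main__":
    for row in overdue(FINDINGS, ADVISORIES, AS_OF, max_deploy_days=14):
        print("OVERDUE %s %s: %d days behind the vendor patch" % row)
```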
Research findings for Q2 2023 reveal notable shifts in supply chain risk.¹⁷ Attackers get better at bypassing multi-factor authentication. Also, they now prefer to target individual software developers directly. In one particularly concerning scenario, a developer was compromised by installing a malicious package, which gave a threat actor access to the developer’s source code and allowed the actor to add a backdoor. This is low-cost, high-impact stuff.
Overall, there is an increase in attackers preying on organizations via their weakest links: third parties, trusted relationships, software libraries, package managers such as PyPI, and individual developers.¹⁸ For any organization that continues to look at third-party risk management solely through a compliance lens, let 2023 be your wake-up call. The worldwide software supply chain attacks tracker (updated daily!) is your friend.¹⁹ It’s time to shift focus and concentrate on mitigating this risk.²⁰
3. Regulatory Lag
In 2023, regulatory lag may have become an actual liability for managing cyber security risk. If regulatory frameworks continue to struggle to keep pace with the rapidly evolving technical realities of cyberspace, the gap between regulatory measures and the actual challenges posed by emerging technologies may become so broad that developments such as AI and supply chain risk may wash away the ability of regulatory bodies to comprehend the risks, analyse and adapt mitigations, and establish practical guidelines.
The issue has been of particular global concern among CISOs this year, because regulators now focus on making cyber security professionals personally liable for cyber security management. In October, the Securities and Exchange Commission (SEC), for the first time, charged a chief information security officer, Timothy G. Brown of SolarWinds, with fraud and internal control failures. The complaint alleges that, from at least its 2018 initial public offering through at least its 2020 announcement that it had been the target of a massive, nearly two-year-long cyberattack dubbed “SUNBURST,” SolarWinds and Brown defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks.²¹
This is a game changer for the cyber security domain. Systemic issues in the cyber domain may now land at the feet of security professionals. Regulators may dig in with age-old methodologies instead of fostering closer collaboration with industry experts, academia, and international partners.
The unintended consequences of this regulatory development in the cyber domain may be significant. It may lead to organizations that focus on compliance becoming more vulnerable to attackers instead of less. It may lead to a talent exodus in the cyber domain. It may lead to more “compliance theatre,” in which organizations do not report openly about cyber threats or incidents but only through a thick lens of legal quagmire, which would be the end of information sharing. It may lead to an even wider gap between the cybersecurity competence of regulatory bodies and that of organizations. It may lead to diverging cybersecurity regulations internationally and, thus, to even more differences, confusion and loopholes between jurisdictions.
Overall, the effect may be a growing inability of regulators to understand and respond to the emerging, highly concerning, and fundamentally global cybersecurity challenges.
4. Geopolitical risks
The geopolitical risks for Western organizations, including financial institutions and organisations managing critical infrastructures, are more severe than ever.
The dependence of organisations on third-party providers has grown tremendously. This affects not just individual organisations, which may or may not have the necessary cyber security risk management in place; the most worrying thing is that complete industry sectors may become, as a whole, too dependent on just a handful of suppliers. This risk is already significant. And it will affect us all in ways we don’t even realize would be possible.
Before the 2022 Russian invasion of Ukraine, Russian advanced persistent threat groups gained access to Ukrainian targets and launched a destructive attack that coincided with kinetic operations. There will be a proliferation of this technique: I bet most nation-states have been toiling in 2023 to ensure they have plenty of wiper malware in supply in their cyber arsenals. Wipers are here to stay and may affect any organization in any supply chain at any time.²²
Ukraine’s cyber spy chief, Illia Vitiuk, who is head of the Security Service of Ukraine’s (SBU) cybersecurity department, disclosed exclusive details about the wiping of Kyivstar’s infrastructure. Kyivstar is a wealthy, private company that has invested a lot in cybersecurity, and it is one of Ukraine’s largest telecom companies. A significant portion of its infrastructure was completely wiped out on December 12, 2023. This should be a big warning, not only to Ukraine, but to the whole Western world.²²ᵇ
Outlook
The most important takeaway from these four trends is that we need to value people working on the defensive side in cyber security even more than before.
This includes creating a safe space for people to self-reflect and be mindful of their competences and limitations. It includes creating room for respectful disagreement and seeing everyone’s strengths and weaknesses from a growth perspective. Teamwork and collaboration have become much more critical now. Decades of scientific research show that teams who adopt a curious mindset and practice honest, open, and continuous improvement are the best achievers.²³
Managing the risks of generative AI, supply chains, regulatory lag, and geopolitical developments does not begin with buying yet another tool. It starts with establishing a healthy work environment. A healthy culture is foundational to building the capabilities to manage cyber risk. It is essential to reducing burnout. It increases productivity. Job satisfaction goes up. There is a substantial increase in organizational performance. Curiosity and joy are what we need in the cyber domain. They lead to improved security behavior, better vulnerability patching routines, more secure software delivery, more fun together, and better team performance.
Teams with “generative cultures,” that is, cultures that encourage open communication and collaboration, have been shown experimentally to have a measured 30% higher organizational performance.²⁴
Going forward, we will need this extra performance level to manage cyber security risk.
References
(1) IBM, “Cost of a Data Breach Report 2023”, 2023, p. 5.
(2) Newman, Lilly Hay; Burgess, Matt, “The Biggest Hack of 2023 Keeps Getting Bigger”, Wired, Oct. 2, 2023 [Retrieved: 12. December 2023]
(3) House of Commons, “A hostage to fortune: ransomware and UK national security”, December 2023; Australian Government, “Ransomware action plan”, 2021; Barker, W., “NISTIR 8374. Ransomware Risk Management: A Cybersecurity Framework Profile”, NIST, 2022
(4) https://drrispens.medium.com/the-humble-ciso-9c5f66fe2359
(5) https://drrispens.medium.com/the-humble-ciso-2022-b47dc96c201c
(6) Splunk, “CISO Research Reveals 90% of Organizations Suffered At Least One Major Cyber Attack in the Last Year; 83% Report Ransomware Payments”, https://www.splunk.com/en_us/newsroom/press-releases/2023/ciso-research-reveals-90-of-organizations-suffered-at-least-one-major-cyber-attack-in-the-last-year-83-report-ransomware-payments.html, [Retrieved: 25. December 2023]
(7) Rispens, Sybe, “The Seven Rules of Success in Artificial Intelligence”, Medium, 2023
(8) Google, “Cybersecurity Forecast 2024”, 2023 [Retrieved: 2. December 2023]
(9) Espinosa, Christian, “Generative AI’s Dark Side: How It’s The Perfect Tool For Hackers To Spread Malware”, August 14th, 2023, [Retrieved: 25. December 2023]
(10) Kaspersky, “Operation Triangulation: The last (hardware) mystery”, December 27, 2023, [Retrieved: 30. December 2023]
(11) HAWKEYE, “Why threat actors are now using Rust to develop new ransomware?”, January, 2023
(12) Fernandez, Ray, “Exclusive Interview: Google Cloud CISO Phil Venables Talks Ethical Hackers”, Techopedia, December 16, 2023, [Retrieved: 17. December 2023]
(13) Page, Carly, “MOVEit, the biggest hack of the year, by the numbers”, Techcrunch, August 25, 2023, [Retrieved: 13. December 2023]
(14) See for an overview of markets and tools: https://de.statista.com/outlook/tmo/software/unternehmenssoftware/supply-chain-management-software/weltweit
(15) Kroll, “Q2 2023 Threat Landscape Report: All Roads Lead to Supply Chain Infiltrations”, 2023, p. 10.
(16) Metrick, Kathleen, “Think Fast: Time Between Disclosure, Patch Release and Vulnerability Exploitation Intelligence for Vulnerability Management, Part Two”, 2020
(17) https://www.kroll.com/-/media/kroll/pdfs/publications/q2-2023-threat-landscape-report-supply-chain-infiltrations.pdf
(18) https://services.google.com/fh/files/misc/google-cloud-cybersecurity-forecast-2024.pdf
(19) https://www.comparitech.com/software-supply-chain-attacks/
(20) Boyens, J. , Paulsen, C. , Moorthy, R. and Bartol, N., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, 2015, [Retrieved: 28. December 2023]
(21) SEC, “SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures”, https://www.sec.gov/news/press-release/2023-227
(22) https://services.google.com/fh/files/misc/google-cloud-cybersecurity-forecast-2024.pdf
(22b) Balmforth, Tom, “Exclusive: Russian hackers were inside Ukraine telecoms giant for months”, Reuters, Jan. 5, 2024, https://www.reuters.com/world/europe/russian-hackers-were-inside-ukraine-telecoms-giant-months-cyber-spy-chief-2024-01-04/
(23) Carvalho, J. D. “Continuous Improvement in Organizations”. CRC Press, 2023.
(24) Westrum, Ron, “The study of information flow: A personal journey”, Safety Science 67, pp. 58–63, 2014; DORA, Google Cloud, “Accelerate State of DevOps Report 2023”, 2023, see also https://dora.dev/
Update
06–01–2024: added reference to the December 12, 2023 wiping of Kyivstar’s infrastructure.