Despite the billions of dollars poured annually into cybersecurity by investors, organisations, academia, and government, adequate and reliable cybersecurity remains an ever-elusive goal.
The technological complexity and growing attack surface, along with a growing array of threat actors and increased interconnectivity, make securing digital systems and assets a perennial pipedream.
Chief among the challenges for decision-makers and experts is simply identifying and comprehending society's cybersecurity risks.
One organisation, the Washington, DC-based think tank Bipartisan Policy Center, has convened a working group of experts from industry, government, and civil society to "identify the nation's top cybersecurity risks to raise awareness so policymakers and businesses can take pragmatic action and invest in countermeasures."
The working group produced its Top Risks in Cybersecurity 2023 report, distilling the experts' assessments into eight "macro" risks and other risks not necessarily specific to 2023.
The report spells out the major hazards US organisations should be prepared to tackle because they represent the most likely and most impactful dangers ahead.
"One of the biggest challenges we often face is having a strategic discussion and understanding of what that risk landscape looks like," Jamil Farshchi, executive VP and CISO of Equifax and one of the working group co-chairs, tells CSO. "So, the goal was to be able to help define that."
"We ended up pulling together an all-star cast of security professionals from a variety of different walks of life. We wanted to get a good macro view from not just the CSO constituent group, but also folks in multiple different disciplines and capacities," including then-sitting congressman and cybersecurity evangelist Jim Langevin (D-RI).
The set of risks the group developed is notable not for its novelty but for "quite frankly how dated they are," Farshchi says, highlighting the perennial nature of cybersecurity's challenges.
"For the progress that we've made as an industry, as a community, it just hasn't been enough because too many of these things have been out there forever."
Top macro security challenges
The top eight macro risks to watch out for in 2023 highlighted in the report include:
- Evolving geopolitical environment: The war launched by Russia in Ukraine is emblematic of this first risk, which encompasses lowered inhibitions for cyberattacks, digital assaults on critical infrastructure, misinformation and disinformation campaigns, and protectionist approaches to trade that can leave companies that purchased technology products from abroad even more vulnerable.
- Accelerating cyber arms race: As attackers step up their assaults on beleaguered organisations, defenders must keep pace in an environment that disproportionately favors malicious actors, who use commonly available consumer tools and trickery to achieve their ends while also targeting national security assets.
- Global economic headwinds: Stock market volatility and inflation pose risks across the cybersecurity sector, threatening supply chains, forcing businesses to make difficult decisions about allocating resources, and possibly harming innovation as startups face a weakened capital supply market.
- Overlapping, conflicting, and subjective regulations: Companies in the US face a "complex patchwork of required cybersecurity, data security, and privacy regulations implemented by national, state, and local authorities, with varying prescriptive requirements," including balkanisation of data privacy and breach disclosure laws, rapidly elevating security control requirements, and one-size-fits-all regulation.
- Lagging corporate governance: Although the priority organisations place on cybersecurity has improved significantly in recent years, many firms still have not placed cybersecurity specialists in leadership positions, exclude CISOs and CSOs from the C-suite and boards of directors, and keep cybersecurity separate from organisational objectives.
- Lack of investment, preparedness, and resilience: Both public and private sectors are still insufficiently prepared for a cybersecurity disaster. The report cites incomplete and imperfect data; a lack of crisis preparedness and of disaster recovery and business continuity planning; failure to conduct crisis exercises; vendor risk concentration and insufficient third-party assurance capabilities; the escalating cost of cyber insurance; and chronic poor cyber hygiene and security awareness among the general public.
- Vulnerable infrastructure: Critical infrastructure remains vulnerable as organisations "rely heavily on state and local agencies and third- and fourth-party vendors who may lack necessary cybersecurity controls," particularly in the finance, utilities, and government services sectors, which often run on unpatched and outdated code and legacy systems.
- Talent scarcity: The ongoing shortage of qualified security personnel continues to expose organisations to cyber risks, made even more glaring by insufficient automation of tasks needed to execute good cybersecurity.
Organisations to tailor their own security solutions
Notably absent from the report are any explicit solutions to these and other problems.
"We didn't want to have explicit solutions in place in this document because we feel like each organisation is going to have a tailored control set," Farshchi says. "They're going to have their own remediation plans and approaches to different things."
One working group member, Chris Painter, a former cybersecurity leader at the State Department, Justice Department, and the White House and currently president of The Global Forum on Cyber Expertise Foundation, tells CSO that too often, government reports detail solutions that don't apply to everyone.
"I think people would rightly ask, well, why do you point out the challenges," without offering solutions, he says. "I think that the rationale was there are many different solutions depending on who the actor is, what the region is. So, there's no one size fits all."
While some things, such as geopolitical risks, are beyond the control of most organisations, the report can still help them formulate strategic decisions. "You're not going to change Russia or China's behavior overnight, but I think there are things you can do to harden your targets and be aware of them as risks to do things," he says.
In Painter's view, the report's real value is its ability to reach non-technical audiences. "It's written in English, which is helpful because sometimes these things either shoot to a technical audience or shoot too high," Painter says.
"I think this is something that people in C-suites at companies, people who are managers and not computer experts, can use to get a sense of the landscape."