The attack surface grows: Challenges to cyber resilience in 2023

by Black Hat Middle East and Africa

The headlines are out in force: cybersecurity must be tightened, strengthened, and reinforced in 2023. But what are the key challenges that cybersecurity innovators are facing right now – and what are the security initiatives that will shape the year?

Here we look at recent high-profile attacks, as well as changes in US legislation that are working to increase resilience against cyber threats.

One thing that’s clear is that there’s no singular threat, and no simple solution to fight it. So cybersecurity experts and innovators are taking a wide view, and developing multi-faceted strategies to protect companies, governments, and digital users.

Polycrisis: what is it, and how can cybersecurity respond?

The World Economic Forum has dubbed this the era of ‘polycrisis’. Essentially, that means we’re living in a period of time in which a number of different major global issues are compounding to create a general state of crisis.

Geopolitical tensions around the world mean that cyber risks are at a peak – and simultaneously, cyberattacks that do occur will intensify geopolitical tension even more. Malicious cyber threats are likely to be woven into the fabric of war strategy; because just as we’re now living hybrid physical/digital lives, war too will morph into a hybrid experience, with digital spaces becoming increasingly unsafe. Indeed, we’ve already seen cyberattacks attributed to war, including the attack against satellite communications provider Viasat, which took place just hours before Russia launched its invasion of Ukraine.

Economies around the world are precarious, with inflation and recession looming in many regions – heightened by extreme weather events, severe supply chain disruption, and food and energy shortages. All of this to say that cybersecurity workers are operating in a complex landscape, and are under pressure to take a huge array of factors into account in order to develop (and maintain) comprehensive, effective protection.

High profile attacks are hitting major organisations – and the general public

Password manager LastPass has been hit by a cyberattack that lasted for months before the threat was identified. The breach (in which a hacker gained access to a software engineer’s work laptop, using it to access a cloud-based development space and steal information) was first detected in August 2022; and in a blog post in December, LastPass assured its stakeholders that the threat had been ‘eradicated’, and that it had been focused on a third-party cloud-based storage service. But because the attacker combined criminal activity with legitimate activity, the full extent of the breach actually remained undetected.

On March 1st LastPass issued an apology as the company conceded that a second incident had leveraged a vulnerability in third-party software that was in use by another senior engineer, and delivered malware – bypassing controls and gaining access to cloud backups. Along with configuration data, API secrets, and third-party integration secrets, the data accessed via those backups included encrypted and unencrypted customer data.

This breach has unsettled the industry and the digital public because it quietly evaded detection and containment for a prolonged period – so effectively that in the December notice, following the investigation of the first breach, LastPass stated that there was “no evidence of any threat actor activity beyond the established timeline.”

In the UK, national postal service Royal Mail has also been the victim of an extended attack which has had an ongoing impact on its services, and on its customers. In 2021-22 Royal Mail employed more than 157,000 people in the UK and delivered just under 8 billion letters – it’s a company that everyone uses. But since a cyberattack in early January, the organisation has struggled to resume normal service.

LockBit, a ransomware gang with links to Russia, claimed responsibility for the attack in February. Transcripts released on the dark web suggest the gang demanded ransom totalling USD $80 million in exchange for decrypting the files that were compromised in the attack. Royal Mail firmly refused – but the company wasn’t able to reinstate its international mail export service until 6 weeks after the attack.

There’s more evidence of intensified risk in 2023

As we approach the end of Q1 2023, there’s already plenty of evidence that the increased risk is not just hypothetical:

  • In February the EU Cybersecurity Agency (ENISA) released an alert that detailed several Advanced Persistent Threat actors (APTs) that have been identified as operating malicious cyber activities against EU businesses and governments – with a focus on information theft
  • Recent data from Google highlights a 300% increase (compared with 2020) in state-sponsored cyberattacks that target users in NATO countries
  • In the UK, cyber criminals targeted school children with a ransomware attack in January. A network called the Vice Society gang has claimed credit for stealing hundreds of files from one school, shutting down phones and IT services, and then leaking the stolen files (which included highly personal behavioural records of students) online in a double-extortion attack
  • In February, Danish hospitals were hit by a cyberattack against their websites – taking vital patient services offline for ‘a couple of hours’

And these are just a few of many. We picked the above examples to demonstrate the reality that cyber attacks aren’t just a risk to private corporations or wealthy individuals – they’re putting the infrastructure of education and health at risk, and putting governments, businesses, and organisations under huge pressure to mitigate the dangers of information theft and ransom attacks.

Cyber resilience is a central challenge

Increasingly, malware is very easily accessible to threat actors. According to research by Atlas VPN, malware and ransomware can be purchased for as little as USD $66, and phishing kits are available for free on forums if you know where to look. So an attack can be launched at almost no cost to the attacker. And yet the global average cost of a data breach to the victim organisation is USD $4.35 million, and most victims have suffered repeat attacks – the IBM Cost of a Data Breach report notes that 83% of targets have been breached more than once.

So attacks will continue to rise. And in the face of that, governments and businesses cannot take a reactive approach to cybersecurity. Instead, resilience will be key: security must be built into the architecture of digital operations, not just added on top.

But this is more challenging than ever, because the attack surface on which cyber criminals can operate is expanding rapidly. In 2021 there were 11.3 billion IoT devices in operation around the world, but by the end of 2023 that figure is expected to reach over 15 billion. Couple that with a sharp increase in remote working (a 2022 study found that 90% of workers across the UAE prefer hybrid or full-time remote working) and it’s easy to see why most networks now have many more vulnerable points than they did pre-pandemic. The attack surface has never been this big – and it’s still growing.

In early March the White House released the new US National Cybersecurity Strategy, with a framework that focuses on the protection of critical infrastructure (including hospitals and clean energy production facilities). Importantly, the strategy also highlights the government’s goals to engage in more collaborative cybersecurity development and partnerships with international players – a nod to the reality that resilience requires collective effort.

Because cyber resilience can’t happen in a silo. It’ll take a collaborative effort from different organisations and governments to stretch cybersecurity solutions between targets and share threat information effectively. As Eugene Kaspersky (CEO & Co-Founder at Kaspersky) said at LEAP 2022 in Riyadh, community will be key to building resilience against cyber criminals and, eventually, to building cyber immunity.

But cyber immunity doesn’t exist yet – so pre-emptive action, responsive systems, and cyber resilience will be key themes for 2023.
