A Year in Review: Cyber Threat Landscape and The Impact on Organizations

|

Throughout the year, we have seen indications that both the commercial sector and the government remain concerned about the continued evolution of the cyber threat landscape. 

In July, a survey of more than 1,000 board members and C-suite executives in various industries identified cyber threats as one of the top risks for 2024 and for the decade ahead.[1]  In June, the Government Accountability Office (“GAO”) provided its Cybersecurity High-Risk Update to Congress, noting that threat actors are “becoming more willing and capable” of executing cyberattacks and summarizing its work related to four major cybersecurity challenges.[2]  

The realities of advancements in artificial intelligence, increased reliance on third-party partners, and expanding geopolitical tensions have all accelerated the growing concern over new threats and vulnerabilities.[3]  We recently discussed a couple of 2024 cybersecurity trends in our articles about Ransomware and evolving evolving Generative AI threats AI threats.   In this article we turn to some events in the news that have major ramifications for the cybersecurity industry.

Critical Infrastructure Vulnerabilities are High Risk

Concerns about potential vulnerabilities in critical infrastructure were thrust back into the spotlight this year.  In July, a software update introduced by CrowdStrike, a cybersecurity company, to its next-generation antivirus platform Falcon caused worldwide IT outages in industries including transportation, finance, and healthcare.[4] 

Although human error (and not a cyberattack) proved to be the root cause of the incident, the widespread and prolonged disruption highlighted the need to protect critical infrastructure.  Regarding this incident, the Falcon platform is a combination of cloud software and endpoint sensors installed on customer endpoints, including laptops, desktops, and servers.[5]  The problem occurred when the update at the endpoint sensor level when Falcon failed to understand the new configuration causing the sensors to malfunction.[6]  It took three days for CrowdStrike to release automated remediation and 99% functionality was not achieved for 10 days.[7]  

Although the issue with the update was a result of human error and, unlike the SolarWinds attack,[8] was not a cyberattack, it once again raised concern about the vulnerability of our nation’s infrastructure.  Following the outage, the GAO raised the red flag and cautioned that “attacks on critical infrastructure sectors continue to grow and could seriously harm human safety, national security, the environment, and the economy.”[9]  To substantiate the claim, the GAO cited a recent attack in the healthcare industry, which resulted in $874M in loses and the disruption of health care services.[10] 

Growing Geopolitical Tensions Highlight Commercial Spyware and Supply Chain Risks

As conflicts throughout the world have increased in recent years, cybersecurity practitioners are reminded of the importance of remaining vigilant against risk emanating from spyware and the supply chain.  Equally important as potential vulnerabilities to critical infrastructure are advanced-persistent threat (“APT”) attacks, which are aimed at espionage or disruption and are funded or supported by nation-state actors. 

Spyware continues to be one of the principal APTs. Spyware is software that is surreptitiously installed in a target’s environment to siphon off non-public information.  In June 2024, the Department of Commerce’s Bureau of Industry and Security (BIS) announced an unprecedented Final Determination prohibiting Kaspersky Lab, Inc, the U.S. subsidiary of a Russia-based anti-virus software and cybersecurity company, from directly or indirectly providing anti-virus software and cybersecurity products or services in the United States or to U.S. persons.[11]  The BIS found that national security risk—due to the Russian Government’s offensive cyber capabilities and capacity to influence or direct Kaspersky’s operations, which could be in a position to install spyware on unsuspecting systems. 

And finally, Israel’s September attack against Hezbollah in which they inserted explosives in two-way radios and pagers highlights the vulnerabilities within supply chains and at third-party vendors.[12]  Although it is not the first of this type of attack, it has not previously been used on such a wide scale.[13]  The attack is a stark reminder that organizations can only be as secure as their weakest links, including those in the supply chain and at third-party vendors. 

The Critical Infrastructure Security Agency (“CISA”), which serves as the nation’s cyber defense agency and national coordinator for critical infrastructure security, monitors and advises on defending against APTs.  Through its Joint Cyber Defense Collaborative (“JCDC”), CISA continues to partner with both public and private partners to prioritize collective cybersecurity priorities.[14]  In addition to working to increase cybersecurity baselines and anticipating emerging risk, the JCDC is moving beyond concerns of just data theft and espionage from APTs, and is also working to make sure that cyberattacks do not cause extensive harm.[15] 

Conclusion

Worldwide systems outages, state-sponsored cyber espionage, and exploding communication devices—what should an organization learn from these events?  Although solutions to these extreme problems are likely beyond the capabilities of any one organization, these incidents provide reminders of what an organization can do to prepare for smaller-scale attacks that exploit similar vulnerabilities.  For example, organizations should ensure their business continuity plans remain functional and are practiced regularly.  They should also maintain robust third-party vendor assessment programs.  Additionally, organizations should conduct thorough risk and vulnerability assessments to ensure appropriate reputation and security controls, and continue to monitor and update these relationships over time.

[1] Matt Moore, Top Business Risks for the Next Decade, Risk Management (July 18, 2024), https://www.rmmagazine.com/articles/article/2024/07/18/top-business-risks-for-the-next-decade.

[2] High-Risk Series: Urgent Action Needed to Address Critical Cybersecurity Challenges Facing the Nation, U.S. Government Accountability Office (June 2024) at 1-3, https://www.gao.gov/assets/gao-24-107231.pdf.

[3] Id. (discussing some of the reasons for the increased concern.)

[4] See CrowdStrike Chaos Highlights Key Cyber Vulnerabilities with Software Updates, United States GAO (July 30, 2024), https://www.gao.gov/blog/crowdstrike-chaos-highlights-key-cyber-vulnerabilities-software-updates.

[5] See Testimony of Adam Meyers, Subcommittee on Cybersecurity and Infrastructure Protection, Committee on Homeland Security, United States House of Representatives (Sept. 24, 2024) at 3, https://homeland.house.gov/wp-content/uploads/2024/09/2024-09-24-HRG-CIP-Testimony-Meyers.pdf.

[6] Id.

[7] Id. at 1,4.

[8] The SolarWinds attack occurred when threat actors injected malicious code into the SolarWinds software update, and when released it was used to create enable threat actors to gain remote access to SolarWind’s customers systems or networks.

[9] CrowdStrike Chaos Highlights Key Cyber Vulnerabilities with Software Updates, GAO (July 30, 2024), https://www.gao.gov/blog/crowdstrike-chaos-highlights-key-cyber-vulnerabilities-software-updates.

[10] Id.

[11] Press Release, Commerce Department Prohibits Russian Kaspersky Software for U.S. Customers,  Bureau of Industry and Security (June 20,2024), https://www.bis.gov/press-release/commerce-department-prohibits-russian-kaspersky-software-us-customers#:~:text=WASHINGTON%2C%20D.C.%20%E2%80%93%20Today%2C%20the,.%2C%20%E2%80%9CKaspersky%E2%80%9D.

[12] See Israel’s Pager Attacks and Supply Chain Vulnerabilities, Schneier on Security, (Sept. 24, 2024), https://www.schneier.com/blog/archives/2024/09/israels-pager-attacks.html.

[13] Id.

[14] 2024 JDC Priorities, Cybersecurity and Infrastructure Agency, https://www.cisa.gov/topics/partnerships-and-collaboration/joint-cyber-defense-collaborative/2024-jcdc-priorities.

[15] Id.