Both the global pandemic and, more recently, the war between Russia and Ukraine have brought the threat of cyber-attacks on individuals, businesses, and nations into sharp focus.
As more of our lives have moved online to cope with lockdowns and restrictions on movement, scammers, hackers, and fraudsters have enjoyed greater opportunities to strike. And international tensions have shown us that today warfare is fought just as ferociously in the digital domain as it is in the real world, as state-sponsored threat actors attempt to spread disinformation and destabilize critical infrastructure.
Last month, economists at Goldman Sachs said that infrastructure responsible for generating and distributing energy, financial services, and the transport sector in the US is particularly vulnerable to potential Russian cyber-attacks that could cause billions of dollars worth of damage.
This means that the role of the Chief Information Security Officer – CISO – is becoming more important than ever when it comes to ensuring organizations are taking every precaution to avoid becoming victims.
This week I have had a conversation with Equifax CISO Jamil Farshchi. As one of the world’s largest credit agencies, Equifax has custody of data on more than 800 million individuals and 88 million companies. And as CISO, the buck stops with him when it comes to keeping this information safe. Before joining Equifax, he was responsible for protecting the US space program during his time with NASA, as well as its nuclear arsenal when he was with Los Alamos National Laboratory.
Farshchi has just compiled his own list of what he considers to be the ten most serious cyber-security threats faced by industry and society in 2022. He joined me to discuss these in more detail, as well as to talk about how he hopes the cyber-security industry will evolve to meet these challenges.
Threat to Trust
Aside from the potential for breach of privacy, loss of money, and disruption to infrastructure from cyber-attacks, there's another genuine and pressing problem that's often overlooked: A loss in the trust in tech and data. Emerging technology and data have the potential to do real good in the world, including solving massive problems like ending the energy crisis, feeding the hungry, protecting the environment, and curing disease. However, for any of these things to eventually happen, it has to be trustworthy. Farshchi told me how one incident – the Capital One data breach discovered in 2017 – caused a lot of companies to delay their move to the cloud as they reassessed the security implications.
He tells me, "If we [CISOs] don't do our jobs well … if the cyber crisis isn’t reigned in, it’s going to hurt our ability to innovate … those roadblocks and hurdles impact our ability to be successful and leverage the latest technologies.
“But if we do technology right, I think that both economically as well as from a societal standpoint … I do my best, and I want the industry at large to be able to focus on this so we can all be in a better place."
2021 saw a record rise in the number of data breaches and ransomware attacks, and Farshchi says that, unfortunately, he only believes that this is a trend that will continue. As technology permeates more of our lives, there will simply be more opportunities for us to accidentally leave doors or windows open, giving malicious actors the opportunity to sneak in and cause damage.
Take the internet of things (IoT), for example … the vast and ever-growing network of online, connected devices encompassing everything from industrial machinery to connected cars and smart home appliances. It’s predicted that there will be over 27 billion of these devices by 2025, creating an unprecedented number of opportunities for cyber-criminals.
These threats are well established and should clearly be on the radar of everybody with responsibility for cyber-security. But what about more exotic threats, such as the dangers posed by the onset of the era of quantum computing?
"This one really worries me," Farshchi says.
“A lot of folks think this is something we have to worry about in the future … the bottom line is that there are threat actors out there that are collecting encrypted data today … data that [using classical computing technology] would take thousands of years to decrypt. And they’re collecting it for a reason.”
The reason is that its quickly becoming apparent that quantum technology will be available in the not-too-distant future that will make short work of many of the industry-standard encryption techniques that are used to secure data today.
“This data has a long shelf-life … we’re racking up a tab that we’re eventually going to have to pay for.”
Farshchi believes that bodies such as the US National Institute of Standards in Technology are not moving quickly enough to adapt to these threats – guidelines on how government bodies should prepare for themselves for a time when all data will need to be protected with quantum-proof security are not even due to be published until 2024.
This is one of the reasons that "The quantum computing threat isn't decades away, it's here now," and it’s one of 10 key warnings in Farshchi’s report.
Others include the need for corporate boards to understand their liability as it relates to the data in their custody, the “blind spots” in security strategy when it comes to supply chain threats, growing cases of identity theft, and the increasing profitability to criminals of ransomware attacks.
The Importance of Preparedness
The key to being ready to cope with these threats, wherever they may come from, is preparedness, Farshchi tells me.
"If you've been through the steps to prepare, you can adapt in your muscle memory and respond," he says.
“I grew up in Iowa – we get a lot of tornados there … and you practice and prepare for them. Then fast forward to college, when I was there, and there were tornados all over the place. When you looked around, you could tell which [classmates] had grown up in the Midwest and which hadn’t … they knew what to do.
“I was in a different circumstance – I wasn’t back in Iowa, but I knew how to respond, and I think the same thing applies here. If organizations go through the steps and they practice with their board and executives, then when bad things happen … you’re able to lean in and solve them in a very rapid fashion.”
When I asked how he hoped the cyber-security landscape would look in the near future, he gave an answer that at first seems counterintuitive: "I would like to see more sophisticated threats out there.”
It turns out that there is a more down-to-earth reason for this than simply wanting to put his skills to the test against more challenging attacks; Farshchi reasons that most of today’s cyber-attacks, such as phishing and ransomware, while they may seem complex to a layman, are in fact remarkably simple. And it’s an indictment of much of the existing cyber-security infrastructure that so many attacks are still successful.
“It means that organizations aren’t even doing the basic things … and if we fast-forward to the future and we have a situation where we’re getting hit by meaningful and sophisticated attacks, it means we’ve done the basic stuff … we’re doing at least the minimum level necessary to make it difficult for our adversaries.”
You can watch my conversation with Jamil Farshchi, CISO at Equifax, where we also talk about the threats to security posed by the metaverse and more of the key threats identified by Farshchi in his new report. If you prefer to listen to it, then check out my podcast.