It was a typical week for cyber attacks around the globe.
A small western Pennsylvania municipal water utility was just one of multiple organizations breached in the United States by an Iranian-backed hacktivist collective. The group, known as Cyber Av3ngers, targeted a specific industrial device – a programmable logic controller -because it is Israeli-made. Other industries that use the same equipment — Vision Series programmable logic controllers made by Israel’s Unitronics — including energy, food and beverage manufacturing and healthcare, have been warned that they are also potentially vulnerable.
In Israel, cyberattacks that use distributed denial of service (DDoS) operations; wiper malware; and the exploitation of other vulnerabilities that facilitate the spread of disinformation were used by Hamas and its supporters as weapons of war. So were deep fake videos that risk unleashing even more violence and confusion in the future.
Meanwhile, European cyber police arrested the ringleader of a ransomware gang operating in Ukraine accused of successfully extorting “several hundred million euros” in ransom from victims in 71 countries; the boss of Australia’s largest ports operator confirmed data from current and former DP World employees was stolen during a November cyber attack that shut down its operations around the country in November, temporarily disrupting global trade; and the UK foreign minister Leo Docherty told the House of Commons that Russia’s Federal Security Service had used a “range of cyber espionage activities” to target MPs, peers, civil servants, journalists and NGOs, through a sustained campaign to “meddle in British politics.”
These incidents are a snapshot of how the cybersecurity agenda has changed over the past five years: cyber is now an inextricable part of warfare, critical infrastructure – and democracy- are increasingly coming under attack, ransomware is on the rise, and the commercialization of new cutting-edge technologies like artificial intelligence, are introducing new threats such as deep fakes.
The next five years will bring another set of unprecedented cybersecurity challenges, says a new report from The World Economic Forum entitled Cybersecurity Futures 2030.
To help corporates and governments better prepare for the future, the UC Berkeley Center for Long-Term Cybersecurity (CTLC), with the support of the Forum’s Centre for Cybersecurity and the Center for Naval Analyses’ Institute for Public Research, launched Cybersecurity Futures 2030, a global initiative that explores how digital security could evolve over the next five to seven years. Between January and April 2023, the CTLC independently developed a set of four scenarios that portray possible cybersecurity futures. The scenarios were explored at workshops in five international locations: Dubai, Washington, DC, Kigali, New Delhi and Singapore and in virtual events involving the UK and multiple European countries.
The New Digital Security Landscape
So, what does the new digital security landscape look like? The report says it will require society to fundamentally reorient its responses to constant digital security challenges, three of which are changing in important ways: data privacy, talent development and sustainability.
*Data privacy: It is no longer plausible or desirable to fully restrict flows of personal data, says the report. The objective in the run-up to 2030 will be for countries, communities, and individuals to ensure a controlled and responsible use of their data and to negotiate a fair return.
*Cybersecurity Talent: The world needs 3.4 million cybersecurity experts to support today’s global economy, but the industry is struggling to fill that gap. Going forward the competition for global talent is expected to intensify. As automation and AI fulfill entry-level jobs there will be increasing need for people trained in supervisory and policy roles of cybersecurity and AI security, says the report. At the same time demand for people who can design, build, and deploy secure machine learning and AI products will continue to skyrocket. The risk is there will be zero-sum game dynamic, with countries and companies competing for the same limited pool of talent, says the report. Against that backdrop the ability to attract global talent, retain homegrown talent and provide a productive environment to capitalize on that talent, will be increasingly important. At the same time, education and awareness of digital security will be critical to combat misinformation and cyber crime, says the report. And, if countries want to re-shore supply chains and enable economic development, a mobilization will be required to upskill workers to create a workforce that is equipped to design, build, and deploy advanced technology across many sectors.
*Sustainability, climate change and digital security will increasingly be intertwined. Although technologies like AI promise to help with climate change the technologies themselves are causing major increases in energy demand. At the same time, construction of new, distributed green energy infrastructure, such as electric vehicle changing and smart grid networks, will expand the Internet of Things, introducing new vulnerabilities. Digital inclusion, or the equitable and safe access to and use of digital technologies, is another facet of sustainability, says the report. Without it the divide between haves and have nots will not only enlarge it may undermine security by destabilizing society. The report stresses the need to protect the most vulnerable parts of the population, reduce inequality between skilled and unskilled labor, reduce employment-driven migration and unrest, encourage stability and potentially reduce transnational cyber crime by redirecting potential criminals towards productive pursuits.
Matching The Speed Of Trust With The Speed Of Innovation
Three overarching observations also emerged from the workshops, according to the report.
The first is that “digital security is being reframed as the ability of societies to match the speed of trust with the speed of innovation.” The report says that governments that follow through on long-term technology and cybersecurity strategies can become trusted brands, gaining advantages in attracting talent, seizing leadership opportunities in multilateral standard setting processes and countering disinformation campaigns. Participants stressed that the online spread of misinformation, disinformation and mal information – which is referred to by the acronym MDM in the report– are now core cybersecurity concerns.. “Cybersecurity will become less about protecting the confidentiality and availability of information and more about protecting its integrity and provenance,” says the report.
Secondly, the report says cybersecurity challenges and opportunities of the next decade will be proportionate to the pace and scale at which countries digitalize. The report’s advice? Decision-makers should monitor the pace of digitization- and the ability of populations to integrate new technologies safely and securely-as closely as they do the security specifications of the technology itself.
Thirdly, there is an urgent need for the call for trusted standards that incentivize interoperability in cybersecurity and AI security. Some workshop participants expressed concern that there is no global leadership, a lack of trusted and expert regulatory bodies and insufficient capacity for the enforcement of security and privacy laws and standards. Practical conversations are needed about the trade-offs between digital sovereignty and interoperability, the report says. “The focus in the next three to five years will be on the practicalities of navigating a world in flux,” it says. Workshop participants anticipate that global alliances are set to reshuffle in the coming years, with opportunities for countries to create new poles in a more multipolar world.
Weaknesses Have Consequences
The report outlines how allowing unchecked weaknesses will impact the cybersecurity landscape and the competitiveness of companies and countries. For example:
*Collective failure to mitigate climate change will limit innovation and technology adoption and will deprioritize cybersecurity. “A continual cycle of preparing for, responding to and recovering from natural disasters and other climate-related challenges, is a key weakness for the digital security landscape, as it will mean fewer resources to commit to promising security ideas and endeavors,” says the report.
*Dependency on the largest tech firms or on tech products and services exported by other countries can lead to vulnerabilities. The report urges organizations and countries to carefully consider the advantages of investing in innovation before automatically using market-ready solutions.
*An inability to overcome social engineering could increase polarization, erode trust in digital products and platforms and leave organizations in a weakened position to solve other problems and seize new opportunities, says the report.
Key Takeaways for Decision-Makers
The report has a list of takeaways for decision makers. Among other things it advises organizations to ensure they have a stable and secure supply chain of resources, including technology components, new materials, and skilled, affordable workers. It also advises working to form a digitally literate public and customer base that is media savvy and inoculated against “mis-dis-and mal-information” and that countries and companies strategically and tactically use regulation to guard against the downsides of AI products as they rise in prominence.
The next phase of the Cybersecurity Futures 2030 project will focus on working with decision-makers to further set cybersecurity priorities and think more broadly how these findings might impact their organizations. “Grappling with these kind of questions should be a defining focus in 2024 for C-Suites, boards and government agencies internationally,” says the report.
This article is content that would normally only be available to subscribers. Sign up for a four-week free trial to see what you have been missing.
To access more of The Innovator’s cybersecurity stories click here.