As 150 Chief Information Security Officers (CISOs), CEOs, law enforcement officials, heads of national cyber agencies and representatives from academia and civil society were gathering in Geneva this week for The World Economic Forum’s Annual Meeting on Cybersecurity, global insurance company Axa released its 2023 Global Risks report. Almost 90% of experts surveyed for the report say the risk of a massive cyberattack is significant at a global level.
“The fears are certainly there,” says Akshay Joshi, the Head of Industry and Partnerships for the Forum’s Centre for Cybersecurity. “It underscores the need for greater collaboration because the problem is not going away.”
The Forum’s Centre for Cybersecurity’s three priorities are helping corporates build cyber resilience, strengthen global collaboration and “navigate cyber frontiers”, i.e. new threats posed by emerging technologies. The annual meeting focused on all three topics.
Risks posed by Generative AI were top of mind. Attendees at this year’s meeting were “extremely concerned,” says Joshi. While there is often a time lag before businesses fully embrace new technologies, the same time lag does not apply to criminals. GenAI is making it easier for bad actors to launch more sophisticated attacks, including phishing, he says. Along with ethical concerns about misuse of the technology there have been reported incidents of people revealing confidential company information while using GenAI. “There is concern about human behavior and the way we interact with the technology,” he says. “There is a need for checks and balances on AI and the need for education is equally important.”
Quantum computing poses other concerns. While nobody knows for sure when a sufficiently powerful quantum computer will arrive, the timeline is shrinking. Once the technology goes mainstream organizations will need to adapt to the risk posed by quantum computers, which have the potential to break many of the cryptographic systems that are relied on today for secure communications and data protection.
To help organizations prepare, the Forum has published a quantum toolkit that outlines a set of principles that organizations can use to help ensure they are ready to enter the quantum computing era. The toolkit provides organizations with a framework to assess their quantum readiness and identifies steps to prioritize and enhance their quantum security measures. It covers a range of areas, from strategizing about future-proof technology, embedding quantum risk in governance structures and existing risk management processes, to finding the right talent. The toolkit advises organizations to start now to give themselves sufficient time to experiment and get acquainted with the challenges and success factors that will allow a quantum-secure transition.
Since the release of the toolkit, the U.S. government has come out with regulations concerning the move towards quantum-safe computing. “Now that it is being codified in regulation it demands a lot more attention,” says Joshi. “Crypto hygiene is extremely important,” he says. “If we take an analogy with Y2K the impact was unknown, but the timeline defined. With quantum the timeline is extremely variable, but the impact is somewhat anticipated. The problem is that the average CISO is so caught up with the here and now they don’t have the bandwidth to deal with that.”
The proliferation of regulations around cybersecurity is putting a lot of burden on CISOs to figure out how to conform to the norm in different geographies, says Joshi. In July, the U.S. Securities and Exchange Commission (SEC) adopted rules requiring public companies operating in the U.S. to disclose cybersecurity incidents and annually report information regarding their cybersecurity risk management, strategy, and governance. “This needs to be a board responsibility,” says Joshi. “We have been talking about this for quite some time. Oversight for cyber risk can’t be left to the tech department.”
After the meeting ended the Forum’s Systems of Cyber Resilience: Electricity initiative issued a white paper that scrutinizes the current landscape of cyber regulations to tackle existing gaps and complexities and proposes collective positions on behalf of the sector to standardize cybersecurity practices across diverse regulatory environments.
Due to the economy, budgets are tight so CISOs are concerned about having adequate resources to meet regulatory obligations and mitigate cybersecurity risks, says Joshi.
Even if large companies manage to get their own cybersecurity houses in order the third-party suppliers they do business with may not have the resources to deploy what is needed, inserting vulnerabilities into the broader ecosystem.
Supply chain risks remain one of the biggest concerns for any CISO, says Joshi, along with attacks impacting critical infrastructure.
Just days before the Forum’s annual meeting on cybersecurity, a serious cyberattack disrupted operations at four of Australia’s largest ports, causing delays and congestion. Late on Friday, port operator DP World detected an IT breach that affected critical systems used to coordinate shipping activity. DP World Australia, which manages the flow of nearly 40% of Australia’s goods and is owned by Dubai-based logistics giant DP World, is one of that country’s largest port operators, handling approximately 40% of the nation’s container trade across terminals in Brisbane, Sydney, Melbourne and Fremantle.
Space is another worry. “We had a very interesting session on cyber and space,” says Joshi. “Although it might seem that this is not something that will directly impact cybersecurity, if you go back to the Viasat incident during the crisis in Ukraine the intent was to disrupt the communications infrastructure in Ukraine but there were wind farms that came to a standstill in Germany because they were using the communications infrastructure for operation monitoring.”
In addition to impacting a major German energy company’s remote monitoring access to over 5,800 wind turbines, in France nearly 9,000 subscribers of a satellite internet service provider experienced an internet outage and around a third of 40,000 subscribers of another satellite internet service provider in Europe (Germany, France, Hungary, Greece, Italy, Poland) were affected.
“As the cost to deploy satellites in space goes down there are significant risks in space infrastructure and, as the Ukraine incident illustrates, ground-based infrastructure is also prone to vulnerabilities,” says Joshi.
The Cybersecurity Centre has formed groups to deal with industry-specific cyber threats. There is one for the oil and gas industry, another for electricity and one targeting manufacturing. The Forum runs initiatives year-round with members of its community. The annual meeting is an opportunity to get together and advance some of that work, says Joshi.
At this year’s meeting the Forum kicked off an initiative to bridge the cyber skills gap, another top concern of CISOs, says Joshi. Last year there were 3.5 million unfilled cybersecurity positions. That gap has widened to around 4 million this year. “Companies are really struggling, hiring talent is extremely hard,” he says.
IN OTHER NEWS:
Ransomware Attack On ICBC Disrupts Trades In U.S. Treasury Markets
A ransomware attack on the financial services arm of China’s largest bank disrupted the U.S. Treasury market by forcing clients of the Industrial and Commercial Bank of China to reroute trades. The Securities Industry and Financial Markets Association told members that ICBC Financial Services had been hit by ransomware software, which paralyzes computer systems unless a payment is made. The attack prevented ICBC FS from settling Treasury trades on behalf of other market participants, according to traders and banks, with some equity trades also affected. Market participants including hedge funds and asset managers rerouted trades because of the disruption and the attack had some effect on Treasury market liquidity, trading sources told The Financial Times.
A Big Week In AI
It was a momentous week in AI. OpenAI announced plans for a “GPT Store”, enabling users to develop and market customized bots tailored for specific functions. Some rivals are doing similar things — marking a new stage in the march of Big Tech: the emergence of AI-powered “agents” that can carry out tasks on behalf of consumers. OpenAI is releasing a platform for subscribers to its ChatGPT Plus service for developing bots powered by GPT-4, its underlying AI model. Developers will be able to create “GPTs” for external use, as the company is calling these AI apps, for purposes that might range from maths tutoring to interior design to creating presentations. They can be branded and marketed via the coming GPT Store, with OpenAI eventually splitting revenues with the most popular creators. More notably, GPTs will be able to “plug in” to other websites and services — enabling them to perform tasks such as sending emails or making payments or bookings. The ability to handle online tasks turns AI-driven apps into agents that can, over time, plan and perform more complex actions. Think of a shopping assistant that can browse online for specific products and then buy them, or a concierge that plans and books travel — and which builds up an intimate knowledge of a user’s preferences.
Meanwhile, Elon Musk announced an AI ChatGPT rival called Grok that will be added to his platform, X, formerly known as Twitter. There was a U.S. Senate subcommittee hearing about AI regulation in the healthcare space, a targeted attack against OpenAI, the first wearable AI device that intends to one day replace the smartphone was announced, and news broke that a robot has used meteorite extracts from Mars to help make oxygen from water, melding artificial intelligence’s powers of chemical discovery with efforts to explore and even populate the red planet. The automated experiment boosts the possibility of sustaining future manned outer space missions, according to the paper published on November 13 in Nature Synthesis. The authors estimated that it would have taken 2,000 years of human labor to achieve the same result by trial and error.
The UK Greenlights CRISPR Treatment
The United Kingdom has become the first country to give regulatory approval to a medical treatment involving the revolutionary CRISPR gene editing tool. The country’s Medicines and Healthcare products Regulatory Agency said November 16 it had given a greenlight to a treatment known as Casgevy, which will be used to treat sickle cell disease and beta thalassemia. Both genetic conditions are caused by errors in the genes for hemoglobin, which is used by red blood cells to carry oxygen around the body. There is no known universally successful treatment for either disorder. Sickle cell disease, which can result in attacks of debilitating pain, is more common in people with an African or Caribbean family background. Beta thalassemia mainly affects people of Mediterranean, South Asian, Southeast Asian and Middle Eastern origin, the statement said.