AI: the impact on the cyber threat
AI’s effect on cyber defence and offence is still in its early stages, but it will be transformative. Actors on both sides are likely to see a significant capability uplift, with the potential for greater advantage on the defensive side. For companies, AI’s most immediate impact is as Shadow IT: employees using AI applications for work without company oversight or, in the worst case, without the company’s awareness.
Both state and nonstate threat actors have begun integrating AI across their offensive operations. Key use cases include more convincing social engineering within phishing attacks, enhanced reconnaissance, and the semi-automation of malware development and mutation. On the defensive side, the greatest uplift so far has been at the application layer, where AI is improving the quality, consistency and efficiency of security tooling. Companies are rolling out ever faster behaviour-based analytics to detect abnormal activity within a network, automated threat intelligence that provides real-time updates on the threat landscape, and AI-assisted incident response training.
Whilst AI’s impact on cybersecurity is likely to be significant, it is important to take a considered, longer-term view rather than fixate on a single technology. Ensuring that companies have the practised capability and capacity to respond to and recover from cyber incidents remains the keystone of protecting value and reducing or avoiding business interruption.
Ransomware: spending money to make money
Over the past five years, the ransomware industry has grown exponentially despite increasing cross-border law enforcement action. Chainalysis estimated that total ransomware payments exceeded $1 billion in 2023, a near five-fold increase from the estimated $220 million paid in 2019. Ransomware actors therefore have a strong incentive to invest money in maximising the likelihood of a successful attack.
The ‘zero-day vulnerability market’ refers to the buying and selling of previously unknown security flaws. Major technology corporations such as Apple have established bug bounty programmes that pay between $5,000 and $2 million. Third-party exploit brokers, which sell exploits to corporate and government clients, may offer higher sums: Zerodium offers up to $2.5 million. Criminals, however, are willing to pay significantly more, with a 2021 report recording offers of up to $10 million from dark-web threat actors. The effect is a price ladder in which the vendor is the lowest bidder and the criminal market the highest.
People continue to be the biggest cybersecurity risk to organisations. Whilst the industry’s focus has primarily been on human error, the risk also includes deliberate malicious activity by employees. A survey of 100 IT and security executives found that 65% of companies had seen employees approached to assist in ransomware attacks, with around 40% of those employees offered at least half a million US dollars, in cash or bitcoin, for their support.
The significant financial reward of ransomware, and of selective IP theft, incentivises threat actors to offer monetary rewards to insiders. A key indicator of resilience in an enterprise is the interplay between the people, security and cyber functions: clearly defined roles, modelling of plausible insider risks, and exercising against them. Care is needed in how such work is managed and communicated, to create the right level of curiosity in the workforce whilst avoiding excessive distrust.
Geopolitics: the cyber threat to public trust
With increasing geopolitical tensions worldwide, state actors seeking a low-cost, low-risk method of promoting their interests can launch cyberattacks on nongovernmental entities to indirectly weaken public trust in government and societal institutions. In 2022, local residents living near a hospital that had been hit by ransomware were surveyed about the incident; the results found that their trust in the government and security agencies had fallen because of the attack. More recently, Canada’s Communications Security Establishment warned that Russia-aligned nonstate threat actors were likely aiming to compromise Canada’s oil and gas sector in order to generate a ‘psychological impact’ amongst Canadians and ‘weaken Canadian support for Ukraine’.
As geopolitical tensions ramp up and many states make use of cyber and disinformation tools below the threshold of an act of war, the likelihood of companies being impacted, whether directly or indirectly, increases. Election periods represent an opportunity for state threat actors to maximise their destabilising impact on political processes. Companies should therefore ensure that resilience and response protocols are current and include tailored provisions and strategies for the event that a state-aligned threat actor launches an attack.
Food for thought: the cybersecurity equity gap
The cybersecurity equity gap refers to the growing divide between the most- and least-resourced entities across the globe. This cybersecurity gap, which exists in both the public and private sectors, represents an alarming risk for all stakeholders due to the interconnected nature of the global cyber ecosystem. Companies with international operations and subsidiaries may therefore be unknowingly exposed to cyber risk due to weaker cybersecurity capabilities in some markets.
Research to date into this equity gap has found that it benefits threat actors, who can leverage the globalised nature of supply chains to target the most insecure link in the chain in order to reach their victims. One report estimated a 200% increase in open-source supply chain attacks in 2023 compared with 2022. Another report found that 98% of organisations have a relationship with at least one third party that has experienced a breach in the last two years.
This capabilities gap is not limited to companies; similar divides exist between governments, with consequences for global cooperation and international relations. It was reported that the US government had been hesitant about sharing defence-related information with Japan due to concerns around cybersecurity standards. The Philippine government acknowledged that its inability to provide competitive pay for cybersecurity experts meant that it was, in some instances, forced to work with “black hat” hackers who may have attacked government websites. The capabilities and roles of cybersecurity centres and regulators vary enormously between jurisdictions, even within regulatory blocs such as the EU.
The cybersecurity equity gap remains a difficult challenge to address, with major consequences for the cyber ecosystem. Companies with global footprints should be aware of the uneven cybersecurity capabilities across their markets and account for them when building resilience and crisis management plans, regularly updating those plans, and their understanding of third-party exposure, across their entire global footprint.