Attendees at the Black Hat 2022 conference in Las Vegas heard that the US Cybersecurity and Infrastructure Security Agency (CISA) holds a pessimistic outlook on short-term developments in cybersecurity.
In the words of Chris Krebs, the first director of CISA, the US Department of Homeland Security expects things to get worse before they get better. Krebs also pointed out several reasons for the pessimistic outlook:
- Technology complexity is increasing risks
- Cybercriminals are getting bolder
- Governments are slow to adapt
- Stakeholders in many industries are unaware of cybersecurity threats
The switch to a more digital marketplace has compounded security issues even further. Now, with many businesses thriving online, it is harder for security to keep up with the complexity of modern technology. The situation allows various malicious actors to exploit the gaping holes within the security apparatus.
Most experts and stakeholders hold that the situation will eventually reach equilibrium. But unless the stakeholders and decision-makers in government and public spheres change their current approach, the issues will persist.
Why Is Cybersecurity on a Downward Spiral?
During the conference, Krebs highlighted the four main reasons behind today’s cybersecurity challenges. Throughout the conference, other keynote speakers also reiterated these ideas in their own ways.
The first reason was the accelerated adoption of cloud technologies in the wake of the pandemic. Many companies are focused on being first to market and adopt new technologies at a fast pace, throwing all caution to the wind.
Second, our careless and hasty cloud adoption has given criminals carte blanche to do whatever they want. This has resulted in some of the biggest security breaches in 2021. And, with lax cybersecurity to boot, criminal cyber incursions face little to no opposition.
Additionally, world governments' understanding of and approach to the cybersecurity issue, including that of the United States, may be systematic, but it relies too much on outdated methods. In the current situation, these obsolete methods may not be applicable.
Finally, industry stakeholders and decision-makers are unaware of the severity of the threats. Few CEOs understand the risks before their own company is under attack. Since public companies are largely unaware of the cybersecurity issues, their position is even worse.
Cybersecurity Is One of Technology’s Growing Pains
Stakeholders in the tech sector are trying to combat their security-related vulnerabilities. However, the success of their efforts is questionable due to the reasons alluded to earlier.
Businesses in non-tech industries, which have only recently migrated to cyberspace, are up against even tougher risks. In most cases, companies focus on technologies that provide instant benefits, without considering the risks they inadvertently invite by adopting them.
On the regulatory side, the government and public bodies are promulgating different compliance acts to battle the issue. One notable example is the creation of the California Consumer Privacy Act (CCPA). However, even that act hasn’t pushed vendors to fully adapt.
As the situation continues to evolve, it is reasonable to expect that the increase in demand for security products will also spur growth in the commercial cybersecurity market. But the development of new, scalable tools will take time. Market-wide adoption, on the other hand, may be even slower.
It is estimated that cybercrime cost the global economy $6 trillion in 2021, making it a threat ten times larger than the global illicit drug trade in terms of damages incurred. The figure also illustrates that cybercrime may become the biggest criminal industry in the world.
The increase in complexity has left gaps in much of the economy’s cybersecurity. Additionally, the number of vulnerable targets is rising as more market players adopt cloud technologies.
Moreover, the rise in adoption of remote and hybrid work models has opened up a whole new angle of attack for both industrial espionage and cybercrime. Many recent remote workers are uninitiated in cybersecurity methods, and so become easy targets for bad actors.
Lack of Understanding
Even among the experts, it seems a holistic understanding of the situation is absent. Consequently, industry stakeholders, as well as government agencies, are relying on old tools and techniques that might have worked in the past.
Governments are also facing a bureaucracy issue. Most solutions have to go through many rounds of committee deliberations before they’re accepted as policy. Generally, these checks and balances improve most solutions. But, in the case of cybersecurity, decision-makers need to act fast and roll out solutions as quickly as possible before they become obsolete.
Further, the cybersecurity field is severely lacking in experts. Even seasoned specialists need time to fully grasp the complexity of the risks. The supply of experts is far behind the rapidly increasing demand.
To remedy the supply-side issue, companies such as IBM are trying to source talent from alternative sources, while others are simply trying to hog talent by increasing compensation. Doing so has worked out for some of the biggest names across industries, but it has shut out many smaller actors from accessing specialized talent within cybersecurity.
A Wake-up Call for the Market
Even though the Black Hat 2022 conference had a slightly bleaker outlook, Krebs pointed out that he is optimistic about the future. He commended the Biden administration’s focus on both funding cybersecurity programs and cybersecurity apprenticeships, which should help train new talent.
He also mentioned the need for more severe sanctions against cybercriminals, regardless of the scale of an attack. Sanctions would be especially effective for cyberattacks in the fintech industry, where many acts of digital crime overlap with already registered financial crimes.
In the end, Krebs proclaimed his faith in the people making up the industries, as well as the consumers, for bringing about the much-needed transformations. He believes people will eventually rise to the occasion because cybersecurity is in everyone’s interest.