Today’s cyber landscape isn’t just shaped by hackers seeking to prove their skills; it also includes nation-state actors on the offensive. At the ISC2 Security Conference in Las Vegas, CISA advisor and former New York Times cybersecurity journalist Nicole Perlroth took the stage to shed light on the evolving threat landscape over the past decade. Her presentation wrapped up the conference held from October 13 to 16.
Perlroth highlighted how attackers now seek “target-rich, cyber-poor” victims. She shared a timeline of nation-state attacks she reported on between 2011 and 2021. The entry barriers for attackers have lowered significantly, with ransomware evolving into a thriving economy. A notable example she discussed was the CrowdStrike outage, which illustrated how a widespread attack can severely disrupt operations.
In the past, the U.S. felt insulated from many threats due to its geographical advantage, but Perlroth remarked that “those oceans don’t exist anymore” in the realm of cyberspace. The digital landscape has shifted; today, the new edge encompasses the cloud, software as a service, and hybrid work environments. She emphasized that “the new edge is the people, it’s the endpoints.”
Attacks can now manifest as sophisticated deepfakes targeting CEOs or direct assaults on critical infrastructure. Perlroth particularly focused on Chinese state-sponsored attacks, such as the 2018 breach of the Marriott hotel chain. She described environments like Marriott and Change Healthcare as “target-rich, cyber-poor,” meaning they hold valuable data but lack robust cybersecurity teams. This includes sensitive personal information of government personnel.
Another vulnerable area she identified is water treatment facilities. Many of these local operations don’t have dedicated cybersecurity experts, which makes them prime targets. Perlroth expressed concern over the underestimation of the risks, stating, “The code had become the critical infrastructure and we really hadn’t bothered to notice.”
Shifting gears to global politics, Perlroth noted the relationship between cybersecurity and military action, particularly regarding Russia and China. With Russia’s offensive in Ukraine and China potentially eyeing Taiwan, cyber actors might aim to hinder U.S. military responses or manipulate public opinion. Despite expectations for more cyber attacks from Russia amid the Ukraine conflict, Perlroth pointed out the significant attacks that did occur, including DDoS attacks and disruptions to commercial services.
Then she discussed how generative AI is changing the game. Perlroth explained that AI allows both companies and attackers to create zero-day exploits and new code rapidly. While it poses challenges, it also offers defenders the chance to respond to attacks faster and more efficiently. She warned that upcoming large-scale attacks might originate from AI-related systems.
Perlroth urged cybersecurity professionals to begin sector-by-sector assessments to identify vulnerable entities, akin to Change Healthcare in various industries. The encouraging news is that cybersecurity professionals today are more aware of threats. They’ve become adept at conveying security’s importance to upper management. CISOs have evolved into business continuity officers, equipped with strategies for swift recovery post-attack.
She stressed the importance of considering organizational culture, management, budgets, and training alongside technical skills. The vital question remains: “What are my crown jewels and how do I secure them?”
Throughout her presentation, Perlroth aimed to inform rather than fearmonger, stressing the need for a balanced perspective on threats. She believes there’s immense hope in how the government and private sector can collaborate for better cyber defense.