Sadly, my annual outlook for cybersecurity has, for the past 20 years, been this: "things will get worse before they get better."
In this context, "the outlook for cybersecurity" is the expected performance of efforts to defend information systems from abuse, as measured by the amount of system abuse that occurs despite those efforts.
If you boil cybersecurity outlook down to a single question it is this: will criminal acts targeting digital systems and the data they process cause more harm next year than they did this year? On the right you can see just one measure of such harm, a dollar figure for internet crime losses reported to IC3 and the FBI. The losses recorded in this metric hit $3.5B in 2019.*
I predict that for 2020, the IC3/FBI report will show around $4.7B in losses, barring significant changes to the report's methodology. I further predict that the number will reach $6B in 2021.
Of course, I could be wrong, and I sincerely hope that the losses turn out to be lower than my predictions. What I can promise is that I will post the 2020 number as soon as it is published (about 45 days from now, if the Biden-Harris administration sticks to the traditional schedule).
One way of looking at the problem
Regardless of the IC3/FBI numbers for 2020, I think that criminal acts targeting digital systems and the data they process will cause more harm in 2021 than they did this year. And I say that despite 2020 being a quite unusual year, what with all that cybercrime which leveraged the pandemic, and the presidential election in the US, plus the massive Russian SolarWinds breaches.
The rest of this blog post is just one way of documenting why my outlook is bleak (I am working on a longer article about the history of my "will get worse before it gets better" perspective). What you have here are 50 cybersecurity headlines that I noticed during the last 30 days of 2020. These are not ALL the cybercrime headlines from December 2020. They are just a sample, plucked from one of the best cybersecurity "feeds" that I have found: InfoSecSherpa's Newsletter (subscription strongly recommended).
This daily email newsletter is produced by @InfoSecSherpa who pledges to provide: "a daily summary of 10 Information Security news items that aren't necessarily getting a lot of attention." So, here are 50 items I picked out to reflect the range of cyber-criminal activity currently taking place. I'm not saying that you should read them all. I think a quick scan will make my point:
- Fresh Card Skimmer Attacks Multiple E-Commerce Platforms
- Massive Cyber Attack Takes Down Major German Newsgroup
- Kawasaki Heavy Industries reports data breach as attackers found with year-long network access
- Cruise Ships Forced to Cancel Sailings Due to Possible Cyberattack
- Vietnam targeted in complex supply chain attack
- 'Serious attack on our democracy': Cyber strike hits Finnish MPs
- REvil hackers to leak photos of plastic surgery patients after massive hack
- VOIP hardware and software maker Sangoma struck by ransomware attack
- Hackers Tapped Microsoft Resellers To Gain Access
- Rakuten exposes 1.48 million sets of data to access from outside
- Pension Plan Personal Data Breached, Third-Party Blamed
- Russian crypto-exchange Livecoin hacked after it lost control of its servers
- Major Swedish firms suffer prolonged malware attack
- Emotet Returns to Hit 100K Mailboxes Per Day
- U.S. Cyber Agency: SolarWinds Attack Hitting Local Governments
- Credential phishing attack impersonating USPS targets consumers over the holidays
- Japanese Companies Fall Victim To Unprecedented Wave of Cyber Attacks
- Louisville PVA office temporarily closes due to a cyber threat
- Treasury Dept. email accounts were compromised in hack blamed on Russia
- Iranian hackers hit Israel aerospace industries
- iPhones vulnerable to hacking tool for months, researchers say | Malware
- Two Rubygems Infected With Crypto-Stealing Feature Malware
- Ransomware Attackers Using SystemBC Malware With Tor Proxy
- Cybercrime: Fake call centre duping foreign nationals busted in Delhi, 54 arrested
- House purchases in Hackney fall through following cyber attack against council
- Print security is the remote working cyber risk very few saw coming
- Poland, Lithuania are targets of cyber disinformation attack
- Norwegian cruise liner Hurtigruten sustains cyber attack
- Port of Kennewick crippled by cyberattack
- Two Indian banks affected by Windows ransomware attacks
- Iran suspected after massive cyberattack on Israeli firms revealed
- Files expose mass infiltration of UK firms by Chinese Communist Party
- Subway customers receive 'malware' emails
- KC suburb spent millions on cyber security protections but still got hit by ransomware
- Ransomware Attacks Hitting Vulnerable MySQL Servers
- Hackers leak data from trucking firm Cardinal Logistics
- Adrozek Malware Delivers Fake Ads to 30K Devices a Day
- New Malware Arsenal Abusing Cloud Platforms in Middle East Espionage Campaign
- Springfield Public Schools servers back to normal after October cyberattack that put abrupt pause to remote learning
- Ransomware gangs are now cold-calling victims if they restore from backups without paying
- Middle East facing 'cyber pandemic' as Covid exposes security vulnerabilities, cyber chief says
- Vancouver Metro Disrupted by Egregor Ransomware
- 113,000 Alaskan voter IDs exposed in data breach
- Data of 243 million Brazilians exposed online via website source code
- Cyberattacks Discovered on Vaccine Distribution Operations
- Brazilian aerospace firm Embraer hit by cyberattack
- Malware may trick biologists into generating dangerous toxins in their labs
- Spoofed FBI Internet Domains Pose Cyber and Disinformation Risks
- Cyber attacks against vaccine makers rise
- MacOS Users Targeted By OceanLotus Backdoor
These headlines paint a picture of rampant criminal activity abusing all manner of digital technology in all regions of the world, across all sectors of human endeavor, including education, research, medicine, healthcare, pharmaceuticals, heavy industry, light industry, commercial shipping, recreational shipping, retail, banking, software, hardware, the media, local government, state government, national government.
These headlines also document the main reason that I think the harm caused by such activity in 2021 will be even greater than in 2020: whatever deterrents there are to people continuing to engage in this type of activity, they are clearly not working. And in 2021 there will be more people than ever with both the motive and means to engage in cybercrime, and more opportunities than ever to commit cybercrime.
- Motive increase: widespread pandemic-related economic hardship
- Means increase: constantly improving cybercrime skills, increasingly accessible (e.g. crime-as-a-service)
- Opportunities increase: more devices and data, in more locations, performing increasingly valuable functions
As 2021 rolls on I will continue to document the scale of the cybersecurity challenge as I see it. For now, let me extend a massive THANK YOU to all the dedicated and righteous souls who labored so hard in 2020 to fend off the bad actors.
Is there any room for optimism in 2021? Maybe, if the Biden-Harris administration is allowed to get on with the job of instigating major improvements in globally coordinated cybercrime deterrence. (And to be clear, I do sincerely hope that six months from now reality will show that my current outlook was overly pessimistic.)
In any event, here's to "cyber" becoming way less crimey in 2021. Happy New Year!
Notes
* While IC3 is the source of the numbers in the graph, IC3 has not—to my knowledge—published them in a graph; in other words, I built the graph from their numbers. And I know that the IC3 numbers are by no means perfect crime metrics; they are based on data that is accumulated as a by-product of one avenue of attack against the crimes they represent. However, I have studied each of the annual reports and I am satisfied that collectively they provide solid evidence of a real-world cybercrime impact trend that looks very much like the line shown in the graph. For more on issues with cybercrime measurement, see my article in the Journal of National Security Law & Policy: Advancing Accurate and Objective Cybercrime Metrics.