Thursday, December 31, 2020

Cybersecurity had a rough 2020, but 50 recent headlines suggest the outlook for 2021 could be even worse

Sadly, my annual outlook for cybersecurity has, for the past 20 years, been this: "things will get worse before they get better." 

In this context, "the outlook for cybersecurity" is the expected performance of efforts to defend information systems from abuse, as measured by the amount of system abuse that occurs despite those efforts. 

If you boil cybersecurity outlook down to a single question it is this: will criminal acts targeting digital systems and the data they process cause more harm next year than they did this year?

On the right you can see just one measure of such harm, a dollar figure for internet crime losses reported to IC3 and the FBI. The losses recorded in this metric hit $3.5B in 2019.*

I predict that for 2020, the IC3/FBI report will show around $4.7B in losses, barring significant changes to the report's methodology. I further predict that the number will reach $6B in 2021.

Of course, I could be wrong, and I sincerely hope that the losses turn out to be lower than my predictions. What I can promise is that I will post the 2020 number as soon as it is published (about 45 days from now, if the Biden-Harris administration sticks to the traditional schedule).

One way of looking at the problem

Regardless of the IC3/FBI numbers for 2020, I think that criminal acts targeting digital systems and the data they process will cause more harm in 2021 than they did this year. And I say that despite 2020 being a quite unusual year, what with all that cybercrime which leveraged the pandemic, and the presidential election in the US, plus the massive Russian SolarWinds breaches. 

The rest of this blog post is just one way of documenting why my outlook is bleak (I am working on a longer article about the history of my "will get worse before it gets better" perspective). What you have here are 50 cybersecurity headlines that I noticed during the last 30 days of 2020. These are not ALL the cybercrime headlines from December 2020. They are just a sample, plucked from one of the best cybersecurity "feeds" that I have found: InfoSecSherpa's Newsletter (subscription strongly recommended).

This daily email newsletter is produced by @InfoSecSherpa who pledges to provide: "a daily summary of 10 Information Security news items that aren't necessarily getting a lot of attention." So, here are 50 items I picked out to reflect the range of cyber-criminal activity currently taking place. I'm not saying that you should read them all. I think a quick scan will make my point: 

  1. Fresh Card Skimmer Attacks Multiple E-Commerce Platforms
  2. Massive Cyber Attack Takes Down Major German Newsgroup
  3. Kawasaki Heavy Industries reports data breach as attackers found with year-long network access
  4. Cruise Ships Forced to Cancel Sailings Due to Possible Cyberattack
  5. Vietnam targeted in complex supply chain attack
  6. 'Serious attack on our democracy': Cyber strike hits Finnish MPs
  7. REvil hackers to leak photos of plastic surgery patients after massive hack
  8. VOIP hardware and software maker Sangoma struck by ransomware attack
  9. Hackers Tapped Microsoft Resellers To Gain Access
  10. Rakuten exposes 1.48 million sets of data to access from outside
  11. Pension Plan Personal Data Breached, Third-Party Blamed
  12. Russian crypto-exchange Livecoin hacked after it lost control of its servers
  13. Major Swedish firms suffer prolonged malware attack
  14. Emotet Returns to Hit 100K Mailboxes Per Day
  15. U.S. Cyber Agency: SolarWinds Attack Hitting Local Governments
  16. Credential phishing attack impersonating USPS targets consumers over the holidays
  17. Japanese Companies Fall Victim To Unprecedented Wave of Cyber Attacks
  18. Louisville PVA office temporarily closes due to a cyber threat
  19. Treasury Dept. email accounts were compromised in hack blamed on Russia
  20. Iranian hackers hit Israel aerospace industries
  21. iPhones vulnerable to hacking tool for months, researchers say
  22. Two Rubygems Infected With Crypto-Stealing Feature Malware
  23. Ransomware Attackers Using SystemBC Malware With Tor Proxy
  24. Cybercrime: Fake call centre duping foreign nationals busted in Delhi, 54 arrested
  25. House purchases in Hackney fall through following cyber attack against council
  26. Print security is the remote working cyber risk very few saw coming
  27. Poland, Lithuania are targets of cyber disinformation attack
  28. Norwegian cruise liner Hurtigruten sustains cyber attack
  29. Port of Kennewick crippled by cyberattack
  30. Two Indian banks affected by Windows ransomware attacks
  31. Iran suspected after massive cyberattack on Israeli firms revealed
  32. Files expose mass infiltration of UK firms by Chinese Communist Party
  33. Subway customers receive 'malware' emails
  34. KC suburb spent millions on cyber security protections but still got hit by ransomware
  35. Ransomware Attacks Hitting Vulnerable MySQL Servers
  36. Hackers leak data from trucking firm Cardinal Logistics
  37. Adrozek Malware Delivers Fake Ads to 30K Devices a Day
  38. New Malware Arsenal Abusing Cloud Platforms in Middle East Espionage Campaign
  39. Springfield Public Schools servers back to normal after October cyberattack that put abrupt pause to remote learning
  40. Ransomware gangs are now cold-calling victims if they restore from backups without paying
  41. Middle East facing 'cyber pandemic' as Covid exposes security vulnerabilities, cyber chief says
  42. Vancouver Metro Disrupted by Egregor Ransomware
  43. 113,000 Alaskan voter IDs exposed in data breach
  44. Data of 243 million Brazilians exposed online via website source code
  45. Cyberattacks Discovered on Vaccine Distribution Operations
  46. Brazilian aerospace firm Embraer hit by cyberattack
  47. Malware may trick biologists into generating dangerous toxins in their labs
  48. Spoofed FBI Internet Domains Pose Cyber and Disinformation Risks
  49. Cyber attacks against vaccine makers rise
  50. MacOS Users Targeted By OceanLotus Backdoor

These headlines paint a picture of rampant criminal activity abusing all manner of digital technology in all regions of the world, across all sectors of human endeavor, including education, research, medicine, healthcare, pharmaceuticals, heavy industry, light industry, commercial shipping, recreational shipping, retail, banking, software, hardware, the media, local government, state government, national government. 

These headlines also document the main reason that I think the harm caused by such activity in 2021 will be even greater than in 2020: whatever deterrents there are to people continuing to engage in this type of activity, they are clearly not working. And in 2021 there will be more people than ever with both the motive and means to engage in cybercrime, and more opportunities than ever to commit cybercrime.

  • Motive increase: widespread pandemic-related economic hardship
  • Means increase: constantly improving cybercrime skills, increasingly accessible (e.g. crime-as-a-service)
  • Opportunities increase: more devices and data, in more locations, performing increasingly valuable functions

As 2021 rolls on I will continue to document the scale of the cybersecurity challenge as I see it. For now, let me extend a massive THANK YOU to all the dedicated and righteous souls who labored so hard in 2020 to fend off the bad actors.

Is there any room for optimism in 2021? Maybe, if the Biden-Harris administration is allowed to get on with the job of instigating major improvements in globally coordinated cybercrime deterrence. (And to be clear, I do sincerely hope that six months from now reality will show that my current outlook was overly pessimistic.)

In any event, here's to "cyber" becoming way less crimey in 2021. Happy New Year!

Notes

* While IC3 is the source of the numbers in the graph, IC3 has not, to my knowledge, published them in a graph; in other words, I built the graph from their numbers. And I know that the IC3 numbers are by no means perfect crime metrics; they are based on data that is accumulated as a by-product of one avenue of attack against the crimes they represent. However, I have studied each of the annual reports and I am satisfied that collectively they provide solid evidence of a real world cybercrime impact trend that looks very much like the line shown in the graph. For more on issues with cybercrime measurement, see my article in the Journal of National Security Law & Policy: Advancing Accurate and Objective Cybercrime Metrics.