Theme 3: Impact of a Digitised World
The aftereffects of Covid-19 continue to accelerate digital transformation as the world increases its reliance on cyberspace. Although this has brought upgrades in the agility of technological platforms, the shift towards hybrid working environments has enlarged the attack surface through which threat actors can exploit bad security habits.
In the first half of 2021, the FBI reported a 62% increase in ransomware complaints in the US from the same period in 2020, while the US Treasury logged ransomware-connected suspicious activity reports (SARs) to the amount of USD 590 million in that time – a 42% increase from the entirety of last year. This rapidly changing threat landscape will further test the ability of firms to promote a security culture that allows employees to work safely and productively in 2022.
“Zero trust” frameworks (designed to segment networks and prevent cyber intruders from moving laterally through organisations) will soon become the norm. However, this is unlikely to address underlying vulnerabilities, particularly human factors. As global travel reopens and the entertainment, education and hospitality sectors recover from the pandemic, cyber criminals will adapt their social engineering tactics to exploit increasing demand. This will lead to more frequent scams and phishing attempts by criminals masquerading as travel companies, airlines, ticket vendors and health authorities, particularly near major events such as the Winter Olympics in Beijing.
As shown by the Colonial Pipeline incident in the US in May, the risk of a cyber attack causing serious disruption to critical infrastructure also looms, particularly as ransomware teams explore methods such as software supply chain attacks (in a comparable way to the SolarWinds attack in 2020), firmware rootkits (which could allow malware to load on computers before operating systems can initialise antivirus protections), and bulk “smishing” campaigns (phishing via text message).
The effects of inter-state cyber conflicts will increasingly impact societies as more nations pledge to retaliate against cyber attacks with their own offensive capabilities. Notwithstanding their progress in modernising conventional weapons, China and Russia have already proven their ability to harm the government sites and vital infrastructure of rivals such as Australia and Canada from a distance.
Canberra joined the UK and the Netherlands among those who threatened to use military cyber assets in response to ransomware this year, highlighting rising intolerance of attacks on soft targets such as healthcare and education. As hostilities escalate, the protection of harder targets, such as power grids, food supply chains and water treatment facilities, is likely to become more difficult as states deploy more complex tactics. In a worst-case scenario, online aggressors could target smart city technologies to devastating effect, forcing governments to rethink how they shore up critical sectors.
Meanwhile, the intersection of the digital and physical worlds will continue to drive established risks, including the tendency of protest movements and extremists to coordinate through a widening choice of messaging apps with strong encryption. This will increase the likelihood of government-enforced internet and communication blackouts in jurisdictions where resistance groups challenge the state, such as Myanmar, Nigeria, and India’s Jammu and Kashmir.
There are unfamiliar risks too, including the weaponisation of deepfakes (both voice and video) and other synthetic media, which offer tools for adversaries to manipulate financial markets, sow public discord or damage reputations. As artificial intelligence (AI) and automation penetrate industry domains, some executives might also have to address job losses when many populations are still bearing the financial impact of Covid-19 in 2022.
Finally, data will continue to increase in value amid developments in high-performance computing and predictive analytics. This is likely to drive further tension between service, security, and privacy, increasing levels of public distrust towards emerging technologies and their end users. This could manifest in the form of anti-corporate activism (against both developers and their high-profile clients), protests, boycott campaigns and hacktivism, especially in cases of data leaks or misuse. Security managers and compliance officers across all sectors will therefore have more prominent roles in strategic planning and R&D initiatives moving forward.