Shifting sands of cyber
A number of high-profile stories in the cyber-security space occurred in the past month. As political relations between the US and Russia continue to evolve, so does the approach to Russian cyber threats.
In recent weeks, the US has made a series of moves to suggest that Russia is no longer considered a key threat, with the pausing of offensive operations, the absence of Russia in lists of top threat actors, and reports suggesting that formal collaboration between various US and European agencies to specifically counter Russian sabotage has also ceased.
This is perhaps out of step with prevailing global thinking. Indeed, the thinktank Center for Strategic and International Studies (CSIS) believes, on the basis of its research, that Russian campaigns of sabotage and subversion are escalating, with a tripling of attacks (both physical and virtual) between 2023 and 2024.
Infrastructure and public sector organisations are cited as primary targets in CSIS’s report, with cyber attacks used to undermine trust and cohesion through persistent low-level activities not generally considered significant enough to trigger a formal, collective response.
There is some agreement on the threat posed by North Korea, especially after criminals believed to be working for the North Korean government were able to convert more than $300m (£232m) of stolen cryptocurrency into unrecoverable funds. So far, just $40m of the $1.5bn stolen has successfully been recovered. This highlights the risks that continue to be posed by the use of digital assets, despite the traceability of crypto transactions on the public blockchain.
From a UK perspective, it’s not necessarily true that cyber attacks perpetrated by state actors are unlikely to affect smaller organisations. Indeed, smaller organisations are most likely to be attacked as a way to undermine trust. For example, HMRC scams regularly do the rounds at this time of year and are typically perpetrated by criminal gangs of all sizes.
It is also important, as always, to consider supply chain cyber security as a priority. There is a clear risk that the US’s more relaxed attitude towards Russian cyber risks could allow bad actors to attack non-US organisations through the back door.
Quantum risks
The risks posed by quantum computing are also set to increase in the coming years. As a result of this, the UK’s National Cyber Security Centre (NCSC) has issued new guidance recommending larger organisations take steps now to ensure so-called ‘post-quantum cryptography’ is in place to prevent attacks utilising quantum technology.
At the same time, the National Institute of Standards and Technology in the US has identified candidate algorithms for a set of standards in relation to post-quantum cryptography.
As computing power, driven by quantum, looks set to take another leap forward in the coming years, the cyber security landscape must also evolve to detect and prevent attacks. Post-quantum cryptography is one of the solutions to this challenge, but the journey is likely to take several years. NCSC predicts that full migration to post-quantum cryptography may not be completed before 2035, so it is fortunate that quantum computing is not expected to become widely available within that timeframe.
Big moves by big players
Two of the world’s largest tech companies have also both made headlines recently in the cyber space.
Google’s parent company, Alphabet, is set to buy cyber security start-up Wiz for $32bn, its most expensive acquisition on record. While many readers may not have heard of Wiz, it is used by more than half of the Fortune 100 and several well-known global brands such as Revolut, DocuSign and Mars, and so is very likely a part of many business supply chains.
Meanwhile, the UK government is embroiled in a row with Apple regarding its Advanced Data Protection (ADP) feature. After the UK government requested the ability to access data encrypted using ADP, Apple withdrew the feature entirely for UK-based users before embarking on legal action, which is now proceeding in secret.
While these hearings play out, it’s important to note that data stored by Apple remains protected and encrypted. However, ADP provided more sophisticated, end-to-end encryption that could not be accessed by anyone other than the end user, including law enforcement agencies and Apple themselves.
Getting the basics right
Security measures such as biometric authentication and two-step verification (2SV) remain critical tools in protecting sensitive information stored on mobile devices. The NCSC has launched a campaign under the Stop! Think Fraud initiative (including a video advert) to encourage individuals and businesses to ensure 2SV is in place wherever possible to protect online accounts and physical devices.
Cyber considerations also feature in our recently published software adoption guidance. When looking at software procurement, particularly for cloud-based solutions, it’s important to consider the cyber resilience of those solutions and the controls that need to be in place to protect data and ensure continuity of service in the event of a cyber incident. Our guidance pages explore these considerations, among many others, critical for the successful adoption of software that delivers on business needs. And as always, the NCSC’s 10 Steps to Cyber Security provides a useful starting point for cyber best practices.
Finally, as we’ve covered in our recent round-ups, a consultation by the UK Home Office on ransomware legislative proposals remains open until 8 April. Ransomware is still one of the biggest cybercrime threats faced by individuals and businesses – an overview of the ransomware threat and the government’s proposals can be found here (Commercial Partner content). Any views on the proposals, as well as any other cyber stories you’d like to share, can be sent to techfac@icaew.com.