ISMG Editors: Looking Back on 2023
Editors Reflect on Top Interviews With Thought Leaders in the Past Year
Anna Delaney (annamadeline) • December 29, 2023
In this weekly update, four editors at Information Security Media Group delve into key 2023 cybersecurity issues, spotlighting efforts by the Biden administration, proposed U.S. healthcare cybersecurity laws, and crucial upcoming dates for the information security community.
The panelists - Anna Delaney, director, productions; Mathew Schwartz, executive editor, DataBreachToday and Europe; Marianne Kolbasuk McGee, executive editor, HealthcareInfoSecurity; and Tom Field, senior vice president, editorial - discussed:
- Tom Field's conversation with U.S. Deputy National Security Adviser Anne Neuberger on the Biden administration's cybersecurity endeavors, notable achievements and strategic initiatives;
- Marianne Kolbasuk McGee’s interview with Virginia Democratic Sen. Mark Warner, chair of the Senate Select Committee on Intelligence, who discussed potential U.S. healthcare sector cybersecurity legislation;
- Mathew Schwartz's discussion with Black Hat creator Jeff Moss about two near-term geopolitical challenges facing the cybersecurity community and why we must prepare for them now.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Dec. 15 edition on decoding BlackCat ransomware's downtime drama and the Dec. 22 edition on AI concerns and priorities for CISOs.
Transcript
This transcript has been edited and refined for clarity.
Anna Delaney: Hello and welcome to the ISMG Editors' Panel. I'm Anna Delaney. And this is our final episode of 2023, where we'll be sharing a selection of our top interviews of the year. And joining me on this reflective episode: Tom Field, senior vice president of Editorial, Marianne Kolbasuk McGee, executive editor for HealthcareInfoSecurity, and Mathew Schwartz, executive editor of DataBreachToday and Europe. Wonderful to see you all. So, Tom, you're keeping warm by your fireplace.
Tom Field: You have no idea how stacked that fireplace is right now. Yes, I thought we'd have a fireside chat today. So welcome.
Delaney: Love it. Marianne, keeping warm?
Marianne McGee: Well, this is the view outside of the hotel we had to stay at when we had a power outage earlier this week. And so the view once the storm ended was pretty, you know, so that's nice to see the silver lining, I guess.
Delaney: Nice comment. Both you and Tom had quite the week, I hear. And Mathew, snowman behind you?
Mathew Schwartz: Yes. Not my snowman. No, I found a community snowman. We've had a little bit of snow here in Scotland, not too much. And I don't know if we'll get any more this year. It can be very fleeting. So it's fun to play while we have it.
Field: Way more than we have.
Delaney: Well, can anyone guess where I am?
Field: Looks very familiar.
Delaney: Yes, I am at one of the ISMG studios at RSA conference earlier this year. And Matt, you might be able to see yourself.
Schwartz: I'm in two places at once, maybe. Wow. That's incredible.
Delaney: But I thought it'd be nice to share one of the many memories you've had at various studios across the globe this year. And it's always a pleasure to interview our guests in person, but also a great opportunity to hang out with you and spend time with the team. Well, Tom, 2023 was a very busy year, to say the least. Forrester analyst Allie Mellen described it as chaotic on last week's Editors' Panel. Economic uncertainties seemed to dominate much of the year, as well as, unfortunately, many layoffs at security companies. We saw high-profile espionage hacks, many software supply chain breaches. And of course, the emergence of generative AI kept all sectors busy. And I'm sure all those topics have been discussed in your interviews; however, which interview stands out among all others?
Field: Well, it's a tough one. Because think about it, this was the first year we got to go back to RSA Conference post-COVID. First time I had the opportunity to go to Black Hat post-COVID. And just the number of conversations that we do day in, day out, who haven't we had the opportunity to speak with, really? But if I had to narrow it down and choose one, the one I'm going to choose is with Anne Neuberger, deputy assistant to the President and deputy national security advisor for cyber and emerging tech, based in the White House. We had the opportunity to speak with her at RSA, and we spoke about many things. We spoke about the President's cybersecurity goals, we spoke about a critical infrastructure protection area that they hadn't addressed yet, the executive order. But what I want to share with you today was when I asked her what the highlights are of what they've done so far, essentially midway through the term at the point that we talked. So I want to share with you her response on the highlights of what the administration has done for cybersecurity.
Anne Neuberger: It's a great question. I think, to your point, the executive order really said two core messages. One, we will practice what we preach, and we set aggressive guidelines for improving cybersecurity across federal government networks. That was in the aftermath of SolarWinds, which compromised quite a few sensitive federal government networks. The second piece was we said, we in the U.S. government buy large amounts of technology and we buy the same tech American companies are buying, so let's use the power of the purse to say we will only buy software that meets these critical security standards. Let's establish that standard. And by our own purchases, lift that up. There were many elements of the executive order. Those were two key ones that we focused on. When we look at the National Cybersecurity Strategy, you have, of course, that first piece where it captures the work done to improve the security of critical infrastructure I mentioned a moment ago. It focuses on our international partnerships. And it focuses as well to say there's a shared partnership between the companies who build tech and the companies who use tech. And as tech is a bigger part of our economy and a bigger part of our critical infrastructure, the companies who build tech really need to recognize their role in building tech that's as secure as possible.
Delaney: Loved it. Brilliant interview. And, Tom, how do you assess the effectiveness of the Biden administration's approach to cybersecurity, seeing as we have the National Cybersecurity Strategy and, more recently, the EO on AI?
Field: Yeah, this administration has paid more attention to cybersecurity than any that we've seen to this point. And I think there's been some significant progress made, particularly when you look at how federal agencies have responded to the zero trust mandate, and to multi-factor authentication. I think you've seen some great advancements there. But what concerns me is that cybersecurity is no longer a bipartisan issue. Anything about security now comes down on political lines. And that concerns me particularly going into an election year. So I think the administration has done a decent job. But there are issues ahead because it's going to be hard to get agreement on anything.
Delaney: Challenging times ahead. Well, thank you. That was a great start, Tom. Marianne, moving to the healthcare sector now. So you've been kept very busy this year reporting on the many disruptions from both familiar and new threats targeting the industry. Same question: what's that one interview you'd like to share?
McGee: Well, my choice, in what sort of sums things up, kind of piggybacks on what Tom was just talking about when it comes to regulation. I spoke earlier this year with Senator Mark Warner, who's a Democrat in Virginia, about his plans to work on bipartisan legislation to bolster cybersecurity in the healthcare sector. Among his other leadership roles in Congress, Warner chairs the Senate Select Committee on Intelligence. Now, Warner late last year issued a white paper with a variety of proposals on how to push healthcare sector entities into taking a stronger security stance, and he received about 100 comments from healthcare industry stakeholders on those proposals. But while Congress has not yet moved forward with a bill to improve healthcare cybersecurity, in recent months that effort has built some momentum among other Democratic and Republican lawmakers. For instance, Republican Senator Bill Cassidy of Louisiana, who is one of 19 physicians in Congress, last month launched a working group with Warner and several other senators to investigate ways to bolster healthcare cybersecurity. In the meantime, as Tom mentioned, the Biden administration is also pushing forward with a recently proposed cybersecurity strategy for the healthcare sector. Now, some of the Biden proposals are similar to the ones that Warner has been keen on. And that includes potential regulatory sticks and carrots for hospitals that participate in Medicare programs, including financial incentives or penalties in Medicare reimbursements if those hospitals don't meet certain yet-to-be-specified cybersecurity performance goals. Now, as part of that strategy, the Biden administration is also looking to overhaul the HIPAA Security Rule, which is also something Warner and some other lawmakers have been eyeing. But here's what Warner told me earlier this year about potential financial incentives and disincentives to promote better cybersecurity in the healthcare sector, and why some groups oppose such proposals.
Mark Warner: Whenever you talk about mandates, the trade associations all say "no, no, no," you know, that's going to be a cost, a burden. Interestingly enough, and I thought this was very telling, while trade associations said government regulations are voluntary, a number of smaller hospital systems, even some of the doc groups that responded, said, you know what? Voluntary doesn't work. We've got to have some level of mandates. And this is not a complete analogy, but as somebody who was in the telecom business before I got into politics, I still am haunted by the fact that 12 years ago, when we did the Affordable Care Act on electronic medical records, we didn't put any kind of interoperability requirements around it, so the promise of healthcare IT has never been fully realized. Because we've got all these isolated, separate systems that don't talk to each other. I think we have a little bit of the same on mandates, and interoperability between cybersecurity systems around healthcare is something we're trying to sort through. And obviously, that goes to a lot of systems around questions of rebates and what share the federal government pays, so I think that will be an ongoing conversation next session.
McGee: So it's also worth noting that it's not just the U.S. federal government that's looking for ways to improve healthcare sector cybersecurity, because after all, you know, the sector is a critical infrastructure sector. Now, New York State has also this month published proposed regulations to boost cybersecurity at hospitals. Those proposals, however, are backed by a half-billion-dollar budget request; hospitals would potentially be able to get financial assistance from the state to help them invest in meeting those new requirements. So we'll have to see what happens not only in some of the states, but with the federal government in the year ahead.
Delaney: And Marianne, as you reflect on the past 12 months, what significant lessons has the healthcare industry learned that could shape the challenges of 2024?
McGee: Well, you know, some of the lessons are important ones, and not necessarily new ones. But I think this year was a very good example of how everyone continues to be a target in healthcare. You know, regardless of whether you're a large healthcare system with multiple hospitals, or a small doctor clinic, or a specialty provider, like imaging, and especially their vendors. Now, many of the largest breaches we've seen reported in the healthcare sector this year involve hacking incidents on more mainstream vendors, such as exploits of vulnerabilities in Progress Software's MOVEit and Fortra's GoAnywhere file transfer software. But there's also been a significant number of ransomware and data exfiltration attacks on the more niche types of vendors, such as medical transcription firm Perry Johnson & Associates, which affected many of its clients and at least 9 million patients. The lessons emerging from these incidents are things that we hear so much about all the time, you know: patching vulnerabilities quickly, as soon as they're known; keeping software up to date; regularly backing up data; implementing multi-factor authentication, anti-malware software, phishing awareness for employees, log and systems monitoring; and deleting old files containing patient information that's no longer needed for business, or no longer required to be saved for regulatory purposes. Now, again, none of those recommendations are new. But many of these measures still aren't done in healthcare, and thus, you know, this push to have some sort of government mandates to make these entities do these things. And in some cases, it's as simple as either performing a comprehensive risk analysis, which again, many entities in the healthcare sector fail to do, or even having a CISO. The New York proposals that I mentioned a few moments earlier have a requirement that hospitals would have to have a CISO, which many still don't.
Delaney: Very surprising, but also great analysis there. Thank you very much, Marianne. Matt, last but not least, I believe you're sharing some cautionary advice from one of the industry's top minds.
Schwartz: Yes, definitely. So earlier this month was the annual Black Hat Europe in London. And the conference's founder and creator, Jeff Moss, always does a great job, jumping up on stage, introducing keynotes, giving some bookends to the conference in terms of what we're going to be hearing about and then what we heard about, but also highlighting some trends. And he said that the infosec community has two dates that it needs to be aware of on its calendar. The first is 2024, because there are going to be major elections across more than half the world, including a U.S. presidential election. If you recall, in 2016, the U.S. didn't do a great job of resisting Russian attempts to interfere, to use disinformation and misinformation. And not just Russia, but other countries will be looking to interfere. What defenses do we have in place? What can we have in place? Open question. Another date, 2027, is less fixed. But this is the year by when Chinese President Xi Jinping has said he wants the option to invade Taiwan. He wants the military to be ready. He wants that on his desk. So when he says go, they can go. And Jeff Moss told me at the conference that what a lot of analysts think is China is possibly preparing to launch preemptive, disruptive, but non-lethal cyberattacks against Taiwan's allies to buy Beijing enough time to seize control of Taiwan without having to face other countries' military forces.
Jeff Moss: One of the most popular theories is you would pursue a sort of "everywhere, everything all at once" strategy, which is, you would spend the next couple of years leading up to 2027 leaving behind, you know, rootkits in infrastructure and civilian or critical systems. And then when you're ready to go, you hit all the buttons all at once, and you tie up all the cyber defenders, you snarl the supply chain, the logistics chain, to make it hard. And then the country is turning inward to face their challenges. And that gives China a number of weeks or months to try to get Taiwan. So if that's plausible, then that tells us, well, we have until 2027 to get ready. And I call that out because I think that's quite unique, to have a sort of date certain in the future, which means we have a responsibility then. Because if we know the date, and it's not some amorphous, well, at some point in the future we think China may or may not do something; when it's so obvious and in print and, you know, in statements from the leader, well, then we have a responsibility to prepare for that. And maybe if we prepare really well, it has a deterrent effect, you know. Maybe if their analysis at the end of the day is that it'll only screw us up for three or four days, and it really needs to screw us up for 21 days, then maybe it's not so much of an option. But if we do nothing, then I think the deterrent effect is gone. And I'm trying to think back in time, like, when have we ever been in a situation? I can't think of anything. So we should probably call out that uniqueness. And we should probably start coming up with what's our 2027 plan, you know, or Project 27 or incident response plan, because I think incident response capability is built around maybe one or two incidents, right? There's a ransomware incident and maybe something.
Schwartz: So some ideas by Jeff Moss there about what we need to do. And he said, there's no easy answer here. It's not clear exactly how we might handle this. But we do need to get ready. We need to plan, we need to have the ability to respond, because we've got some serious deadlines approaching.
Field: So it's like death entering the dinner party, you kind of cast a pall over New Year's.
Schwartz: Serious issues, you know, I think we need to look forward here. That's all.
Delaney: I hear governments and organizations are listening to Jeff. But thank you so much, Matt, for sharing. And you also frequently report on the state of the ransomware landscape. I seem to remember this time last year, there were a few whispers, a few murmurs predicting the decline of the ransomware threat, but no such luck. Ransomware gangs definitely came surging back in the second half of this year. So again, what was the big takeaway from 2023 in this space? And so that we end on a positive note, where did we make the most significant gains?
Schwartz: So if I had to summarize, I would say don't let perfect be the enemy of good enough. And that seems to be the strategy that's being used, along with a lot of other strategies. I think everyone's agreed there's no easy way to get rid of ransomware. But what we have seen is this wonderful, I don't know, it's a military kind of phrase, of persistent engagement or continuous engagement, by which authorities mean that, like, it's your little sister who just keeps poking you, won't leave you alone, doesn't let you think straight, you're trying to do something, you can't remember what it was. Well, not to be too comedic about the whole thing. It's the end of the year, though, so why not just a little. We've seen, for example, with Hive in January, and then just earlier this month with BlackCat, or ALPHV, ransomware groups that authorities have disrupted. And with Hive, it looks like it has stuck. And with BlackCat, it may stick, and even if it doesn't stick, that's okay. Because they have disrupted business for the bad guys. And this is a strategy that the FBI and others have signaled that they are willing or able and planning to double down on because, like I said, it's not the only strategy, but it seems to give attackers a real headache. So they're just using everything they can think of to try to make the ransomware profit model look like less of an incentive for current players and potential new entrants.
Delaney: Very good. We're all about headaches for the attackers. A great note to end on. Well, finally, and just for fun, it's predictions time, of course. What is your one prediction for 2024, what the space looks like next year? Go on, Tom.
Field: Well, so first of all, the event behind you. We'll call it the RSA AI Conference next year. And I think you can't stay away from AI, can you? I think that we are at the top of a hype cycle right now; it might be a while before that starts to diminish. But I do think what we will see in 2024, that we haven't seen in 2023, is attacks powered more by AI, and I don't mean just phishing emails that have been written cleverly. I think you will start to see the adversaries harness the power of AI more to fuel their attacks, make them stronger, and make them broader. I think that's something we'll unfortunately see in the months ahead.
Delaney: Yeah. Helps with that scale. Absolutely. Marianne?
McGee: AI, again, is something that I was going to talk about also, for healthcare in particular. Again, you know, some of the bad things that Tom was just talking about, you know, the sophisticated AI-enabled attacks, but on the more promising side, you know, AI being applied more for, you know, clinical decision support, drug discovery, you know, trying to reduce the time it takes to identify, you know, appropriate participants in clinical trials, so that can move the pipeline faster. There's all sorts of interesting things going on, you know, with AI in healthcare. So, you know, as much as there's gloom and doom, potentially, there's also a lot of hope there.
Field: The best use cases in the business are in healthcare.
Delaney: Yeah. Matt, what do you say?
Schwartz: I feel like I should be contrarian and come up with something that's not AI, but it's going to be AI, just because I think there are so many use cases that have yet to be discovered. Good, bad, maybe everything in between. It's going to help defenders, it'll no doubt help attackers. And I think there's a lot of potential and we really just don't know what that potential is. It's baby steps so far. I think the hype will die down, hopefully. And we'll just get to grips with what are probably some small wins in the short term, which, in the long term, sky's the limit still, I think.
Delaney: Well, I'm going to mention something you've kind of all mentioned today: election security. 2024 is being declared the world's biggest election year. More than 2 billion people across 50 countries could head to the polls in 2024. And of course, AI is part of this. So this is the year that will have mainstream tools like ChatGPT and Midjourney. So there's going to be a lot going on. Well, what a year!
Field: My prediction, Anna, is I bet we have lots more opportunities to get together and have conversations such as this.
Delaney: And may they continue. I hope so. I hope you're right. Well, thank you so much. Thank you so much for today, but also for all your contributions to this panel over the past 12 months.