Security 00 01 02 03 04 05 06 07 08 09 10 11 12 Privacy and Security Watch Closely Informs Strategy Act Now

10TH YEAR ON THE LIST Security

KEY INSIGHT EXAMPLES used by 330,000 companies and organi- removing the domains used by the mal- COVID-19 played a role in new forms zations. The National Security Agency ware for command and control, updating From a security stand- of cyberattacks. Companies switched to and FBI say that Russia was likely behind the anti-malware capabilities built into point, 2020 was the remote work overnight, yet hospitals, the attack and likely had access to critical Windows, and automatically quarantin- worst year on record. schools, city halls, and businesses had data for months before being detected. ing systems with malware detected. security gaps that hackers exploited. IT Nearly all Fortune 500 companies use From compromised teams rushed to ensure files, software, SolarWinds products to monitor their high-profile social me- and databases were accessible for remote networks, but so do government agencies dia accounts to the work, but as many as 93% of IT teams (U.S. Department of Homeland Security, delayed security projects, and 43% have parts of the Pentagon), defense contrac- most significant cyber- since delayed or stopped patching alto- tors (Boeing), and important research attack in modern his- gether, according to a survey by security agencies (Los Alamos National Labo- tory, chief information management provider Tanium. And 85% ratory, where our nuclear weapons are of IT teams have seen more cyberattacks designed). The attack was sophisticated security officers found since the pandemic’s start, and thieves and difficult to undo, and it compromised themselves addressing stole confidential information, pass- critical infrastructure. existing problems while words, addresses, and other records. In Hackers penetrated a server used to other cases, hospital records systems, city trying to anticipate se- build updates for the SolarWinds Orion websites, and school email servers were Platform, and used that server to insert curity challenges on the penetrated and held for ransom. backdoor malware into products used by horizon. Last year, attackers breached what’s Microsoft and FireEye. Microsoft quickly SolarWinds marked one of the worst supply chain known as the security supply chain by and decisively mitigated the damage by attacks in history. infiltrating SolarWinds, an IT contractor mobilizing to remove digital certificates,

Security continued

DISRUPTIVE IMPACT EMERGING PLAYERS A company’s information assets, data, • Russian Foreign Intelli- and technology are its critical infrastruc- gence Service ture, yet cybersecurity is a continuously • U.S. Cybersecurity and moving target. The price tag to secure a Infrastructure Agency company’s data and IT infrastructure is • WireGuard VPN minimal compared to the cost of breach. The average total cost of a data breach is • Palantir Technologies $3.86 million, according to IBM’s annu- • Darktrace al Cost of a Data Breach Report, and it • Nuance Communications can take months to identify and contain an attack. Securing IT resources from • Sonatype malicious actors is paramount in the years • Deep Instinct ahead. • Qualys • Fortinet • Securiti.AI

Clear Health Pass uses biometric data to monitor people in public places.

Security continued A very brief list of 2020 attacks and breaches.

January February March April June

• Cyberattack: A Chinese group target- • Ransomware attack: Toll Group, an • Cyber espionage: Chinese hackers • Cyberattack: U.S. officials reported • Data breach: The Nova Scotia Health ed Mitsubishi in a massive cyberattack Australia-based logistics company, was targeted more than 75 organizations seeing a surge of attacks by Chinese Authority discovered that 3,000 patients that compromised the personal data of attacked twice in three months. around the world in the manufactur- hackers against health care providers, had their personal health information 8,000 individuals, as well as informa- ing, media, health care, and nonprofit pharmaceutical manufacturers, and the stolen. tion relating to partnering businesses • Cyberattack: Chinese hackers target- sectors as part of a broad-ranging cyber U.S. Department of Health and Human and government agencies—including ed Malaysian government officials to espionage campaign. Services amid the COVID-19 pandemic. • DDoS attack: Amazon Web Services defense equipment projects. steal data related to government-backed mitigated a massive 2.3 Tbps DDoS projects in the region. • Data breach: Hackers breached the attack. Ransomware: The Tampa Bay Times anonymous social media app Whisper, May • Data breach: Hackers exposed 440 was hit with “Ryuk,” a ransomware • which lets people share secrets, exposing Ransomware: Hackers breached health million internal records at Estée Lauder • July strain used to target large businesses and millions of users’ private profiles and care insurance giant Magellan Health due to middleware security failures. agencies. datasets. and exfiltrated the logins, personal • Data breach: A 17-year-old breached Twitter, hacking dozens of high-profile Data breach: The Defense Informa- information, and tax information of Ransomware attack: Tillamook • Data breach: More than 5 million accounts, including former President • tion Systems Agency, which handles IT • 365,000 patients. County in Oregon had its computer and Marriott guests had their information Barack Obama, Amazon CEO Jeff Bezos, for the White House, admitted a data telephone systems taken offline. taken when a hacker gained access to Cyberattack: Japan’s Defense Ministry and Tesla and SpaceX CEO Elon Musk. breach potentially compromised em- • guest records using the login credentials announced it was investigating a large- Cyberattack: An Iranian-sponsored ployee records. • of two employees at franchise properties. scale cyber attack against Mitsubishi • Cyberattack: Navigation systems pro- threat actor hacked a U.S. federal gov- Electric that could have compromised vider Garmin was attacked; its devices ernment library depository website to • Data breach: Clearview AI’s contro- details of new state-of-the-art missile and systems were forced offline. display messages vowing to avenge the versial client list was stolen due to a designs. killing of Qasem Soleimani, a military software vulnerability. general. It also displayed an image of • Data breach: Chinese hackers accessed former President Trump being punched the travel records of 9 million customers in the face. of U.K. airline group EasyJet.

Security continued A very brief list of 2020 attacks and breaches.

August October November • Vulnerability: A website created by December consultancy Deloitte titled “Test Your Ransomware: An online gang known Direct-to-consumer ransomware Data breach: Hackers exposed the Cyberattack: FireEye disclosed an at- • • • Hacker IQ” inadvertently exposed the • as “Maze” hit Canon with a ransomware attack: Vastaamo, a psychotherapy personal data of 16 million Brazilian tack resulting in penetration tools (code attack. center in Finland, had confidential Covid patients online after breaching database username and password in its that can be used to breach computer patient records stolen. In a unique twist, two Brazillian government databases. configuration files. The site was hosted systems, or test for and detect breaches) • Leak: 20 gigabytes of sensitive Intel hackers went straight to the patients and Among those affected by the leak were on an older version of Ubuntu, aLinux being stolen. corporate data was leaked online. blackmailed them directly. Brazil President Jair Bolsonaro, seven system that no longer received secu- ministers, and 17 provincial governors. rity patches. Deloitte later said that it • Ransomware: Hackers crippled the dig- September • DDoS attack: Google mitigated a 2.54 was a legacy site created for an event; ital systems of the city of New Orleans. Tbps DDoS attack, one of the largest • Data breach: Hackers breached the however, it was never removed. (This • Cyber homicide: In Germany, a ever recorded. Christian faith app Pray.com, leaking is a good reminder that legacy content • Bio-Cyberattack: Hackers accessed patient died after being redirected away private data of 10 million users. Finan- can cause future security headaches for data related to the Covid vaccine being from a hospital that was in the middle of cial information was one of the key companies.) developed by Pfizer during an attack on an active ransomware infiltration. gets in this attack: Donations processed the European Medicines Agency. by the app show how and when users • Data breach: Folksam, one of Sweden’s contributed. largest insurance companies, shared the personal information—including preg- nancies and other intimate details—of 1 million Swedes with third parties.

Security Trends

Bio-Cyberattacks Several of those images were posted to itage. Sensitive DNA information could Supply Chain Attacks With the global COVID-19 pandemic the dark web. There have been plenty be used for a number of purposes, from Cybersecurity has its own supply chain, forcing fast coordination by government of attacks in recent years, including the blackmail to government espionage. which includes IT services, vendors, agencies, researchers, and pharmaceu- emergence of a tool in 2018 that scraped software, networks, and data. The Solar- tical companies, vaccine data became a photos from social media and used them Cyber Homicide Winds attack last year is an example of to launch sophisticated phishing attacks. new target for cyberattacks. Hackers are The first-known death resulting from a a supply chain attack, because it com- working to gain access related to Covid Malware called CamuBot targeted Brazil- promised the systems management tools ian bank customers, bypassing biometric cyberattack happened in 2020. Intending research, genetic code, and vaccines. In to extort money from Düsseldorf Univer- used by IT professionals. It was a prime December 2020, hackers penetrated the hardware protections for device takeover. target—breaching the supply chain meant Using biometrics to keep people safe sity, attackers locked its local computer European Medicines Agency, stealing network—which included the computers potentially gaining access to hundreds of data related to the vaccine developed by while they travel or during the pandemic thousands of companies and government could also put them in greater danger. at the university hospital. At that mo- When ESPN cut to the draft headquarters of Bill Pfizer. ment, a woman who needed immediate agencies. In a supply chain attack, hackers Belichick, head coach of the New England Patri- surgery couldn’t be seen, which resulted infiltrate your systems through an outside ots, during the second round of the virtual 2020 DNA Database Hacks partner that has access to your data. NFL draft, his dog—an Alaskan Klee Kai named Biometric Malware in her being transferred to another hospi- Nike—was seated all alone by two laptops. As more consumers send their saliva tal. Time ran out, and she died. Hospitals Nearly every company must use outside Kaspersky researchers found that in the hardware and software—it would be Photo courtesy of Twitter.com/katfominykh. third quarter of 2019 alone, about 33% of away for genetic testing, the need for rely on computerized machinery, logis- secure DNA databases has never been tics, and transportation systems. Taking impossible to build everything a modern the systems that use and store biometric company needs from scratch—and reli- data were targets of malware attacks. as important. In July 2020, hackers them offline for a ransomware attack, were able to access GEDmatch, a DNA even for a few hours, causes real-world ance on outsiders requires tight security. Biometric data isn’t stored as securely as Security is only as good as its weakest it should be, opening the door to theft database, which resulted in the genetic harm. Security experts are increasingly profiles of 1 million users being searched concerned about accidental incidents, link, and supply chain attacks are growing and manipulation. We saw that in the in both frequency and sophistication. U.S. in 2019, when a massive data breach by law enforcement. A few weeks later, as well as those caused intentionally. compromised 100,000 facial images and hackers used the emails retrieved from Bad actors could take down a hospital’s 105,000 license plate images collected by GEDmatch to launch another attack, this entire computer system just to target one the U.S. Customs and Border Protection. time on genetic testing company MyHer- patient.

Security Trends

Techlash Leads to Messy Code the site didn’t actually remove deleted neered complex code with novel exploit and Security Problems posts, and, inconceivably, each post used a systems, revealing new exploit chains. For the past few years, some social media sequential numerical ID, making it simple (Both companies have since patched users left big platforms for nascent to scrape data. Geolocations weren’t security flaws.) The zero-day market- startups that were established quickly and scrubbed, metadata was preserved … we place, where tools are bought and sold, is with little technical oversight. Anger to- could go on. The result: 80 terabytes of lucrative and growing. Tools to exploit ward Twitter and Facebook catalyzed the posts, including 1 million videos, were vulnerabilities will be in greater demand growth of newer entrants, such as Signal made available online. through the near future. and Telegram, which promised encrypted private messaging, and Clubhouse, which Zero-Day Exploits Rising Zero-Knowledge Proofs Go offered private chat rooms that could be A zero-day vulnerability is a flaw—a Commercial controlled by hosts. Facebook-owned problem within a hardware or software With all the hacking scandals that have WhatsApp confused its global user base system that developers didn’t discover plagued us in the past several years, we because of a sloppy announcement about during the testing process. That vulner- will see a transition to something called data sharing and privacy: It notified users ability can be exploited by malware to zero-knowledge proofs, which allow one they would get new options to message cause all sorts of problems. Zero-days are party to verify data without conveying businesses but had to opt in or their dangerous, prized tools, and discovering any additional information. For example, service would be cut off. (Practically them is a favorite activity of malicious researchers at Microsoft and a handful of speaking, very little changed, but in the hackers. Once the flaw is revealed, pro- universities are collaborating on Picnic, haze of confusion, users left in droves and grammers have zero days to do anything which is the code name for a post-quan- joined Signal and Telegram.) Sloppy code about it. From February through April tum digital signature algorithm, and it and a mess of security failures allowed a 2020, hackers used zero-days to target uses a zero-proof system. Picnic uses this Remote employee tracking software was widely deployed in 2020. hacker to infiltrate Parler, a Twitter clone Microsoft and Google, making use of two concept together with symmetric cryp- launched by Trump supporters. Parler’s exploit servers: one for Windows and the tography, hash functions, and block ci- public API didn’t require authentication, other for Android. They used well-engi- phers, to create a novel signature scheme.

Security Trends

It’s a mind-bending approach to security, used surreptitiously to harness everything Marsha Blackburn (R-Tenn.), would un- would come with a cost, however. Kill words. IoT security is bad, and this year allowing you to verify your identity with- from our webcams to our personal data. dermine privacy and security protections switches would mean that nobody could we are likely to see new threats. Many out actually revealing who you are. In es- In 2020, Republican lawmakers intro- built into the technologies we use. Given gain access to what’s inside a lost or stolen IoT devices ship with insecure default sence, this eliminates the need for a com- duced the Lawful Access to Encrypted the rise of zero-day exploits, we should phone—not even law enforcement. settings, which then often remain un- pany to store private identity data during Data Act, which would result in weaker question whether backdoors are the best changed after the consumers set them up the verification process. Zero-knowledge encryption in communication services way forward. Low-Cost Malware in their homes. Insecure routers and Wi- proofs aren’t new, but deploying them to so that law enforcement officials could Fi configurations are also problematic. Older malware is being remixed and protect our digital identities is an emerg- gain access to devices with a warrant. Remote Kill Switches Attackers might find a way into a coming application, especially in the wake of Government officials worldwide have used for new purposes. For example, two pany database or hijack your smart TV increased telemedicine and remote work. been advocating for a set of “golden As our technology becomes more im- older types of malware enabled a remote for ransom the day before a big televised JPMorgan Chase is using zero-knowl- keys,” to allow law enforcement to break mersive, we’ll have increased needs for administration tool to infect Android event (national elections, Eurovision, the edge proofs for its enterprise blockchain through the security using backdoors. remote kill switches. Found on smart- phones with a keylogger, allowing Super Bowl) and refuse to unlock it until system, while cryptocurrency startup But even without public agreement, phones and connected devices, these will attackers to monitor the use of websites you’ve paid a fee. Companies that now Ethereum is using zero-knowledge for some agencies may find their way into soon come in handy for the enterprise and apps. For $29.99, low-level cyber- have legions of employees working from authentication. Sedicii and SecureAuth our machines. In 2013, NSA made a deal and government agencies. Uber devel- criminals could easily steal usernames and home should closely monitor internet make and sell zero-proof software. with security company RSA to include a oped its own software program called passwords. service providers (ISPs), smart devices, flawed algorithm, effectively giving the Ripley, which could be activated by and local network configuration. NSA a backdoor into various systems. staff in San Francisco, should any of its Consumer IoT Vulnerabilities Government Requests for overseas offices be raided by police. It also Backdoor Access The challenge is that the simple act of With the proliferation of smart devices— Sonic Lock Picking creating a backdoor would leave ordinary deployed uLocker, a remote kill switch While they sound malicious, backdoors that could lock all company devices, connected speakers, mirrors, and fitness Machine learning is being used to recog- people vulnerable to everyday attacks by gadgets—and millions of people working aren’t necessarily bad. Often, developers a wide swath of actors, both benevolent including laptops and phones. On the nize and regenerate sounds, including the intentionally install them into firmware consumer side, both Apple and Android from home, hackers have a wellspring of sound of someone inserting a key into and malicious. Tech leaders warn that the new targets in 2021. Especially because so that manufacturers can safely upgrade proposed act, introduced by then Senate devices now allow users to remotely wipe a lock. The unique sequence of metallic our devices and operating systems. The all information from their phones and consumers don’t always update firmware, clicks can be deciphered using signal pro- Judiciary Chairman Lindsey Graham security patches, or even their pass- challenge is that backdoors can also be and U.S. Sens. Tom Cotton (R-Ark.) and tablets using a web interface. That benefit cessing software to replicate the precise

Security Trends

shape of the key shaft in a computer ren- information, insurers will also offer pro- several months or even years to complete, offline, slowing down search, and making dering program, from which a functional tection against damage to reputation, the and yet the machine that won the Grand its cloud unreachable. It was an example plastic clone key can then be 3D-printed. loss of operational capacity, and the costs Challenge proved its might in just a frac- of Border Gateway Protocol hijacking It’s an example of a major vulnerability in for system upgrades. As organizations tion of that time. The winner became the and, while in this case the error was the legacy security systems that include older develop their next fiscal year budgets, first nonhuman entity to earn the DEF result of an outdated Nigerian ISP, the safes and traditional locks. they should assess the need for cyber risk CON’s Black Badge, which is the hacking incident points to a vulnerability in our insurance. community’s equivalent of an Oscar. Very web infrastructure. We anticipate new Data Theft Becomes Data soon, malicious actors will create auton- cases of internet traffic hijacking in 2021, Manipulation AI-Powered Automated Hacking omous systems capable of automatically especially as people continue to socially learning new environments, exposing distance indoors and stream content. Rather than malicious actors simply Systems Biometric security features are coming to many vulnerabilities and flaws, and then devices in 2021. stealing data, you can expect to see new Thanks to advancements in AI, one of exploiting them for gain—or whatever DDoS Attacks on the Rise kinds of attacks in 2021 involving hackers the big trends in security is automated the stated objective, which could simply accessing and then manipulating data for hacking—in short, software that’s built be generalized mayhem. This could pose A distributed-denial-of-service (DDoS) long-term damage. The implications are to out-hack the human hackers. The a significant threat to news, eSports, and attack happens when a hacker sends so more concerning than you might realize Pentagon’s Defense Advanced Research entertainment companies. many requests to a battalion of machines at first: If a company’s vigilance over its Projects Agency launched a Cyber that the entire network goes down. In the data integrity is cast in doubt, it could Grand Challenge project in 2016, with past several years, the number of DDoS quickly lose customers and partners. a mission to design computer systems Hijacking Internet Traffic attacks have spiked—and they are increas- capable of beating hackers at their own The protocols underpinning the web ing in both reach and duration. DDoS Cyber Risk Insurance game. DARPA wanted to show that were written long before we had con- attacks were up 25% last year alone, and smarter automated systems can reduce nected microwaves and billions of daily public institutions were warned of more New forms of insurance, intended to help the response time—and develop fixes users. In 2018, hackers created a massive than 50 credible threats. To date, half businesses protect against hackers, will in system flaws—to just a few seconds. internet traffic diversion, rerouting data of the world’s attacks have originated in begin to enter the marketplace. Rather Spotting and fixing critical vulnerabilities through China, Nigeria, and Russia. It China. Hackers are using more sophis- than simply covering the theft of basic is a task that might take a human hacker disrupted Google, taking its business tools ticated tools, which means that future

Security Trends

attacks will be larger in scope and could Ransomware-as-a-Service searchers have already found “doxware” Weird Glitches Open Source App Vulnerabilities achieve greater impact. Last year, ransomware devastated compa- floating around the internet—rather than Glitches are problems that don’t have The SolarWinds breach gave new atten- nies and even entire cities. Entertainment just holding your data hostage until you an immediate, obvious cause but none- tion to unintentional vulnerabilities in Third-Party Verified Identities and news media organizations could be pay up, you face the threat that it could theless can create frustrating problems. code, especially with a booming market all be published to the web, for everyone Glitches are so common now they don’t U.S. citizens must continually hand over next. In a ransomware attack, hackers for malware that exploits vulnerabilities to see. always make the news—but there were their social security numbers for authen- deploy malicious tools to hijack data, ef- in open-source applications and software. hundreds in the spring and fall of 2020, tication. But in the wake of the massive fectively locking out systems and devices, As the AI ecosystem grows to incorpo- as students went to virtual school. Online Equifax data breach, it has become clear until a fee is paid. Since cash and online Decentralized Hacktivists rate more open source code and com- bank transfers are easy to track, the learning platform Blackboard reported munity-built tools, it will be especially that our social security numbers—a single Hackers-turned-activists have had a that students couldn’t register on the first identifier used in everything from bank currency of choice is now bitcoin, which busy few years, working for causes they important to spot problems in advance. moves through an encrypted system and day of school and pages loaded slowly. WhiteSource’s Vulnerability Database accounts, to health insurance, even with believe in. They launched DDoS attacks Technical and user errors riddled last can’t be traced. The emergence of the continuously updates its library with the university registrar—aren’t secure. against governments, corporations, and year’s NFL draft, held virtually amid the blockchain and cryptocurrencies have emerging threats and available fixes. These numbers were never intended to banks. Hacktivist organizations, including pandemic. When cameras cut to Bill transformed ransomware into a lucra- be used as general-purpose passwords. Anonymous, WikiLeaks, and DC Leaks, Belichick’s home after the New England tive business. In 2019, New Orleans was We will start to see the emergence of see themselves as enduring forces of Patriots selected safety Kyle Dugger, the Global Cybersecurity Pacts one of dozens of cities hit by municipal third-party, nongovernmental providers change. In 2020, Anonymous organized coach had left his table—but his dog was In late 2018, more than 50 countries of verified identities. One example that’s ransomware attacks. Residents couldn’t attacks on multiple law enforcement waiting patiently at a computer and star- pay water bills, email their city represen- signed an international agreement on cy- already in the marketplace is Clear, the websites in support of Black Lives Matter ing into the camera. From customs and bersecurity principles. Along with those tatives, or schedule trash pickup, among border protection terminals going dark trusted traveler program that lets verified protesters. Given ongoing heated political countries were more than 200 companies other things. Cities, financial services, to technical malfunctions on assembly customers get through airport security tensions, we’ll likely see more operations (Microsoft, Google, and Facebook among and health care organizations have been lines, glitches affect every industry. They faster. Last year, it announced plans for being carried out this year. Hacktivists them) that committed to end malicious targeted with the brunt of ransomware often result from newer technologies, comprehensive verification for digital will use their skills to help shape local, cyber activities in peacetime. While the attacks because the data and services they which break in unexpected ways. And identity, as well as health and vaccination state, national, and international politics, agreement was nonbinding, it was an provide are so valuable. Simply backing often, glitches stem from not thinking records. conversations, and business practices. attempt to develop norms and standards up your organization’s data won’t be (See: Crowdsleuthing.) technology through, from imagined use enough of a fail-safe going forward. Re- cases to actual real-world usage. for the ways in which countries behave

Security Trends

in cyberspace. Noticeably absent from transactions nearly impossible. You can’t Bounty Programs information. Our critical financial data the list of signers: Russia, China, North just hop on to a darknet the way you White hat (read: good hacker) bug and scientific records may be kept on Korea, Israel, and the United States. But Google your high school sweetheart. To bounty programs are becoming popular. cloud servers at Microsoft, Amazon, and that could change in 2021. The Biden ad- access the hidden crime bazaars, you need In some cases, businesses solicit friendly Google, but duplicate copies are backed ministration signaled its focus on cyber- special software such as the Tor Brows- hackers for paid work through platforms up to tape. The problem is that consolida- security as a top national security policy er or Freenet, you need to know where like HackerOne, which is being used by tion has left us with just two companies— in January, as it staffed departments with you’re headed, and you do need a bit of the U.S. Department of Defense, Word- Sony and Fujifilm Holdings—that still appointees. Cybersecurity will be a key technical knowledge. It isn’t illegal to take Press, Coinbase, Shopify, and GitHub. In manufacture tape. For four years, Fujif- foreign policy issue, a critical national a walk through dark marketplaces. But 2021, HackerOne and the Defense Digital ilm and Sony remained locked in a feud security issue, and a formal component of there’s also plenty of good activity that Service announced a new bug bounty over alleged patent infringement, which the new administration’s leadership. takes place in anonymous web portals: program, in which participants attempt to resulted in Sony being banned from im- Clear announced plans for comprehensive whistleblowers hoping to shine a light on uncover vulnerabilities in the U.S. Army’s porting media tape. The case was settled verification for digital identity. Proliferation of Darknets wrongdoing, political dissidents looking digital systems. Verizon Media has paid in the fall, but it caused widespread short- for asylum, and investigative journalists ages. Tape isn’t a big business unit within Many people confuse the deep web— $9.4 million and resolved nearly 6,000 hunting down leads. As cryptocurrencies bugs. Google has paid out more than $21 these otherwise sprawling companies, hidden parts of the internet that aren’t gain popularity, we’re likely to see more and this could lead to problems down the usually indexed by search engines—with million since it launched its bug bounty activity in darknets. Activists with legiti- program in November 2010. road for the world’s data archives, espe- darknets, which are niche spaces promis- mate concerns will advocate for new lay- cially because the creation of critical data ing anonymity, often for illegal activities. ers of protection, while law enforcement increases significantly each year. People go there to sell and buy drugs, will receive training on how to navigate Magnetic Tape Supply Shortages guns, ammunition, security exploits the dark web. For government and law It’s odd to think that in 2021 the world (malware, ransomware) and your hacked State-sponsored Security enforcement, the challenge of training is still relies on magnetic tape—those clunky Breaches data (passwords, credit card numbers, and that unregulated and at times purposely old cartridges used decades ago to store more). Cryptocurrencies have fueled ac- evasive dark websites are insular and data. And yet that’s still the preferred It’s thought that the SolarWinds sup- tivity in the dark corners of the internet, ever-changing. Those accessing darknets method of backups for many companies ply chain attack was likely planned and since they’re encrypted and make tracking are typically also the ones building them. needing to safeguard their most precious facilitated by an elite Russian government

Security Trends

agency, while Russian hackers targeted Critical Infrastructure Targets er grid, targeting staff at nuclear energy as artificial intelligence becomes a focus more than 20 U.S. states’ voter regis- Every year, cybercriminals target critical facilities with phishing attacks. The U.S. for the nation’s cyber strategy. Eventu- tration databases leading up to the 2018 infrastructure and facilities, and for years, Computer Emergency Readiness Team ally, artificial intelligence could enhance elections. But there is evidence that the security experts have warned that hackers issued a sternly worded notice but one offensive operations and replace human Russian government had a long list of tar- could potentially disable dams, power that lacked an enforcement mechanism, troops, but the agencies face a shortage of gets that went far beyond American poli- plants, and traffic lights with these at- and it’s clear that the companies and util- gifted hackers willing to join government ticians running for office. Russian hackers tacks. This past February, it was revealed ities managing our critical infrastructure ranks. That could change with the Biden targeted thousands of people, from that hackers had remotely accessed the haven’t yet been jolted into action. administration, which is actively promot- defense contractors at Lockheed Martin water supply of a city near Tampa Bay, ing science and technology as it tries to and Raytheon, to Ukrainian lawmakers, Florida, and had adjusted the amount of Offensive Government Hacking rebuild trust in the government. to the pope and his executive team. Rus- lye to levels harmful to humans—for- Rather than simply pursuing cyber There is a global magnetic tape storage. sia is home to some of the world’s most tunately the attack was identified and gifted and prolific hackers. Elite digital deterrence, governments are more thwarted before the tainted water reached actively engaging offensive positions in forces in Russia and China are targeting any homes. Another group of hackers hit managed service providers that provide cyberwarfare. It’s been a decade since the the jackpot during the SolarWinds supply U.S. and Israel joined forces to deploy IT infrastructure. And they aren’t neces- chain attack, targeting vital facilities in sarily covering their tracks as they did in a devastating worm known as Stuxnet, countries around the world. And three which took down parts of Iran’s covert the past. Outside of state-sponsored cyber years ago, Russia targeted critical infra- initiatives, plenty of talented people may nuclear weapons program. Singapore’s structure sectors in the U.S., including Ministry of Defense is hiring white hat be motivated both by a lack of economic the power grid—though it’s been trying opportunity and weak law enforcement. hackers and security experts to look for to gain access to that since at least 2016— critical vulnerabilities in its government Over time, this has created a perfect and hackers did gain access to one power storm: Enormously talented people, weak and infrastructure systems. In the U.S., plant’s control system. Cybersecurity the two agencies responsible for cy- laws, and poor economic conditions have company Symantec has warned that hack- led to a growing pool of talented hackers. berwarfare—the U.S. Cyber Command ers have already penetrated the U.S. pow- and NSA—are playing offense, especially