Cybersecurity Threat Landscape and Risk Preparedness

This week, the United States Intelligence Community released the 2024 version of its Annual Threat Assessment that “focuses on the most direct, serious threats to the United States primarily during the next year.”[1] While these threats may be directed at the country as a whole, one thing should stand out from this assessment: private entities and organizations, especially within the critical infrastructure sector (e.g., financial services, energy, healthcare), are squarely in the crosshairs of some of our major adversaries as a means to achieve their goals. As stated in the assessment, organizations face cyber threats designed to disrupt critical services or create societal panic and division through cyber attacks or by leveraging advancements in AI to push disinformation. These threats are not limited to sophisticated nation-state actors. Thanks to advancements in technology, cybercriminals are also well equipped to cause major disruption by targeting these same services.

For organizations thinking about some of the highest-level threats of 2024 and how to plan for and manage cyber risk, the Intelligence Community’s threat assessment offers a few key takeaways, along with some immediate cybersecurity and communication considerations to plan and prepare for.

Critical Infrastructure Remains a Top Target for Nation-state and Other Attacks

In the aftermath of the Colonial Pipeline ransomware incident, we all witnessed firsthand the significant effects an attack on critical infrastructure can cause.[2] Even the implication of a more severe attack can lead to widespread panic and supply chain shortages.[3] U.S. officials and their allies recently issued a joint warning over foreign disruptions in critical infrastructure after foreign actors gained access to the IT environments of multiple organizations.[4]

The Intelligence Community also assesses Russia will continue to target critical infrastructure, including industrial control systems and underwater cables.[5] As we’ve seen with ransomware actors and cybercriminals over the past few years, critical services such as hospitals, schools, local governments and banks remain prime targets in ransomware attacks.[6]

Critical infrastructure operators should be planning and practicing their response not only to an attempted disruption, but also to an allegation of a disruption to services, which could easily create a level of panic. The ability to communicate the facts quickly will be key in any response strategy. Have your crisis communications plans in place now, practice them and make sure you have the right people in the room to quickly communicate to key stakeholders such as government, regulators, customers, employees and the general public in the immediate aftermath of any attempts.

The critical communications element should be included as part of an overall incident response plan. Effective incident response is an essential aspect of building cyber resilience – the ability to quickly and efficiently respond to and recover from a cyber incident. Doing so effectively will mitigate financial and reputational fallout, avoid legal and regulatory impacts, and maintain trust.

AI Advancements Will Make the Spread of Disinformation Easier

Advancements in AI technology will assist adversaries and other threat actors and bolster their attempts to distort public perception of information. Improvements in AI make it challenging to spot deepfakes and disinformation, allowing inaccurate information to spread rapidly and calling into question what’s real and what’s fake. Elections remain a main target of influence campaigns, and we’ve already seen attempts to use AI technology to interfere or create confusion around the election process. Other actors may use these tools with the broader goal of creating division and stoking societal tensions. This is a risk all organizations, especially essential services, should be planning for and considering. Organizations will be best served by understanding the source of the information, detecting disinformation in its early stages and initiating a response strategy when necessary. Putting in place early detection tools and scenario plans to game out various response options, while leaving room to adapt as necessary, can serve as helpful mitigation tools to combat any false emerging narratives.

Ransomware

While recent law enforcement actions such as the takedown of one of the most prominent ransomware groups, LockBit, are encouraging,[7] it seems highly likely we will see a continuation of ransomware attacks against organizations in the foreseeable future. The assessment noted that with little ability to take action against criminals in safe havens such as Russia or other countries, cybercriminals and members of these groups will continue to rebrand and renew activities. Furthermore, the ability to access low-cost infrastructure to support these cyber attacks, along with the high profitability of these crimes, has made ransomware more appealing and accessible to a growing group of potential cybercriminals.

Our Takeaways

Organizations should not underestimate the importance of cybersecurity investments and preparing for a potential attack – having a crisis plan in place and practicing response is key. As is often said in the security community: There is no such thing as 100 percent security and it’s not if, but when a cybersecurity incident will occur.

Recent Securities and Exchange Commission (SEC) requirements related to enhanced cybersecurity risk disclosure have made it clear: the response to a cybersecurity incident cannot and should not be handled by your CISO or IT team alone.[8] Everyone from the Board Members down should understand the risk, as well as their role in an incident response plan. Those responsible for communicating to key stakeholders, whether it’s customers, media, investors, employees or regulators, need to be brought into the fold and working off the same script. Know those roles now and be ready to respond.

The Annual Threat Assessment should serve as a playbook for organizations to better understand the threat landscape now, so they can take action and make investments to manage against these risks in the near future.

The lights are blinking red, not only for organizations within the critical infrastructure sector but across all sectors: these are very capable actors and very real threats, and the time to prepare is now. How an organization responds to these types of threats can make the difference between a bad day and major disruption or reputational damage.

Understanding your unique threat profile, who your key stakeholders are, what your message needs to be and who is responsible for communicating it in the wake of any of these threats, along with ensuring your plans are well socialized and practiced, are important and simple steps every organization can take now to ensure they are prepared for 2024.

Sara Sendek is a Managing Director on the Cybersecurity and Data Privacy Communications team at FTI Consulting. She previously served as the head of Public Affairs at CISA and as Director of Rapid Response in the White House. Brad Carpenter is a Managing Director on the Cybersecurity team at FTI Consulting. He previously served as the Supervisory Special Agent of the FBI Cyber Division in New York, on the Joint Terrorism Task Force, and as a Supervisory Special Agent for the Counterterrorism Division in Washington D.C. and London.

[1] “Annual Threat Assessment of the U.S. Intelligence Community,” Office of the Director of National Intelligence (February 5, 2024), https://www.dni.gov/files/ODNI/documents/assessments/ATA-2024-Unclassified-Report.pdf

[2] Vanessa Romo, “Panic Drives Gas Shortages After Colonial Pipeline Ransomware Attack,” NPR (May 11, 2021), https://www.npr.org/2021/05/11/996044288/panic-drives-gas-shortages-after-colonial-pipeline-ransomware-attack

[3] MacKenzie Sigalos, “Colonial Pipeline cyberattack is no cause for panic – here’s why,” CNBC (May 14, 2021), https://www.cnbc.com/2021/05/14/colonial-pipeline-hack-doesnt-mean-more-ransomware-attacks-critical-infrastructure.html

[4] The Cybersecurity and Infrastructure Security Agency, National Security Agency, Federal Bureau of Investigation, U.S. Department of Energy, U.S. Environmental Protection Agency, U.S. Transportation Security Administration, Australian Signals Directorate’s Australian Cyber Security Centre, Canadian Centre for Cyber Security, United Kingdom National Cyber Security Centre and New Zealand National Cyber Security Centre, “Joint Cybersecurity Advisory,” Cybersecurity & Infrastructure Security Agency (February 7, 2024), https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf

[5] See supra note 1.

[6] Tina Reed, “Health care was biggest victim of U.S. ransomware attacks last year,” Axios (March 11, 2024), https://www.axios.com/2024/03/11/health-care-ransomware-attacks

[7] “U.S. and U.K. Disrupt LockBit Ransomware Variant,” U.S. Department of Justice (February 20, 2024), https://www.justice.gov/opa/pr/us-and-uk-disrupt-lockbit-ransomware-variant

[8] Regulation S-K Item 106(c) – Governance of “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure,” Federal Register (September 5, 2023), https://www.sec.gov/files/rules/final/2023/33-11216.pdf

The views expressed in this article are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.
