SHARED INTEL Q&A: Bi-partisan report calls for a self-sacrificing approach to cybersecurity

By Byron V. Acohido

A new report from the Bipartisan Policy Center (BPC) lays out, in stark terms, the prominent cybersecurity risks of the moment.

The BPC’s Top Risks in Cybersecurity 2023 analysis calls out eight “top macro risks” that frame what’s wrong and what’s at stake in the cyber realm. BPC is a Washington, DC-based think tank that aims to revitalize bipartisanship in national politics.

This report has a dark tone, as well it should. It systematically catalogues the drivers behind cybersecurity risks that have steadily expanded in scope and scale each year for the past 20-plus years – with no end yet in sight.

Two things jumped out at me from these findings: there remain opportunities and motivators aplenty for threat actors to intensify their plundering; meanwhile, industry and political leaders seem at a loss to buy into what’s needed: a self-sacrificing, collaborative approach to systematically mitigating a profoundly dynamic, potentially catastrophic threat.

Last Watchdog queried Tom Romanoff, BPC’s technology project director, about this analysis. Here’s the exchange, edited for clarity and length:

LW: Should we be more concerned about cyber exposures than classic military threats?

Romanoff: Classic military threats will always merit significant concern due to their direct impact on life. But for most Americans, cyberattacks are a lot more likely to happen. They can cause severe economic or social disruptions and impact a broad crosscut of our society.

Incidents of nations using cyberattacks as an extension of military operations to disrupt or destabilize targets are on the rise. As part of criminal enterprises or economic warfare, nation-states using cyber-attacks can inflict damage without firing a shot and extend power beyond their borders.

Our report connects the threats from particular nation-states and showcases how this can accelerate risks for non-military organizations.

LW: Regulation hasn’t seemed to help much; data security rules have been highly fragmented, i.e., Europe vs. the U.S. and even state-by-state in the U.S.

Romanoff: Concerns about data privacy and cybercrime are fast-tracking the push for regulations. In the U.S., tech has enjoyed “permissionless innovation” for much of its industrial existence.

As Congress continues to debate the role of Big Tech, increased state-level regulations, and worldwide regulations, policymakers are increasingly pressured to do something to increase data protections.


California is leading the effort at the state level and has passed the California Consumer Privacy Act (CCPA). Similar bills, including many data privacy bills, follow California’s lead. For example, Colorado, Connecticut, Utah and Virginia have all signed privacy laws in the last few years, and fifteen other states are considering privacy laws.

The push for a national data privacy law would have an immediate and quantifiable impact, but sadly progress is stalled. Without a national data privacy law or laws, we are left with a fragmented regulatory landscape.

The EU is moving much faster to regulate digital security. Between the General Data Protection Regulation (GDPR), Digital Services Act (DSA), the Digital Markets Act (DMA), and the emerging ePrivacy Regulation, the EU is framing the data security debate worldwide.

The overall impact of regulations has been on how businesses collect, process, and protect personal data. There will continue to be a push to increase transparency and accountability around data handling practices. For example, the recent FTC complaint regarding GoodRx and the Illinois case against White Castle for violations of the Biometric Information Privacy Act (BIPA) show that the norm is trending toward increased oversight.

LW: So what difference can regulation actually make in the next few years?

Romanoff: We should expect the government to break from the self-governance/marketplace regime that has been in place and move away from incentive-based cyber compliance. I expect to see more penalties for data leaks or non-compliance.

DMA and other EU regulations will come online, creating compliance hurdles for American companies.

We can also expect the U.S. government to work toward more oversight mechanisms by finding authorities that can be interpreted through a data-security lens.

LW: It’s certainly not a surprise that nightmare breaches keep happening; your report calls out lagging corporate governance as a major variable.

Romanoff: Cybersecurity in many organizations is considered a cost, not an investment. Too often, cyber leaders are not included in board discussions or c-suites, and thus cybersecurity isn’t integrated into business decisions. This will continue to be a challenge until security is built into the business model or product from the beginning.

For example, one of our working group members talked about the need to create software development teams that knew cybersecurity just as well as UX/UI. Traditionally these are different teams: one team builds the software product, and another one tests it for vulnerabilities.

When you have a team that builds a product with cybersecurity as part of its functionality, that’s when you have full integration. It’s the same for corporate governance: when cyber is built into a product, we know this risk is being meaningfully addressed.

LW: Will infrastructure threats and/or disruptions be a catalyst?

Romanoff: Infrastructure and utility disruptions pull cybersecurity from the abstract into reality for most Americans. These sectors continue to be targeted, and events like the Colonial Pipeline shutdown pushed government agencies and companies to prepare for attacks.

No system, no matter how well protected, is 100 percent safe from attack. What is important to highlight is the resilience and contingency planning that organizations should build into their strategy before being the disruption case study.

I commend the work that CISA and DHS are doing to help organizations build out that resiliency. By partnering with cyber leaders in these sectors, CISA is working to mitigate risks before they become disruption events.

LW: What is an optimistic scenario for shrinking the trajectory of cybersecurity risks, as laid out in this report?

Romanoff: Hopefully, some of these risks will be addressed and become part of standard resilience and contingency planning. However, eight of the risks we identified are not new. They have been a concern for some time.

We hope that the framing of this report will spur action, especially at the policy level, to allocate the necessary time and resources. Our report is a baseline for 2023, and we hope to update it as new risks emerge or as risks are addressed meaningfully, mitigating their impact.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)

March 14th, 2023