Felix Ryan, Cyber Security Consultant at You Gotta Hack That, looks at several potential challenges related to successfully securing our increasingly connected world.

Let’s begin looking at some potential cyber security challenges in 2024 (and beyond) by making what should be an obvious statement: ‘not all cyber attacks are sophisticated’. This statement will continue to ring true in 2024, as despite overall improvements in cyber security, organisations will still struggle to effectively manage their cyber security risks as a reliance on embedded systems and operational technology increasingly becomes the norm.

Targeted vs untargeted attacks

I recently talked to a friend who works in a finance department and has little knowledge about IT, let alone penetration testing and hacking. He told me that he felt there must be a lot of highly skilled hackers in the world to maintain the number of breaches that get publicised. We talked for a while, and I realised how much the contents of news stories about breaches biased his view on this subject. There is a tendency for organisations that have experienced a cyber security breach to claim in their public relations that the attack was part of a ‘sophisticated’, ‘targeted’, and ‘sustained’ campaign. Often these claims don’t hold up to the scrutiny of a technically minded individual.

In fact, these claims can’t all be valid, as many cyber attacks are carried out by opportunistic threat actors. Attackers spray their efforts across large portions of the internet, looking to capitalise on the tiny percentage of vulnerable systems that they find. Most organisations struggle to deliver cyber security to a high standard. Therefore, it is a mathematical certainty that speculative hacking attempts cause a similar number of breaches. In 2024, let’s encourage each other to question whether the breaches we hear about are a result of sophisticated attacks, a lack of defensive capabilities, or perhaps a bit of both.

Impact of cyber complacency

Cyber security has fully become an influence on everyday life for individuals and businesses. This is so much the case that when talking with the younger generations, it is easy to be left with the impression that complacency has started to set in. An expectation has grown that at least some details for every person have been leaked, stolen, or otherwise ended up in the hands of a cyber wrongdoer. The argument for complacency can be quite compelling too, as it is difficult for most people to establish what impact they have experienced due to this illicit data handling.

The impact of cyber attacks may soon become much more tangible due to the enormous increase in connected embedded systems and operational technology. When this technological dependence is met with attackers who are gradually looking at alternative opportunities for them to monetise their efforts, you inevitably get physical disruption and damage that we will all be able to recognise. The opportunities for attackers in this space are numerous. For example, it is perfectly plausible to imagine a scenario where all the owners of a particular brand of smart freezer come home from work to discover that all their food has defrosted, and the machine refuses to work until a ransom is paid.

Product vendors will likely scoff at this prediction for the future. They may claim that there have been no such attacks to date or make noises about their products having ‘military grade encryption’, suggesting that this implicitly makes them secure. But there are two powerful counterarguments. First, earning a living by attacking traditional IT systems has been trivial. But as the cyber security arms race has matured and traditional IT isn’t quite the pushover it once was, threat actors are now considering what easy targets are out there. The second argument is that good digital defences are expensive, and we live in a world where cheaper products sell more. It doesn’t take much thought to realise that one of the corners that can be cut when making a product is cyber security, which makes all those embedded systems an excellent juicy target.

Undermining global trust

For those of us in the cyber security community, it is plain to see that election manipulation is now endemic. Various nations worldwide have successfully influenced governments’ election processes, whether their own or belonging to other countries. This has already happened a surprising number of times, and there is little to show that the trend has stopped growing. Currently, many election manipulation activities are classed as influence campaigns rather than direct hacking. Influence campaigns affect the opinions of the people, not directly changing votes. There is some overlap, though, in that hacking has been used to enable or amplify influence campaigns, and it isn’t inconceivable that voting machines could also be manipulated.

With the development of generative AI, there is enormous potential for social engineering attacks and influence campaigns to increase in volume and sophistication. Generative AI will do two things: firstly, it will make it easier for those who operate influence campaigns to create and manage online personas, and secondly, it will make it much easier to fabricate stories, photos and videos. Take, for example, this image of a chameleon:

[Image: chameleon]

It was made in about four seconds by generative AI when I requested a picture of a chameleon (an animal known for its ability to change colours and blend in) wearing a masquerade ball mask and ‘in the internet manipulating data’. There is no reason why these same technological concepts can’t be used to alter existing images and videos of prominent people or world events. The ability to control the global narrative this way will make fact checking news stories and trusting media outlets incredibly difficult.

Fragility of the food supply chain

In a world that is ever more reliant on the just-in-time delivery of products and services, it is no wonder that the food and agriculture industries are investing in smart technologies. Technology can help irrespective of the crop or the part of the world where it is being cultivated. In Iceland, the use of vast greenhouses for crops can be regulated for temperature and lighting conditions using smart plugs and smart sensors. In Italy, the vineyards have their soil acidity levels monitored by embedded soil probes and new vines planted by robotics. In Australia, moisture levels are monitored in unfathomably distant fields to ensure the irrigation systems operate correctly. Those are just a few examples of how technology can enhance our ability to grow crops. But our soil-to-plate food supply chain involves many more stages, all of which have their own reliance on technology.

The combination of just-in-time delivery and the heavy use of technology makes the food supply chain fragile and susceptible to interference. We could start to see supply chain and production systems being tampered with, which could affect specific economic outcomes and instabilities. It is hard to imagine a significant range of foods becoming globally challenging to come by, but what are the 2nd, 3rd, and 4th order effects of, say, there being very few bananas available? Could that cause a nation's economy to falter? What would it do to the environment? Does the reduction in banana-specific vitamins and minerals such as potassium result in a deficiency in some populations? Whilst some of these questions might have been asked, it feels unlikely that they have received significant attention, and there are probably dozens of unforeseen impacts.

There is much food for thought when it comes to cyber security considerations for 2024. One thing is for certain: we need to become increasingly adept at identifying threats across the multitude of embedded systems we all rely upon, and at working to mitigate these threats accordingly.