Submit your essay to the AI-Cybersecurity Essay Prize Competition by January 2, 2025.
The AI-Cybersecurity Essay Prize Competition
Read more
Main Logo Expert commentary on tech and security

Cybersecurity in 2023 and the challenges ahead

Ollie Whitehouse 7 November 2023
Share On:
The new Chief Technology Officer of Britain’s National Cyber Security Centre (NCSC), Ollie Whitehouse, looks at cyber trends in 2023 and beyond
Main Top Image
This image was created with the assistance of Midjourney

Cybersecurity science only really started to emerge in earnest in the early 2010s. The US National Security Agency (NSA) sponsored the first annual Science of Security Community meeting to discuss issues fundamental to the science of cybersecurity in 2012. We are in still the foothills of evidence-based approaches to cyber resilience, while adversarial capability and aggression are increasing rapidly. Several trends outline the scale of the technological challenge nations and societies face.

Vulnerabilities

Software vulnerabilities have surged from tens per month in the 1990s to thousands per month in the 2020s. This growth contributes to global systemic levels of vulnerability. In response to this technical debt, a growing number of organisations are adopting strategies to patch only the most serious vulnerabilities rather than all of them. This approach has yet to provide successful results.

Many vulnerabilities stem from incorrect or poor configurations. One example is memory corruption. This was first discussed in 1972 in the Computer Security Technology Planning Study report of the US Air Force, which read:

The code performing this function does not check the source and destination addresses properly, permitting portions of the monitor to be overlaid by the user. This can be used to inject code into the monitor that will permit the user to seize control of the machine.

Fast forward to 2023 and this class of vulnerability 50 years later enables commercial spyware companies, such as NSO’s Pegasus or Cytrox’s Predator, to compromise the most modern mobile devices.

Socio-technical vulnerabilities are also pervasive in allowing cyber intrusions. This primarily means human error: 74% of the disclosed breaches analysed in 2023 included a human element.

Aggressive adversaries

Over the last 30 years, technology has become increasingly embedded, distributed, and connected. It is being met by more aggressive and greater numbers of adversaries.

Their aggressive nature is evident in the criminal ecosystem as shown by the decreasing time it takes for them to breach an organisation and deploy ransomware payload. In 2023, the median time between initial breach and deployment decreased to a median of just 24 hours compared to 4.5 days in 2022 and 5.5 days in 2021. On October 25, insurer Allianz said that in 80% of large cyberattacks in 2022, personal or sensitive commercial data was stolen. This figure was up from 40% in 2019 and is expected to be even higher in 2023. Ransomware activity alone saw a 50% increase in the first six months of 2023. The stolen data is then used for extortion.

States are also becoming more aggressive. Since 2005, thirty-four countries are suspected of sponsoring cyber operations, mostly espionage. Some make more extreme use of offensive cyber capabilities, with one nation-state assessed to have stolen over $3 billion in crypto assets through cyber operations to fund its nuclear programme.

The response

Regulatory intervention, both primary legislation and guidelines, is increasingly shaping cyber defence trends.

States are growing more concerned about the Internet of Things (IoT), which refers to physical objects connected to the internet. It is projected that by 2030, there will be approximately 50 billion IoT devices in use around the world, with a majority lacking basic security measures. The response to this challenge ranges from legislation to voluntary schemes. For example, Singapore and the EU have implemented labelling or certification schemes that will help consumers identify products with enhanced security. These emerging principles are attempts to address market failures in producing secure embedded internet-connected devices.

Another emerging response is the application of root cause analysis to cyber risk. This approach involves identifying the underlying cause of vulnerabilities and implementing necessary changes to the technology to eliminate them.

Root cause analysis has been applied to the memory corruption mentioned earlier. Academic research has led to technological solutions that have enhanced the underlying hardware computing architectures we rely on, such as CHERI. At the level of computer programming language design, new languages have been developed to prevent the inadvertent introduction of this vulnerability class.

Other trends include data collection and analysis for cyber defence, from insight and quantification to understanding adversary behaviour. The future will rely on high-quality data at scale to detect and respond quickly.

One example of the value of data is seen in active cyber insurers who use ongoing technological assessment and policy underwriting to achieve better outcomes. Cyber insurance company Coalition, for example, achieved a 65% lower claim frequency than the industry average by using measures like continual scanning and prompt issue notification so clients could fix the identified problems. In 2022, Coalition reported that they reduced their clients’ critical vulnerabilities from 17% to 9.7%.

However, there is still room for improvement in technical cyber resilience solutions that address real-world threats and vulnerabilities on a large scale and with quantifiable performance.

The future of cyber technology

Forecasting technologies that will perform in the real world is challenging. However, a few show promise. Emergent technologies, such as artificial intelligence, help improve security outcomes through machine learning. An example of such an emergent solution is artificial intelligence that helps developers write secure code using large language models. There are also technologies that use data to detect security events in real time and respond automatically to suspected breaches.

Beyond these, there are many short-term open questions, including:

  • Which technologies help small organisations achieve cyber resilience the most effectively?
  • Which technologies are the most effective in helping critical national infrastructure organisations secure their industrial control systems?

Longer term there are still fundamental research problems to which we seek answers, as articulated by the NCSC:

  • How can we build systems we can trust?
  • How do we make system security assessments more data-driven?
  • How do we create and adopt meaningful measures of cyber security?
  • How do we make phishing a thing of the past?
  • How can we accelerate the adoption of modern security mitigations into operational technology?

These may seem rather foundational and they are. But they also highlight the lack of evidence as to what does work in practice.

Cyber resilience is arguably today for the most part not evidenced with any scientific rigour. It is this that needs addressing at scale to give us the best probability of creating a more secure internet digital society for all.

avatar
Ollie Whitehouse

Related

Featured image
Hooked On Trends
Drones enhance defences in the Ukraine war
Mauro Gilli / Niklas Masuhr 10 January 2024
Read more arrow
Featured image
Hooked On Trends
China’s generative AI governance
Rogier Creemers 18 April 2024
Read more arrow
Featured image
Hooked On Trends
Re-thinking cybersecurity capacity building
James Barr / Sofia Liemann Escobar / Jessica McClearn / Phil Sheriff 18 June 2024
Read more arrow

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by the European Cyber Conflict Research Incubator (“ECCRI CIC”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 am CET., through the official submission portal provided by ECCRI CIC.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants ECCRI CIC exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

ECCRI CIC, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify ECCRI CIC, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

ECCRI CIC reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond ECCRI CIC’s reasonable control impairs the integrity or proper functioning of the Competition, as determined by ECCRI CIC in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, ECCRI CIC reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.