Recent Cyber-Security Reports and Managing Current Threats

This past May, the 2024 Report on the Cybersecurity Posture of the United States was released. The first-ever report explains:

Simply put, we are in the midst of a fundamental transformation in our Nation's cybersecurity. It is now clear that a reactive posture cannot keep pace with fast-evolving cyber threats and a dynamic technology landscape, and that aspiring just to manage the worst effects of cyber incidents is no longer sufficient to ensure our national security, economic prosperity, and democratic values. ¹

Key threats listed in the report include evolving risks to critical infrastructure, ransomware, supply chain exploitation, commercial spyware, and artificial intelligence. The report also details key threat actors and types, as well as the role of emerging technologies in shaping the national approach. As our technological landscape becomes increasingly complicated, the report explains the continued role of the Cyber Safety Review Board and the importance of applying lessons learned following incidents.

In our technological age, it would likely be challenging to find an organization that doesn't utilize the cloud to some extent. The cloud offers a range of benefits, and the convenience it affords is an indispensable necessity for most. However, this degree of dependence and lack of immediate oversight over one's data comes with a range of risks. In 2023, this was clearly illustrated when a cyber attack on Microsoft resulted in email account breaches, including some belonging to several US government agencies. ² The severity of the attack led the Cyber Safety Review Board to choose the incident as the topic of its most recent report, Review of the Summer 2023 Microsoft Exchange Online Intrusion, released in spring 2024. Following its investigation, it was determined that widescale security issues within Microsoft influenced the success of the attack.

The report highlights a need for strong upper management support at Microsoft, particularly calling on senior officers to carry out the board's suggestions. It states:

Throughout this review, the Board identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management. ³

After having identified a web of technological issues and vulnerabilities, there is what now seems to be an old adage of our threat landscape: Never underestimate the human element and the impact of security culture. The best technological defenses, the soundest written policies, even the most thorough education and training practices are insufficient when paired with a culture that fails to prioritize the values it espouses on paper. The report goes on to state that:

To drive the rapid cultural change that is needed within Microsoft, the Board believes that Microsoft's customers would benefit from its CEO and Board of Directors directly focusing on the company's security culture and developing and sharing publicly a plan with specific timelines to make fundamental, security-focused reforms. ⁴

Top-down management support is a key ingredient that frequently gets forgotten when assessing security postures. Its lack can be the "make it or break it" factor that ultimately contributes to a successful attack. An established time line for necessary reforms is suggested in the report as a means to provide answers for consumers as well as establish trust in the security of their data.

The report points to a series of errors, when taken individually, that may not have resulted in catastrophic failure. However, since found to be combined, the report concludes that Microsoft has seemingly drifted from its original vision as established by Bill Gates:

So now, when we face a choice between adding features and resolving security issues, we need to choose security. ⁵

From the possible dangers of cloud computing to the systemic and cultural issues that can impact an organization's ability to remain vigilant about security threats, much can be learned from the Cyber Safety Review Board's most recent report. Focusing on the "written" ideals that guide your organization's security policies and making careful decisions to keep cyber an ongoing investment are key ways to maintain client trust and balance innovation with security. Reviewing the 2024 Report on the Cybersecurity Posture of the United States can help shape an organization's overarching security goals and prepare them for future risks.