The Year in Review: 2023’s Most Important Cybersecurity Events
Explore the pivotal cybersecurity events of 2023 in our comprehensive review, covering major breaches, evolving threats, and key policy shifts.
Cybersecurity is about more than the biggest breaches. That’s why we elected to break our year-in-review into two separate episodes. In the first, we discussed the 10 biggest cyberattacks of the year. But 2023 was a pivotal year in all aspects of cybersecurity, marked by significant incidents and evolving threats.
1. The Repeat Offenders
While there were a lot of major cybersecurity incidents, data breaches, and newsworthy events, only a select few managed to be involved multiple times!
T-Mobile faced a series of cybersecurity breaches, continuing a trend from previous years. These incidents involved significant data leaks, including sensitive customer and employee information. The breaches highlighted the growing concern around mobile phone security, particularly in the context of SIM swapping attacks. The ramifications of these breaches were intensified by T-Mobile’s recent merger with Sprint, raising questions about the company’s data protection capabilities and the regulatory oversight of such large-scale mergers.
MOVEit, a popular file transfer utility by Progress Software, experienced a complex series of breaches. These incidents exposed a vast amount of data, impacting a wide range of users across different markets. The breach’s scale and the ongoing discovery of its impacts underline the challenges in securing widely used digital utilities and the long-term consequences of such cybersecurity failures.
Okta, an identity provider and cybersecurity firm, faced multiple security incidents throughout the year. These breaches were particularly concerning given Okta’s critical role in managing secure access to various resources for companies. The frequency of these incidents underscores the challenges even specialized cybersecurity firms face in safeguarding against sophisticated threat actors.
2. Cybersecurity Disclosure and Inaccurate Representations
2023 witnessed a concerning trend in the cybersecurity domain, marked by major companies downplaying the severity of data breaches. Two notable instances involved Okta (probably not good to be included in two different categories for this episode, but here we are) and 23andMe, and exemplify this worrying pattern.
Okta’s Continuously Expanding Breach
In its most recent data breach incident, Okta initially reported that only a few customers were affected. That number grew drastically over time: from a handful, to 150-180 customers, to eventually every one of its customers.
This gradual revelation of the true extent of the breach raised questions about transparency and accountability in cybersecurity incident reporting by Okta. Was the initial number an honestly produced estimate based on the information then available? Or was it a misrepresentation, an attempt to limit the potential PR backlash and stay far enough under the radar to avoid additional scrutiny?
23andMe’s Exploding “Not-A-Breach” Cyber Incident
23andMe’s case is particularly alarming, not just due to the nature of the breach, but also because of the sensitive data involved. Initially reported as a minor incident affecting a small portion of their customer base, it later emerged that up to 14 million (and potentially more) people’s data might have been compromised.
The breach itself was attributed to credential stuffing, where attackers logged in to personal accounts using passwords the account holders had reused from other services, rather than a direct attack on the company’s systems. The breach’s significance lies in the nature of 23andMe’s service: it exposed a vast network of interconnected data, including ethnic backgrounds and other sensitive genetic information. Given the rise of AI tools being used for malicious purposes, AI’s capability to analyze and aggregate massive amounts of data means that the misuse of such sensitive information could have unprecedented consequences.
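Because credential stuffing looks like ordinary logins, one account at a time, the tell is in the aggregate: a single source cycling through many different usernames with a high failure rate and the occasional success. The following is an added example, not code from the podcast or from 23andMe, of that detection logic run over a constructed authentication log. The log format (timestamp, source IP, username, result) and the thresholds (five distinct accounts within five minutes, at least 70% failures) are assumptions chosen for illustration.

```python
"""Credential-stuffing detection over authentication logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, not real data. One event per line:
#   <ISO-8601 timestamp> <source IP> <username> <SUCCESS|FAIL>
# 203.0.113.7  : cycles through many accounts, mostly failing -> stuffing pattern
# 198.51.100.5 : one user fumbling their own password -> not stuffing
# 192.0.2.10   : a normal successful login
SAMPLE_LOG = """\
2023-10-02T10:00:01Z 203.0.113.7 alice FAIL
2023-10-02T10:00:03Z 203.0.113.7 bob FAIL
2023-10-02T10:00:05Z 203.0.113.7 carol FAIL
2023-10-02T10:00:07Z 203.0.113.7 dave SUCCESS
2023-10-02T10:00:09Z 203.0.113.7 erin FAIL
2023-10-02T10:00:11Z 203.0.113.7 frank FAIL
2023-10-02T10:00:13Z 203.0.113.7 grace FAIL
2023-10-02T10:00:15Z 203.0.113.7 heidi FAIL
2023-10-02T10:01:00Z 198.51.100.5 carol FAIL
2023-10-02T10:01:10Z 198.51.100.5 carol FAIL
2023-10-02T10:01:20Z 198.51.100.5 carol FAIL
2023-10-02T10:01:30Z 198.51.100.5 carol SUCCESS
2023-10-02T10:02:00Z 192.0.2.10 alice SUCCESS
"""


@dataclass
class AuthEvent:
    ts: datetime
    src_ip: str
    user: str
    ok: bool


def parse_line(line: str) -> AuthEvent:
    """Parse one log line in the assumed four-field format."""
    ts, ip, user, result = line.split()
    return AuthEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "SUCCESS")


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_accounts=5, min_fail_ratio=0.7):
    """Flag source IPs that try many distinct accounts with mostly failures.

    Returns {src_ip: {"accounts_tried", "attempts", "failures", "compromised"}}
    where "compromised" is the set of usernames that logged in successfully
    from a flagged source (the accounts a defender should reset first).
    A single account with repeated failures is deliberately *not* flagged:
    that is a brute-force or a forgetful user, a different rule's job.
    """
    events_by_ip = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ev = parse_line(line)
        events_by_ip[ev.src_ip].append(ev)

    findings = {}
    for ip, events in events_by_ip.items():
        events.sort(key=lambda e: e.ts)
        start = 0
        # Sliding time window over this source's events, oldest to newest.
        for end, ev in enumerate(events):
            while ev.ts - events[start].ts > window:
                start += 1
            win = events[start:end + 1]
            users = {e.user for e in win}
            fails = sum(1 for e in win if not e.ok)
            if len(users) >= min_accounts and fails / len(win) >= min_fail_ratio:
                f = findings.setdefault(ip, {"accounts_tried": 0, "attempts": 0,
                                             "failures": 0, "compromised": set()})
                # Keep the widest window seen and accumulate every account
                # the source managed to get into.
                f["accounts_tried"] = max(f["accounts_tried"], len(users))
                f["attempts"] = max(f["attempts"], len(win))
                f["failures"] = max(f["failures"], fails)
                f["compromised"] |= {e.user for e in win if e.ok}
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {f['accounts_tried']} accounts tried, "
              f"{f['failures']}/{f['attempts']} failed, "
              f"compromised={sorted(f['compromised'])}")
```

Running it flags only 203.0.113.7 and names `dave` as the account that needs a forced password reset. Detection is the second line of defense; the first is making reused passwords worthless, by requiring multi-factor authentication, rate limiting per source and per account, and rejecting passwords that appear in known breach corpora at signup and at login.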
Adding insult to injury, 23andMe made a subtle change in their terms of service on the same date that their most recent update on the number of customers impacted was published. The change, which users have only 30 days from the date of the announcement to opt out of, limits customers’ options for legal recourse. This move, combined with the breach’s severity, further eroded trust in the company’s commitment to data security.
3. The Turbulent Year for OpenAI (and the Implications for the Future)
The year saw a significant shakeup at OpenAI, the company most known for its flagship product, ChatGPT, the most popular new software product of all time and the system that kick-started the Generative AI race. Sam Altman, one of the co-founders, was removed by the board governing the company. Although unconfirmed, it seems that the board’s decision was intended as a safeguard against any one individual wielding excessive influence over the direction of the company, emphasizing its commitment to safe and ethical AI development.
For-Profit Dynamics in a Nonprofit Structure
OpenAI operates under a unique structure: a for-profit entity wholly owned by a nonprofit. The board of OpenAI runs the non-profit entity. This arrangement was designed to maintain the ethical integrity of AI development. However, the events of 2023 have highlighted the complexity of maintaining this balance, especially given the massive financial interest and investment that LLMs and Generative AI have drawn.
The Reverse Coup and Microsoft’s Role
Following Altman’s ouster, a significant portion of OpenAI’s employees publicly opposed the board’s decision, threatening a mass exodus. (Their motives are impossible to know for certain, but it should be noted that most had a vested interest in the financial success of ChatGPT.) Microsoft, a major investor in OpenAI, played a crucial role in this drama by immediately offering employment to Sam Altman and other members of the OpenAI team. Microsoft’s actions and the employees’ unrest led to a reversal. Altman was reinstated, Microsoft gained a seat on the board, and several board members who sought Altman’s departure were dismissed.
The OpenAI saga of 2023 is a stark reminder of the delicate balance between maintaining ethical standards in AI development and the realities of corporate influence and profit motives. As we move forward, the unfolding story of OpenAI will undoubtedly continue to be a focal point in discussions about the future of AI and its governance.
4. A Pivotal Year in Cyber Warfare
2023 marked a significant escalation for the cybersecurity aspect of the Russia-Ukraine war.
Ukraine’s Bold Counterstrike
In a move likened to a David versus Goliath scenario, Ukraine landed a significant blow against Russia, one of the world’s most formidable cyber forces. The highlight of this cyber retaliation was the hacking and subsequent destruction of the Russian tax system’s servers, including their backups, along with those of related government agencies. This attack utilized a wiper utility, a type of malware designed for outright destruction rather than espionage or data theft. The scale and effectiveness of this strike by Ukraine marked a notable shift in the cyber dynamics of the conflict.
The attack’s repercussions extend beyond the immediate damage to Russia’s cyber infrastructure. It is expected to have a profound impact on Russian citizens and businesses, potentially influencing public opinion and causing substantial economic disruption. This cyber assault’s timing is particularly noteworthy, coinciding with an election year in both Russia and the United States. While the outcome of the Russian election may be predictable, the cyberattack’s fallout could still sway public sentiment and create substantial challenges for the government.
5. A New Era of Cybersecurity Challenges
2023 has been a landmark year in cybersecurity, witnessing the emergence of sophisticated tools and techniques in cyberattacks.
The Rise of Generative AI in Social Engineering
Social engineering remains a primary method for initiating cyberattacks, but the landscape has evolved with the advent of generative AI. This technology has significantly improved the quality of phishing emails, making them more convincing and harder to detect. The use of generative AI in crafting authentic-looking emails marks a notable shift from the easily identifiable scams of the past, like the infamous Nigerian prince emails. Moreover, generative AI’s ability to develop and refine code has enhanced the arsenal of cybercriminals, improving their capabilities in finding exploits and enhancing their attack tools.
QR Codes: A Double-Edged Sword
The widespread adoption of QR codes, especially accelerated during the COVID-19 pandemic, has opened new avenues for cyberattacks. These codes, while incredibly useful for businesses and consumers alike, have become a potent tool for cybercriminals. The ease of embedding malicious links in QR codes and the public’s willingness to scan them without suspicion has raised significant security concerns. The potential for QR code-based phishing attacks, especially in high-visibility platforms like Super Bowl advertisements, underscores the need for caution and awareness among users.
Targeting Critical Infrastructure
Perhaps the most alarming trend of 2023 is the increased focus of cybercriminals on critical infrastructure. Incidents like the Colonial Pipeline attack and attempts to poison water supplies highlight the vulnerability of essential services. These attacks are not just about causing disruptions; they pose direct threats to public safety. The fact that many industrial control systems were not originally designed with cybersecurity in mind, and their increasing connection to the internet, makes this an urgent area of concern.
6. A Positive Shift in Cybersecurity Policy
2023 has been a pivotal year for cybersecurity in the United States. While Congress has been slow in enacting comprehensive privacy or cybersecurity legislation, there has been notable progress at the executive level.
The National Cybersecurity Strategy marks an important initial step in integrating security into the increasingly internet-connected fabric of our society. It aims to provide a comprehensive framework to address the growing and complex cybersecurity threats. This strategy is not just about protecting government systems and critical infrastructure; it extends to establishing guidelines and control mechanisms for businesses and other sectors.
The strategy provides much-needed guidance to businesses and various sectors, laying the groundwork for a more secure digital environment. A notable concern is the enforceability of this strategy. A framework, however impactful in theory, requires strong enforcement mechanisms to be effective. Ongoing review and maturation of the strategy are essential for it to stay relevant and effective against evolving cyber threats.
While this strategy is a significant first step, the absence of concrete legislative action from Congress remains a gap. The podcast hosts express hope that this initiative will not become politicized and that it will be recognized as a crucial part of ensuring effective cybersecurity in a connected world.
7. A New Era in Cybersecurity Accountability
The recent legal action taken by the Securities and Exchange Commission (SEC) against SolarWinds and its Chief Information Security Officer (CISO) has sparked a significant conversation in the cybersecurity community. This case is noteworthy not for its criminal implications (it is a civil case, after all), but for the way it signals a shift in how corporate cybersecurity responsibility is assigned and perceived.
Traditionally, CEOs have been viewed as the ultimate responsible parties in corporate structures, especially in matters involving government interaction. However, this case marks a departure from that norm by directly holding a CISO accountable. The move elevates the role of the CISO, historically seen as a ‘junior partner’ in the C-suite, to one of significant legal and operational responsibility.
The implications of this approach are a double-edged sword for CISOs. CISOs are now front and center in the eyes of regulatory bodies like the SEC. This heightened responsibility implies that CISOs have an influential voice in a business. However, if companies do not elevate the status and decision-making power of CISOs, these professionals risk becoming scapegoats for cybersecurity failings. For CISOs to effectively manage the immense responsibility of protecting company data and systems, they need an equal seat at the executive table, and their recommendations and policies must be taken seriously.
While the focus on the CISO by the SEC in the SolarWinds case is unprecedented, it’s unclear if this will set a lasting precedent. Ideally, cybersecurity responsibility should be shared across the C-suite. However, the case undeniably alters the landscape, hopefully giving CISOs and prospective CISOs more leverage in negotiations, including compensation discussions, due to the potential liability.
8. A Rare Convergence in the World of Espionage
In a development that seems like it’s straight out of a spy novel, the recent meeting of the Five Eyes intelligence alliance has sparked intrigue and speculation in the cybersecurity community.
The Five Eyes Alliance
The Five Eyes is an intelligence-sharing apparatus that operates on a global scale. It facilitates the exchange of crucial information among its member nations, enhancing their collective capabilities in monitoring and responding to international security threats. This alliance is a testament to the increasingly interconnected nature of information security in the digital age, where collaboration across borders is key to effective espionage and counterintelligence efforts.
The Significance of the Meeting
While the Five Eyes have long collaborated, the physical convening of its leaders is a rare occurrence. This meeting signifies the importance of face-to-face interactions, even in an age dominated by digital communication. Contrary to popular imagination, these meetings are less about hooded figures in dark rooms and more about high-level strategy discussions among the ‘CEOs’ of intelligence agencies. They are likely to focus on bureaucratic and strategic aspects rather than hands-on espionage tactics.
The public awareness of such a meeting is unusual for organizations that operate in secrecy. Its disclosure in the media adds an element of transparency, albeit limited, to these typically shadowy operations.
We’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and me to break down in an episode, send us an email at email@example.com or reach out to us on Facebook or LinkedIn. For more information about today’s episode, be sure to check out Fearless Paranoia.com, where you’ll find a full transcript as well as links to helpful resources and any research and reports discussed during this episode. While you’re there, check out our other posts and podcasts as well as additional helpful resources for learning about cybersecurity.
- Resilience Cybersecurity & Data Privacy
- MOVEit cyberattacks: keeping tabs on the biggest data theft of 2023 – The Verge
- Top 5 Risks of Artificial Intelligence – IT Security Guru
- Shadow AI: A Thorny Problem for Law Firms – Above the Law
- The People Hacker: AI a Game-Changer in Social Engineering Attacks – Infosecurity Magazine
- SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures
- Hackers are selling the data of millions lifted from 23andMe’s genetic database – The Verge
- 23andMe says private user data is up for sale after being scraped – Ars Technica
- 23andMe user data breached in credential-stuffing attack – Engadget
- Hackers Claim They Breached T-Mobile More Than 100 Times in 2022 – Krebs on Security
- T-Mobile Racks Up Third Consumer Data Exposure of 2023 – DarkReading
- T-Mobile Data Breaches: Full Timeline Through 2023 – Firewall Times
- Okta says hackers stole data for all customer support users in cyber breach – Reuters
- Inside the Coup at OpenAI – New York Times
- Ukraine Claims it “Paralyzed” Russia’s Tax System – Infosecurity Magazine
©2024 Fearless Paranoia