Ransomware attacks may have frozen fewer bits of data in 2022, but that doesn’t mean cybercriminals are resting on their laurels. Indeed, new threats are waiting in the wings and demanding new responses, which is one reason why the U.S. Government is boosting spending for the Cybersecurity and Infrastructure Security Agency (CISA) by 12% this year.
CISA’s $313 million increase, which was contained in the omnibus spending bill signed by President Joe Biden at the end of December, brings the fledgling agency’s total 2023 budget to $2.9 billion, which is 15% higher than the White House sought. By comparison, the Department of Defense’s 2023 budget was increased by 8% to $817 billion, or 6% more than the Biden administration’s initial ask.
While the DOD’s presence is palpable, with physical ships, aircraft, and rockets to show for it, CISA’s impact is harder to see. The nation’s top cybersecurity agency, which was created in 2018, works more in the shadows. Its broad goal, as laid out in its strategic plan for 2023 to 2025, is to work with other governmental agencies and private organizations to identify and stop cybersecurity threats as well as threats to physical infrastructure.
Security experts applaud the step-up in cyber spending at the national level.
“The 12% increase in federal cybersecurity spend is an important step in the right direction and should encourage other organizations to do the same,” says Marie Wilcox, a security evangelist with security software and services provider Panaseer. “Cybercriminals are diversifying, ransomware continues to be a critical threat, and security professionals are still under-resourced and overstretched. In this environment, increased investment in security from the public and private sectors has never been more important.”
However, Wilcox urged caution in how private firms should spend on security. Most organizations already have the tools they need to enforce security, she says. What’s needed more now is a way to monitor and measure the effectiveness of existing tools.
Amy Baker, a security education evangelist with Security Journey, says it’s good to see federal cybersecurity spending on the rise, especially considering the Log4Shell exploit from early 2022 and the fact that global attacks increased 42% in the first half of 2022 alone.
“We hope this investment inspires other enterprises to follow suit, given that budgets are under scrutiny due to the economic climate and the threat from cybercriminals continues at an alarming pace,” Baker says.
Companies can do a lot to curb the security problem by remediating known vulnerabilities in Web and mobile apps. Baker says the NIST database shows that vulnerabilities in Web applications increased by 210% over the past several years.
“Given that 90% to 95% of data breaches are due to Web application vulnerabilities, spend on secure coding training for everyone across the software development lifecycle (SDLC) will be invaluable for protecting software and data in the ever-evolving threat landscape,” Baker says.
Security spending is up broadly across the country in response to increased awareness of cybersecurity threats. According to Gartner, U.S. security spending is expected to total about $30 billion this year, representing a 20% increase over last year.
However, the ever-increasing pace of data collection is raising concerns among security professionals. While business leaders are confident that their data collection and usage practices are sound, the general public isn’t so sure, according to KPMG.
“One fundamental finding that comes as no surprise to anyone is that the vast majority of Americans are worried about their data, with 92% of the U.S. general population acknowledging they are very or somewhat concerned about protecting their personal information,” KPMG says in its Corporate Data Responsibility Survey 2022. That’s an increase from 86% in 2021, KPMG adds.
A move toward more transparency from companies doesn’t seem to be helping. While 62% of business leaders say they’re sharing more information about how they process consumers’ data, 80% of Americans say they’re concerned about transparency, and nearly 90% want more details on how their data is used.
The new and evolving security threats that experts predict could blow up in 2023 include:
- Ransomware that targets intellectual property;
- Attacks on operational technologies and IoT;
- Attacks on “smart city” and smart manufacturing infrastructure;
- Combined attacks on physical and cyber assets;
- Automation of pre-built exploit kits on the dark Web;
- Synthetic identity fraud that leverages completely made-up credentials.