Preparing for the Current and Future Cybersecurity Threat Landscape: ENISA Efforts

Hello. Good afternoon everyone. I hope you can hear me and thank you very much for the great opportunity to, to virtually be with you, unfortunately could not make it in person this time. So my name is RAs and I'm still talk to you about the current and the future cyber threat landscape. The way Indonesia, the EU Agency for cybersecurity has been, has been mapping, it, has been working on monitoring the threat landscape, probably singing to the choir here, but a little bit on who is in and what is in and what they're doing.

For those of you who are not familiar, we're the EQ agency for cybersecurity, and we work on a lot of different things from spanning, from capacity building, supporting policy implementation, operational cooperation, and of course certification and trusted solution. In order to do that, we need to have a very, very good understanding of what is the cybersecurity threat landscape, what is happening, and we're doing this in order to make sure that to we fulfill our mission, which is to achieve a high common level of cybersecurity in Europe.

In order for an Nitish to do that, we look, first of all to understand the, what is the current state of cybersecurity and try to raise that level of cybersecurity to increase that. We tell first look at the today's threats, today's challenges, what are our cybersecurity, what are our digital systems faced against, and what are the potential threats that they have to, to, to defend, and the ones that we need to mitigate the impact. So we do that by means of what we call a threat landscape. A threat landscape is something that Anisa has been doing for the past 11 years.

Just last week we published our 11th edition of the 2023 threat landscape, where through an open source intelligence analysis and publicly available information, we, we, we, we identify the top 10, usually, sometimes a bit more, sometimes a bit less threats to the European Union. This is complemented by, by specific deep dives on, on, on particular types or types of threats such as ransomware, DDoS, but also technologies such as artificial intelligence and five G, where we try to, to see the specific attacks on those sectors and on those technologies.

One of the issues to do that, as I said, is to, to fuel, to, to provide to, to the industry, to you people, to provide the hour and our assessment of what they, what are the main threats I, in order to, to adjust and reflect on your risk, on your risk assessments. Second reason is to be able to understand what is coming down the horizon. It's not only about pre improving resilience and preventive efforts, it's also about being reactive, reactive and proactive to future threats that will sit down the horizon.

For this, we do this via strategic foresight and I'm going to give you a snapshot of what we see as threats in 2030, but before we move into the future, let's look into the present, first of all. So when it comes to today's threats for 2023 and is identified the following eight main categories of threats, namely the ones against the, the ones related to ransomware, ones related to malware, threats against data, targeting, data structures and databases, social engineering threats, supply chain attacks, threats against availability such as denial of service and also against the internet.

And of course, information manipulation inform, which is essentially disinformation and misinformation. The, the threats that we, we see here are based analysis is based on, on, on few more, five to 6,000 publicly disclosed instance over the course of the year, which we analyzed de composed and tried to understand their impact, their motivation, the threat actors behind, and from that we extract different trends. We also looked into, and I will tell you a little bit in a bit on, on on this aspect, the sectors that are most affected, but also the different threat actors involved.

All of this, as I said, is, is based on, on, on audit information and is based on, on a methodology that have made publicly available. The reason for doing that is we want to, to improve transparency of our work and to make sure that basically that you believe us, that you, you have a bit of confidence in the work we do, and you can, if we're making a mistake, you can reach out to us and let us know while based on what you did, this is wrong, so fix it.

At the same time, all of these traits will have analyzed in all of these instance against the, the Mitre attack framework to see the different TTPs that that that will have witnessed in different attacks. And accordingly, we have provided the recommendations to, to mitigate the adverse impact of, of these threats. In terms of standards such as ISO needs cybersecurity framework, the threat landscape is complemented also by CV analysis because vulnerabilities are an, an essential piece of the threat landscape.

So in our analysis, we distinguish between four different types of threat actors, namely state nexus actors, cyber criminals, hacker for higher actors and hacktivists. And the past year we have seen an increased activity of state nexus actors related to the war of aggression in Ukraine, Muslim, and, and that's a, that's a little bit of a, of a sad trend that we, we've observed. We saw a lot of collaboration and a lot of coordination of activities between cyber criminals, state nexus actors.

So the, the lines are blurring a little bit a consistent rise over the last few years on the hacker for higher actors. So basically these are the people that even if you don't know how to mount a cybersecurity attack, you can actually go to the dark web, but hire somebody to launch a ransomware already. This for you at, at a very, very low cost. This lucrative for the Aries business model is gaining popularity.

The threat actors is for us an integral part of the overall threat assessment because if we don't know how they work and what are the trends in the, in the different ransomware gangs and in the different DDoS groups that are happening, we cannot understand how the threat landscape will evolve. Usually the way they do, they exploit different types of vulnerabilities, but for us, the main reason why we do this analysis, and you will find the detail, the description in in the publicly available report is we try to understand how they think and, and how they act.

What, what are their goals, what do they want to achieve? Perhaps we see a trend that they're targeting a lot of public administrators, administration or they're targeting a lot of the critical sectors like transport and energy. This is essential piece of information for us in order to be able to prioritize, to prioritize different actions and, and you will see that the stated exercise are increasing, indeed increasing their activities.

When it comes to the top threats, the the top, the top threat for 2023 and actually continues the trend from 2022 is that of ransomware followed closely by that of denial of service attacks, denial of service attacks were particularly linked with the war of aggression in Ukraine and were targeted against critical infrastructures in Europe. Here, this is the, the, the, the classification, the clustering that you see here involves only EU related instance, not global ones.

In the report we see also the global ones, so attacks against data rank also high with almost 17% of the different attacks we witnessed and followed by social engineering, malware, information manipulation, web threats and supply chain ones. Just to mention that this is based as I said, on the public level information that we found, but as an have consistently been saying that we need a bit further information.

Also on instance, reported in order to get a better understanding of the threat landscape, this something that we're working on and with the NAS two directive, we hope we get better information when it comes to the affected sectors. Surprisingly or unsurprisingly, one out of five incidents in the EU affected public administration, so public authorities, municipalities, governmental business and so forth.

Then we had the target individual, one out of 10 incidents and manufacturing the same OT technology attacks against OT technologies show an increase this year and healthcare and transport at eight and 7% respectively. You see there though what for me it's a bit quite interesting is that no sector is unaffected. Even space had the 2% number of instance noticed this year, and we see that there are also sectors that are not covered by legislative instruments such as the NIS two directive.

So for example, have retail there and other like marketing services, media and entertainment, 5% of the instance there. These are not covered by the NAS directive, so they don't have any mandatory obligations for baseline security measures.

However, it's important to know that, okay, there is a famous cliche, cybersecurity knows no borders and no sectors, so cross sector instance could take place so they merit further attention when it comes to the impact, the, the, for the majority of the instance, the impact was digital to bring down availability and of the service for, for, for quite a high number of instance, particularly those related to ransomware. Economic financial impact was, was what drove the attackers to, to launch their attacks.

And of course, again, I will mention the, the, the geopolitical environment that plays a role nowadays in the cybersecurity threat landscape, social impact and reputational. Trying to to to show this course and to to, to manipulate, to manipulate the society was a big part of the, of the impact in terms of motivation. The motivation was mainly financial gain, it's face. So I mean people, most of the people do this to, to get money outta this. It's becoming a lucrative business to to be, to be an attacker.

Also disruption ranked high and we're, we're a bit worried about the fact that around 20% of the cases, despite our analysis, we, it's still unknown to us why some SEC cybersecurity attacks took place. The, again, raises the concern for what we have that there is a need for, for better. Why is it not?

Why we, we want to get a bit better information. So some of the key trends of this year's threat landscape is that there is a con as we, as we improve in our defenses, the attackers are also improving their capabilities to, to launch more sophisticated attacks and adapt it to new technologies. We saw a lot of use of artificial intelligence in this year's cybersecurity landscape. For example, AI and LLMs were used to draft very, very convincing phishing emails. So phishing in 20 23, 1 would have thought that this problem has been solved.

Phishing, again, increasing in importance because of, of artificial intelligence. For us, it is important and as I said before, that's why we have a lot of sectors and we need to, to look at the problem holistically, to have coordinated approach and harmonized approaches towards a high common level of cybersecurity. This year we saw more attacks compared to last year. We still lack visibility. That's why for us it's very important what we say to share more information.

It helps not only the victims to, to, to understand the, and to get support from the national authorities, from the national C it helps us reset it, it helps us as well to understand the landscape and prioritize our actions accordingly. But this is what happens in 2023.

For 2030, the picture is slightly different and this started a couple of years ago with a strategic objective to, to conduct strategic foresight exercises to see the future of cybersecurity in Europe. And this we, we could have taken days away and I dunno, try to see the science of the, of the zodiac or do a crystal ball.

Instead, we try to follow a method, methodological approach that of strategic foresight. And together with our, and we built a, an open methodology for cybersecurity ForSight. So monitoring events of today, we try to understand trends that are coming in the, in the next couple of years and from that mega trends that drive different aspects of, of, of, of, of the spectrum In the future we see also the there as input. We have the different technologies that are changing ai, post quantum, other, other disruptive, disruptive technologies.

Of course the threat actors and their motivation in the context. So to do that, last year we conducted one of the biggest cybersecurity foresight exercises in Europe, where with around 500 cybersecurity operational people, operational professionals, and through a series of collaborative workshops, we try to understand the, the, the cybersecurity trends across not only technologies, but also at the political level, economic, financial, social, legal, and even environmental.

And from that with I would try to identify the different threats that we see in the future in order to and prioritize them in terms of their potential impact. In order to come up with the list of, of the top 10 threats for 2030, at the top of this list is supply chain compromise of software dependencies. We still will have seen such attacks already materialized in the past couple of years.

Log four JI will remind, I will remind the audience, of course this is expected to increase in the coming years because the dependencies becoming more and more complex in terms of software and most of the software is component based nowadays. So these trends expect to increase. At the second position we'll have advanced disinformation campaigns with advent of artificial intelligence.

It's very, very easy to make fake videos and fake audios and fake texts. And accordingly the cybersecurity landscape will, will become far more complex with information manipulation. At number three, we see a rise of digital surveillance and exploitation of privacy concerns. At number four, we see human errors and legacy systems, OT in particular as the years pass, the expertise and the technical know-how of how to maintain the systems is going to increase. So we need to make sure that we don't have any human errors for maintaining and patching such legacy systems.

At number five, with smart devices that everybody's carrying on top of us, from our smartphone to our smartwatch, a lot of personal information is collected. This has already started to be manipulated by adversaries. In order to personalize cybersecurity attacks, you get personalized ransomware or phishing attacks that make it more convincing to fall victim to. And number six, we saw, we, we see a potential threat in the future in 2030 related to space, space-based infrastructure and objects, not only satellite, but also communications.

This was ranked of particular high impact because as our stakeholders told us, as these 500 people told us, was that for cybersecurity professionals, this is like a tear of we, we don't really have a very good understanding of how these things work. So it makes it extra difficult to defend and mitigate the potential impact of attacks against space. Infrastructures then, and this you can imagine from the information manipulation being there, have more advanced and high threats. This is already the case. It's going to be more and more complex nowadays.

Even even our cybersecurity threat landscape, we speak about geopolitics, the impact we speak about other stuff that are not typical cyber threats, but it's important to consider. And the, at the, the last 3, 8, 9, and 10 will have the skill shortage. This is already the case. The it's expected with, with the fact that cybersecurity is becoming a, a more horizontal thing for many sectors, for many different topics. You see many different pieces of legislation, more and more cybersecurity professionals will be needed.

So unless action is taken, then we will have a severe shortage of skills and have also number nine, cross border issues. So service providers as cross borders and how you coordinate, how they serve as a single point of failure in potential tax. And last but certainly not least, the abuse of artificial intelligence. This is already the case. We already see attacks, adversarial attacks against machine learning. We see attacks against, against algorithms, but with the, with the expected rise in the last year, we saw a huge rise in artificial intelligence being used.

The fact that how this can be abused from a cybersecurity point of view is something that worries us significantly for the, for the years to come. And with that, try to keep it short so that we have some time for questions. I'd like to thank you so much for your attention and yeah, welcome any questions you might have.