A new report by the Bipartisan Policy Center (BPC) finds that the nation’s top cyber risks for 2023 range from a patchwork of conflicting cybersecurity regulations to a shortage of trained cyber professionals.
The Washington-based think tank’s report identified America’s eight “top macro risks” in cybersecurity, and framed them “for the strategic audience of business and government decision-makers.”
BPC determined that this year’s top cybersecurity risks also include an evolving geopolitical environment; the accelerating cyber arms race; global economic uncertainty; insufficient corporate governance; lack of investment, preparation, and resilience; and vulnerable infrastructure.
“We intentionally focused on identifying risks, not solutions, because various stakeholders may need to take different approaches. There are no one-size-fits-all fixes,” the Feb. 12 report says.
“Rather, these top risks must be considered individually by companies and collectively by the nation,” BPC said. “Many will require a multifaceted response, across business and government, who will need to work various levers including policy, organizational culture, technology, and processes.”
The BPC report draws on the expertise of a working group made up of state government officials, former Federal government leaders, and representatives from civil society groups and corporate giants to ensure “every sector with a stake in cybersecurity was included.”
Increasing international conflict and a broader trend toward nationalism together make up one top macro risk to cybersecurity in 2023, the report says.
Russia’s war in Ukraine is the biggest factor, with the potential for cyberattacks to spill out of the borders of that conflict. But conflicts between China and Western nations, as well as conflict in the Middle East, are other drivers of risk. The report named cyberattacks on critical infrastructure and misinformation campaigns as some of the key risk factors in the evolving geopolitical environment.
The ever-evolving cyber landscape and advances in technology require defense against old and new attacks in an ongoing arms race, the BPC stated.
“Advances in artificial intelligence simultaneously offer great opportunity and danger, the democratization of advanced attack techniques, and unprecedented automation/scalability,” the report says.
The report’s authors worry that global economic headwinds could lead investors to avoid putting money into cybersecurity startups in 2023, and as a result the nation could be less able to keep pace with necessary innovations.
The center also found that overlapping, conflicting, and subjective cybersecurity regulations are a major risk to cyberspace in 2023.
“As governments and regulators aim to mitigate cyber risks, they might apply a generalized approach that misses key vulnerabilities in some sectors and creates burdensome compliance costs in others,” the report says.
Large private sector firms have made “modest headway” toward adding cyber expertise to senior leadership, but too many still haven’t, the BPC concluded. Small- and medium-sized businesses have a particular lack of expertise, which represents a major risk to the cybersecurity landscape in 2023.
Both the public and private sectors have insufficiently prepared for, or invested in resilience against, a significant cybersecurity disaster – like ransomware – creating a major vulnerability that continues into 2023, the report says.
The BPC lists vulnerable infrastructure as a top cyber risk in 2023 because these systems rely heavily on state and local agencies and third- and fourth-party vendors that may lack necessary cybersecurity controls.
The report highlights talent scarcity as its final top macro risk for this year. Without the right security talent, organizations’ cybersecurity posture will decline, the BPC said.
The center also pointed out other smaller but notable risks like ineffective information sharing and cryptocurrency, among 17 others.
However, the think tank stopped short of making recommendations to address all the risks it laid out.
“It doesn’t prescribe solutions, but a core part I found is a lot of people just don’t even know what the risks are,” Christopher Painter, a former State Department cybersecurity official and a contributor to the report, said today during a panel discussion promoting BPC’s report. “This calls out certain things in plain English that they can understand, and that’s helpful.”
“The report’s written in such a way that you don’t need to be a coder to understand it, and that’s deliberate. People in Congress can look at this,” Painter continued, “and it can help them inform their decisions.”
“It has multiple audiences and it’s valuable because it’s written at a more understandable level,” he said.
“What I hope this report does is create a vision for 2023 that is at the level that can translate across the sectors that we have,” Tom Romanoff, Director of the Technology Project at BPC, and co-author of the report, said during the panel. “We worked very hard not to have solutions put into the report, and that was done intentionally.”
“As long as you maintain the vision and are able to communicate it across different stakeholder groups, that’s what’s important,” Romanoff said.