Cyber experts often emphasize that there’s no silver bullet for improving the security of government systems. The problem is not that technology always falls short. Instead, it’s that the cyber threats are so varied and always evolving. Here is a look at the current threat landscape, based on recent cyber-related news and events.
A High-Level View
According to the 2022 (ISC)² Cybersecurity Workforce Study, the global cyber workforce has reached 4.7 million workers, but that still leaves 3.4 million positions unfilled. In the United States, the number of unfilled jobs stands at about 410,000, a 9% increase over 2021. As Fortune points out, these shortages are good news for cyber wages — and bad news for government agencies competing for talent.
Shadow IT — that is, technology that the IT department does not approve or manage — continues to be a bugaboo. In February 2023, for example, the Defense Department’s inspector general found that “DoD personnel are downloading mobile applications to their DoD mobile devices that could pose operational and cybersecurity risks to DoD information and information systems.”
Another persistent problem: Agencies aren’t applying patches to known vulnerabilities. A recent study by Tenable Research found that many organizations were falling victim to attacks that exploited well-known vulnerabilities, including some dating to 2017. In 2021, the Cybersecurity and Infrastructure Security Agency (CISA) debuted a catalog of nearly 300 known, exploited vulnerabilities; that list now stands at around 900.
The federal government has increased efforts to improve the security of the software supply chain. Beginning in September 2023, software vendors must attest that they are using secure development practices identified by the National Institute of Standards and Technology. But recent media reports suggest the deadline might be elusive.
Just the sheer volume of remaining work can be daunting. In a January 2023 report, the U.S. Government Accountability Office notes that its auditors have made 712 recommendations to federal agencies since 2010, 21% of which have not been implemented. “Until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them,” the report states.
Specters of a Cyber War
On Feb. 20, 2022, with the Russian invasion of Ukraine seen as imminent, New York Gov. Kathy Hochul said the state was strengthening its cyber defenses against possible Russian state-sponsored attacks against public institutions and critical infrastructure.
On Feb. 25, the day after Russia invaded Ukraine, Texas Gov. Greg Abbott directed the state’s departments of Information Resources and Public Safety “to use every available resource to safeguard the state’s critical infrastructure and to assist local governments and school districts with their needs.”
Around the same time, CISA issued an advisory warning about an Iranian state-sponsored threat group known as MuddyWater, which was conducting cyber espionage and other malicious cyber operations targeting government and private-sector organizations worldwide. MuddyWater was a subordinate element within the Iranian Ministry of Intelligence and Security, according to CISA.
Meanwhile, in March 2022, cybersecurity firm Mandiant reported that a state-sponsored threat group in China had successfully hacked the defenses of six state governments in the United States during a 13-month stretch. The group exploited a well-known vulnerability called Log4j.
In April 2022, two months after the invasion began, the United States and four other countries issued a joint cybersecurity advisory warning that Russian state-sponsored cyber actors could target critical infrastructure both within and beyond the region. The joint advisory provided links to more information about known threat groups.
This article appeared in our guide, “A New Cyber Game Plan Takes Shape.” To see the rest of “Mapping the Cyber Threat Landscape” and learn more about how to respond to — and head off — the latest threats, download the guide: