Month: January 2022

Cyberthreats and the growing space race are emerging risks to the global economy, adding to existing challenges posed by climate change and the coronavirus pandemic, the World Economic Forum said in a report Tuesday.  

The Global Risks Report is usually released ahead of the annual elite winter gathering of CEOs and world leaders in the Swiss ski resort of Davos, but the event has been postponed for a second year in a row because of COVID-19. The World Economic Forum still plans some virtual sessions next week. 

Here’s a rundown of the report, which is based on a survey of about 1,000 experts and leaders:  

World outlook 

As 2022 begins, the pandemic and its economic and societal impacts still pose a “critical threat” to the world, the report said. Big differences between rich and poor nations’ access to vaccines mean their economies are recovering at uneven rates, which could widen social divisions and heighten geopolitical tensions. 

By 2024, the global economy is forecast to be 2.3% smaller than it would have been without the pandemic. But that masks the different rates of growth between developing nations, whose economies are forecast to be 5.5% smaller than before the pandemic, and rich countries, which are expected to expand 0.9%.  

Digital dangers 

The pandemic forced a huge shift — requiring many people to work or attend class from home and giving rise to an exploding number of online platforms and devices to aid a transformation that has dramatically increased security risks, the report said.  

“We’re at the point now where cyberthreats are growing faster than our ability to effectively prevent and manage them,” said Carolina Klint, a risk management leader at Marsh, whose parent company Marsh McLennan co-authored the report with Zurich Insurance Group and SK Group.  

Cyberattacks are becoming more aggressive and widespread, as criminals use tougher tactics to go after more vulnerable targets, the report said. Malware and ransomware attacks have boomed, while the rise of cryptocurrencies makes it easy for online criminals to hide payments they have collected.  

While those responding to the survey cited cybersecurity threats as a short- and medium-term risk, Klint said the report’s authors were concerned that the issue wasn’t ranked higher, suggesting it’s a “blind spot” for companies and governments. 

Space race 

Space is the final frontier — for risk.  

Falling costs for launch technology has led to a new space race between companies and governments. Last year, Amazon founder Jeff Bezos’ space tourism venture Blue Origin and Virgin Galactic’s Richard Branson took off, while Elon Musk’s Space X business made big gains in launching astronauts and satellites.  

Meanwhile, a host of countries are beefing up their space programs as they chase geopolitical and military power or scientific and commercial gains, the report said.  

But all these programs raise the risk of friction in orbit.  

“Increased exploitation of these orbits carries the risk of congestion, an increase in debris and the possibility of collisions in a realm with few governance structures to mitigate new threats,” the report said.  

Space exploitation is one of the areas that respondents thought had among the least amount of international collaboration to deal with the challenges.  

Experts and leaders responding to the survey “don’t believe that much is being done in the best possible way moving forward,” World Economic Forum’s managing director, Saadia Zahidi, said at a virtual press briefing from Geneva.  

Other areas include artificial intelligence, cyberattacks and migration and refugees, she said.  

Climate crisis  

The environment remains the biggest long-term worry.  

The planet’s health over the next decade is the dominant concern, according to survey respondents, who cited failure to act on climate change, extreme weather, and loss of biodiversity as the top three risks.  

The report noted that different countries are taking different approaches, with some moving faster to adopt a zero-carbon model than others. Both approaches come with downsides. While moving slowly could radicalize more people who think the government isn’t acting urgently, a faster shift away from carbon intense industries could spark economic turmoil and throw millions out of work.  

“Adopting hasty environmental policies could also have unintended consequences for nature,” the report added. “There are still many unknown risks from deploying untested biotechnical and geoengineering technologies.” 
…

U.S. cybersecurity officials are still sounding an alarm about the so-called Log4j software vulnerability more than a month after it was first discovered, warning some criminals and nation state adversaries may be waiting to make use of their newfound access to critical systems.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said Monday that the vulnerability, also known as Log4shell, has been subject to widespread exploitation by criminals over the past several weeks, but that more serious and damaging attacking could still be in the works.

“We do expect Log4Shell to be used in intrusions well into the future,” CISA Director Jen Easterly told reporters during a phone briefing, adding, “at this time we have not seen the use of Log4shell resulting in significant intrusions.”

“This may be the case because sophisticated adversaries have already used this vulnerability to exploit targets and are just waiting to leverage their new access until network defenders are on a lower alert,” she said.

The vulnerability in the open-source software produced by the U.S.-based Apache Software Foundation, was first discovered in late November by the Chinese tech giant Alibaba. The first warnings to the public went out in early December. 

Cybersecurity officials and experts initially described the flaw in the software as perhaps the worst vulnerability ever discovered, noting the software’s widespread use – in at least 2,800 products used by both private companies and governments around the world.

CISA on Monday said the vulnerability has impacted hundreds of millions of devices around the world, with many software vendors racing to issue security patches to their customers.

So far, U.S. agencies appear to be unscathed.

“We, at this point, are not seeing any confirmed compromises of federal agencies across the broader country, including critical infrastructure,” CISA Executive Assistant Director for Cybersecurity Eric Goldstein told reporters.

But he cautioned the danger has not yet passed despite the lack of destructive attacks by sophisticated hacking groups and foreign adversaries.

“It is certainly possible that that may change, that adversaries may be utilizing this vulnerability to gain persistent access that they could use in the future, which is why we are so focused on remediating the vulnerability across the country and ensuring that we are detecting any intrusions if and when they arise,” he said.

Yet there are reports that other countries have already been targeted by cyber actors seeking to exploit the software vulnerability.

Belgium’s Ministry of Defense said last month that some of its computer systems went down last month following an attack, in which the Log4j vulnerability was believed to be exploited.

And some security experts warn other countries, including China, Iran, North Korea and Turkey, have sought to exploit Log4j.

“This activity ranges from experimentation during development, integration of the vulnerabilities to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives,” Microsoft’s Threat Intelligence Center wrote in a blog post last week.

In particular, Microsoft said the Iran cyber threat actor known as Phosphorus, known for launching ransomware attacks, has already modified the Log4j vulnerability for use in attacks, while the Chinese group known as Hafnium has also used it for some targeting activities.

The private cybersecurity firm CrowdStrike separately assessed that a Chinese-based group called Aquatic Panda sought to use the Log4j vulnerability to target an unnamed academic institution.

CISA on Monday said it could not independently confirm such reports, and further said it had yet to discover any ransomware attacks in which the attackers used the Log4j vulnerability to penetrate the victim’s systems.

CISA’s director said one reason could be that “there may be a lag between when this vulnerability is being used and when it is being actively deployed.”

Easterly also warned about information that U.S. officials are unable to see due to the failure of Congress to pass legislation that would require private companies to report cyberattacks – something the White House and many lawmakers have been advocating for some time.

“We are concerned that threat actors are going to start taking advantage of this vulnerability and having impacts in particular on critical infrastructure, and because there is no legislation in place, we will likely not know about it,” she said. 
…