Those of us of a certain age are familiar with these names without clicking on the links, but at the turn of the 21st century, they were major news – part of a series of destructive cyberattacks that surprised an America largely unaware of growing internet security threats.
The attacks, which caused billions of dollars in damage, coincided with a heightened U.S. focus on cybersecurity as a critical element of homeland security after 9-11. Together, they awakened businesses and governments to the need to build up their digital defenses.
The rest is history. Cyberattacks such as ransomware and phishing have become not only disturbing, but pervasive, and the risk they bring in an increasingly connected world now figures prominently in the national conversation.
But that wasn’t the case 20 years ago, and that’s why in 2004, President George W. Bush and Congress designated October as Cybersecurity Awareness Month (CSAM).
Led by the National Cybersecurity Alliance and the Cybersecurity and Infrastructure Security Agency (CISA), CSAM was described as a "dedicated month for the public and private sectors and tribal communities to work together to raise awareness about the importance of cybersecurity."
On the 20th Cybersecurity Awareness Month in 2023, let’s reflect on all that has changed in cybersecurity over the last two decades, as well as the surprising number of things that really haven’t.
Let’s start with three dramatic differences:
- The mobile revolution. The iPhone wasn’t introduced until 2007. Today, there are more than 4.6 billion smartphones worldwide, according to Statista. Add the more than 14.4 billion Internet of Things devices – connected cars, smart appliances, smart city technologies, and intelligent healthcare monitors – and we now have a threat landscape that few could have imagined 20 years ago. Furthermore, working remotely on mobile devices has become more widespread, forcing organizations to examine how they protect their data in a distributed workforce.
- Digital payments. While the growing popularity of digital payments has changed how people interact with money, it has also opened up new opportunities for phishing scams, card information theft, and payment fraud. And cryptocurrency, which didn’t exist until the late 2000s, accounts for the vast majority of payments to ransomware attackers. A U.S. government contractor has estimated that cybercriminals received at least $692 million in cryptocurrency extorted as part of ransomware attacks. And that was in 2020.
- Artificial Intelligence. Today, we’re all talking about AI, but that wasn’t the case two decades ago. Now, AI has given cybercriminals a powerful new tool to execute attacks, while also becoming an excellent tool for defenders.
And yet the more things change, the more they remain the same. Three examples:
- On-premises data. Despite the rise of cloud computing, many companies continue to house critical data in their own private databases and servers. This means protecting on-prem data remains, then as now, an important part of the security equation.
- Public infrastructure. The White House’s “National Strategy to Secure Cyberspace” in 2003 warned that cyberattacks threaten the nation’s critical infrastructure. We still worry a great deal today about how to defend energy systems, dams, and other assets from cyberattack.
- Security infrastructure. The cybersecurity industry used to focus on infrastructure security solutions involving the network, the applications, the endpoints, the cloud, and the logs. It still does. Those solutions remain core to a solid security strategy, though there is growing awareness that newer data security frameworks like zero-trust are needed for fully realized defenses.
Viewed another way, much of the language we hear to describe the importance of data – “crown jewels,” and the like – has changed little over the last 20 years. That’s because it’s still so true. Data is everything. We have to protect it these days across a more complex environment, but early identification and investigation of threats against data and rapid, complete recovery of workloads if a breach occurs remain paramount.
As my lists show, the cybersecurity journey has seen many twists and turns over the last 20 years. The field is so dynamic that I think we still need a Cybersecurity Awareness Month. It’s a good time to take stock of where we’ve been, where we are, and where we still need to go.
Arvind Nithrakashyap, co-founder and CTO, Rubrik