Cyber security was once again top of the agenda for IT leaders in 2021, with a barrage of news and analysis making it hard to separate the wheat from the chaff and the genuine insight from the self-promotional nonsense. If IT buyers struggled to make sense of it all, imagine how reporters felt.
That said, there were some stand-out security stories in the past 12 months that were indubitably worthy of attention. We learned new lessons from SolarWinds’ experience at the hands of Russian spooks, followed the news from the US as the new president Joe Biden stood up to cyber criminals, looked in-depth at impactful vulnerability disclosures, worried over our privacy and shook our heads over the NSO Group spyware revelations. In that spirit, here are Computer Weekly’s top 10 cyber security stories of 2021:
In December 2020, it emerged that SolarWinds had been the victim of possibly the biggest state-orchestrated cyber attack in history, after a Russia-backed group compromised its Orion platform and used it to target government bodies. The fallout from this attack persisted throughout 2021, and through it all, SolarWinds’ new CEO, Sudhakar Ramakrishna, emerged as a bit of a security hero for his frank and honest response. Later in the year, in his first major UK press interview, he told Computer Weekly all about his experience.
In January, as Joe Biden prepared for his inauguration amid the fallout from the damaging SolarWinds attack, the then president-elect earmarked $9bn to shore up the US’s cyber defence capabilities. Biden’s early actions on security issues established cyber as a key priority for the incoming administration after the Donald Trump years, setting the agenda for much more to come.
In August, Microsoft came under fire after a series of miscommunications resulted in a situation where users failed to patch their Microsoft Exchange servers properly, leaving them exposed to three distinct vulnerabilities. Redmond had patched two of the bugs – which together could be chained to achieve remote code execution on a target system – in April 2021, but did not disclose them or assign them a CVE number, meaning IT security teams missed their significance until much later.
In July, questions were asked over the work of Israel-based cyber surveillance specialist NSO Group after the exposure of more than 50,000 phone numbers belonging to activists, journalists and other people deemed “of interest” to some of the world’s most repressive regimes that had allegedly been using its Pegasus remote access trojan (RAT). While NSO Group denies wrongdoing, it has haemorrhaged support and investment, and become the subject of US government sanctions.
At the end of May, security and data privacy experts were quick to warn the public of proposed NHS Digital plans to scrape medical data on 55 million patients in England into a new database. The GPDPR database would have contained swathes of sensitive information, such as data on diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals, recalls and appointments. It was also supposed to have included information on physical, mental and sexual health, data on gender, ethnicity and sexual orientation, and data on staff who had treated patients. The plans were later put back pending changes, but for IT leaders the story highlighted the importance of appropriate data collection, consent, and transparency in service development.
One of 2021’s biggest cyber scares, the so-called PrintNightmare vulnerability emerged over the summer. The remote code execution flaw in the Windows Print Spooler service seemed relatively low-impact at first, but thanks to an utterly botched disclosure process and a series of unfortunate mistakes, it emerged as a live and potentially dangerous threat, showing that even the security community messes up now and then. PrintNightmare was particularly impactful, of course, because of the prevalence of printers across organisational IT estates. Fortunately, it was easily fixed.
In September, the UK government initiated a major consultation on post-Brexit changes to the UK’s data protection regime, and reforms to the scope of the Information Commissioner’s Office, that, should the proposals come to fruition, will have a deep and lasting impact on organisational data privacy and cyber strategies. The wide-ranging set of proposals supposedly build on the provisions of the General Data Protection Regulation (GDPR) and 2018 Data Protection Act (DPA), and are intended to address a lack of clarity as to how the GDPR is applied and reduce the burden on organisations that are trying to do the right thing. We looked at some of the proposals and explored some concerns.
In the spring of 2021, the UK Cyber Security Council, a new government-mandated body for cyber security professionals, officially launched with a remit to broaden representation for the sector, accelerate awareness and promote excellence in the profession. It aims to do so through a mix of thought leadership, career tools, education and lobbying of government, industry and academia to develop and promote the UK’s cyber sector. The group’s chair, cyber veteran Claudia Natanson, told us all about her plans.
Nobelium, the Russian APT that attacked SolarWinds, was the subject of much research and analysis during 2021. Towards the end of the year, a renewed surge in activity targeting organisations operating in the IT channel prompted fresh warnings from the community, and security experts shared with Computer Weekly their insight and advice for CISOs on how to thwart a Nobelium-style supply chain attack.
And finally, with Covid-19 still hanging around like an unwelcome guest, much has been written about the significant impact of the pandemic on cyber security. Conversations about how to secure remote workers are of course mostly played out by now, but there are still other impacts to consider, such as what happens when things go back to normal.
In September, we reported on Palo Alto Unit 42 research that showed how, with the return of summer holidays abroad in 2021, cyber criminals pivoted to exploiting people’s desires to get away from it all in their campaigns – a timely warning for CISOs that they must always pay attention to what their end-users are clicking on.