International Cybersecurity Thermometer ticks one degree higher in 2024

Global cyber conflict is “superheated”

Last year, the Cybersecurity Tech Accord launched the “State of International Cybersecurity Thermometer,” an annual measure of how conflict online has escalated or deescalated. Following Russia’s widespread use of cyber operations in its invasion of Ukraine, we asserted in 2023 that the world had reached a metaphorical “boiling point” of cyber warfare and placed the first Thermometer reading at 100 degrees. In 2024, our coalition of cybersecurity professionals from across the tech industry assess that peace and security online has continued to deteriorate, despite some meaningful progress, on balance inching the International Cybersecurity Thermometer one degree higher, to 101 degrees.

This determination reflects an urgent situation and is due largely to the geopolitical tensions and conflict online that has continued to escalate in the past year. Overall, the sophistication and impact of nation state cyberattacks has increased without regard for international rules and norms. Nevertheless, there have also been encouraging developments in the past year worth noting, including technological advancements and evolutions in the international system that have helped improve security and give cause for hope looking forward. Advances in AI in particular are yielding some immediate security benefits for defenders. Meanwhile, governments and international institutions are increasingly working together to strengthen deterrence and promote responsible behavior online. We hope that these positive developments will continue and begin to have a meaningful impact on the state of conflict online in the next year.

The State of International Cybersecurity Thermometer aims to provide a clear and objective assessment of the current cyber landscape. It seeks to identify key trends and developments over the past year and outlines measures necessary to enhance stability and security in the digital realm moving forward. As with last year’s evaluation, the major developments considered in making our determination are spread across three categories: i) Diplomatic and institutional developments, ii) the scale and nature of conflict online, and iii) technological developments. Each of the major developments included in this year’s evaluation are detailed below, with an indication as to whether they have had a positive, negative, or neutral overall impact on the security landscape.

WHAT THE READING REFLECTS:

100° AND ABOVE: CYBER WARFARE

This “gaseous” state reflects chaotic and dangerous conditions past a boiling point. This suggests the use of cyber operations in the context of an armed conflict that has harmed and/or targeted civilians.

Ex:

  • Use of cyber operations in war in violation of international norms and/or law
  • Ineffective deterrence

0° – 99°: CYBER CONFLICT

This “liquid” state reflects a degree of cyber conflict short of warfare. It is characterized by a lack of clarity around international expectations online and/or an inability to uphold such expectations.

Ex:

  • Reckless cyber activity by nation states
  • Regularized abuses by nonstate actors
  • limited progress in diplomatic forums

LESS THAN 0°: CYBER STABILITY

This “solid” state reflects stability in international cybersecurity. It requires the existence of a clear rules-based order online with a robust international system to uphold such expectations.

Ex:

  • Scarcity of state sponsored cyber operations that violate international norms
  • Limited threats posed by other actors

Major indicators and developments in past year driving this evaluation:

Diplomatic and institutional developments

  • Limited progress and counterproductive developments at the United Nations (UN) (negative)

As the international organization responsible for maintaining global peace and security, member states of the UN in the past year have once again made limited progress towards a more secure online world as cyber conflict has continued to escalate. The UN working group tasked with setting and upholding expectations for responsible state behavior online failed to recognize any new norms or to support implementation of existing ones, and has been unable to facilitate regularized, meaningful multistakeholder inclusion. Meanwhile, separate negotiations of a UN cybercrime convention have raised significant concerns from industry and civil society around protections for human rights and the important work of security researchers.

  • Multistakeholder commitments on cyber mercenaries (positive)

After years of rapid growth in an uncontrolled market, governments – led by France, the UK and the US – are finally taking further steps to curb the market for cyber mercenaries. These groups make and sell offensive cyber tools, largely to government customers, in a business model that undermines the security of peaceful technology and discourages the responsible disclosure of vulnerabilities. New commitments by governments to place limits on these companies, and the launch of the multistakeholder Pall Mall Process, highlight important first steps on a promising path forward.

  • International Criminal Court to address cyber-enabled war crimes (positive)

Last fall, the Prosecutor of the International Criminal Court (ICC) announced that his office would expand its jurisdiction to include investigations of cyber-enabled war crimes. This initiative aligns with the evolving nature of modern warfare, where cyber operations increasingly play a pivotal role and can put civilians at serious risk. the Prosecutor’s office has subsequently hosted gatherings to develop this policy further. Such proactive measures by international justice bodies are needed to ensure they are able to meet their mandate and enforce international obligations online.

  • Targeted and collective cyber sanctions (positive)

This year marked a significant advancement with the initiation of the first trilateral cyber sanctions. In a coordinated effort, Australia, the UK, and the US imposed sanctions on a Russian threat actor responsible for a 2022 ransomware attack against an Australian healthcare insurer. This joint action underscores the importance of international collaboration in combating cyber threats and sets a precedent for future cooperative sanctions. The commitment of countries to stand together with their partners underscores the importance of collective responses in maintaining cybersecurity and deterrence.

  • NATO Cyber Defense Pledge (positive)

Especially amid the widespread use of cyber operations in Russia’s invasion of Ukraine, it is encouraging to see the NATO alliance enhance its cooperation on cyber defense. At the NATO Summit last summer, allied nations announced a new vision for how cyber defense will contribute to NATO’s overall deterrence and defense posture, in the face of rising threats. This includes commitments to strengthen national cyber defenses as a priority.

  • The EU Cyber Resilience Act (CRA) (neutral)

The CRA is a landmark piece of legislation to be finalized in the second half of 2024 in the European Union (EU) establishing significant cybersecurity requirements for manufacturers of products with digital elements throughout their product lifecycle. Like the General Data Protection Regulation (GDPR) in 2018, compliance with the CRA will set a de facto minimum standard for companies operating across regions. While much of the CRA’s contents will certainly improve cybersecurity, there remain concerns that the required reporting of unpatched vulnerabilities could increase cyber risk. Ultimately the impact of the CRA will depend on how it is implemented in the months ahead.

Scale and nature of conflict online

  • Evolution of cyber operations in warfare (Ukraine and beyond) (negative)

The unrestrained use of cyber operations in an armed conflict by Russia in Ukraine continued throughout the second year of the war and is once again the leading reason why we have determined the state of international cybersecurity to be past a proverbial “boiling point.” The cyber operations aligned with kinetic strikes that targeted Ukrainian agriculture last summer is just one example of how these attacks can cause widespread and indiscriminate harm. Moreover, given escalating tensions in other regions, there are increasing concerns about the imminent use of cyber operations in other geopolitical conflicts that have been escalating as well.

  • Trends in nation state activity (negative)

The overall volume of nation state threat activity has persisted over the past year at roughly the same level, according to data maintained by the Center for Strategic and International Studies (CSIS) tracking the number of significant cyber incidents each year. However, while the total number of nation state cyberattacks remained consistent, the attacks themselves demonstrated a growing willingness to target critical infrastructure and increasing sophistication. The last year saw notable attacks against civilian water utilities, elections infrastructure, and energy systems, all in apparent violation of established international norms. And state-sponsored cyber operations are increasingly using living-off-the-land techniques to maintain access to systems over a longer period of time, effectively pre-positioning for potentially more damaging attacks in the future.

  • Development of cybersecurity in the financial and insurance markets (neutral)

Financial and insurance markets are also responding to the risks posed by escalating cyber conflict. Last summer, the Securities and Exchange Commission (SEC) adopted new transparency and disclosure rules to better inform investors. New legislation is also aimed at improving resilience in the financial sector, such as DORA in Europe (also impacting the IT sector), which entered into force in 2023. The cyber risk insurance market is also growing alongside threats – this includes expanded insurance coverage and growing insurance premiums (IMF – Chap3), with a widening gap in the inclusion of SMEs in cyber protection and increased reliance on cyber rating agencies, which are growing in number  though they remain unregulated and not subject to transparency measures. It is too early to tell what ultimate impact these changes will have on the overall security landscape.

Technological developments

  • Artificial Intelligence (AI) adoption to augment security/amplify attacks (positive)

New AI models are increasingly being integrated into security architecture in ways that are giving advantages to defenders working to identify and mitigate malicious code in a vast sea of data. This includes leveraging AI to discover of the most advanced threats and attacks that pose a national security risk. As with any new and consequential technology, there are malicious uses of AI as well, perhaps most notably to improve social engineering for phishing attacks. However, early research suggests that AI is currently doing far more to improve security than undermine it.

  • Increasingly sophisticated ransomware attacks (negative)

While the overall number of ransomware attacks in the past year not increased, there has been a marked rise in the number of human-operated ransomware attacks and in the sophistication of the campaigns themselves. Attackers are using complicated methods of evading detection and appear to be conducting more narrowly tailored hands-on-keyboard attacks and, unfortunately, finding more success in the process.