Cyber Experts Talk Attack Trends, Meeting the Threats

During the California Cybersecurity Education Summit last week, cyber experts from the FBI, California Highway Patrol, Governor's Office of Emergency Services and industry talked through the cyber threat space and how organizations should adapt.

Cybersecurity officials from federal and state agencies and industry shared the trends they are seeing in the threat space during the California Cybersecurity Education Summit* last Thursday.

The discussion, led by California Highway Patrol CIO Josh Ehlers, included input from FBI Assistant Special Agent in Charge Nate Le, California Cybersecurity Integration Center (Cal-CSIC) CTI Branch Manager Maria Lipana, and Halcyon Research Director Anthony Freed.

Asked about the general themes repeating in the cyber threat space, Le said many nation-states and their affiliates have adopted an asymmetrical attack strategy, where they can cause damage without having to match U.S. military might.

These attacks can take many forms — especially as the technology needed to launch them becomes more accessible and easier to use — and increasingly target the kinds of critical infrastructure found in less sophisticated, unhardened organizations. Le noted that attacking sectors such as water, power or health care can have a big impact without a large investment.

“There's just a lot of pain that's involved. What does pain equal? Money, right?” Freed said. “And it increases the incentive for these victims to pay and pay big and pay fast.”

Successful attacks against this sort of infrastructure are not uncommon. Lipana said that there have been 239 incidents impacting critical services in California since January 2024, with 411 reported at the national level. She noted that underreporting is common in this area.

As with many crimes, cyber attacks are driven by a number of motivations. Some state actors, such as China and Russia, could be focused on undermining U.S.-based infrastructure, while others, such as North Korea, are focused more on funding their own military through ransom payouts, panelists said.

Just as troubling as the attacks themselves is the fact that successful tactics are often shared between bad actors, whether they are nation-backed or freelancers.

For cyber criminals operating in their own interests, the landscape has evolved from highly skilled, lone attackers to an illicit industry complete with teams of developers, HR departments and even customer service, said Halcyon’s Freed.

“What's scary about this is that we are just at the beginning of this arc, right? They're just starting to get organized and scale,” said Freed. “This has become basically like a disruptive industry. It's organized like a SaaS company.”

When the panelists were asked about the proactive and reactive steps that can be taken to better secure their networks, Le likened cybersecurity to the parable of the blind men describing an elephant based only on the part they touched.

“None of us sees the entire animal unless all of us tell others what we see,” he said.

Lipana said Cal-CSIC has several resources available to partners, including the Indicators of Compromise Exchange, which shares alerts about incoming threats in real-time, and Security Operations Center as a Service.

Freed added that planning and preparation are critical for any organization, especially as it relates to final authority on post-incident decision-making. Oftentimes, he said, Halcyon will respond to an incident only to have the victim stumble over who is able to make time-sensitive decisions.

“Time is of the essence,” he said. “You need to respond to these things fast, and everybody needs to know exactly what they need to do at every stage of the incident response, and the recovery is super important.”

Halcyon is currently building the Ransomware Research Center for this very reason. That center will leverage partnerships from across law enforcement and cybersecurity to consolidate intelligence for end users.

“Everybody who is concerned about this problem has intelligence or needs to adjust the intelligence and make it easier, because right now, there's no single source where you can get all the information,” Freed said.

As far as hardening networks is concerned, the panel said knowing the stack is half of the battle. Le compared it to a home with a safe, where valuable items are insulated from immediate intrusion.

“My advice would be to know your tech stack, and be intentional about what it is you're trying to protect,” Le said.

*The California Cybersecurity Education Summit is hosted by Government Technology, Industry Insider — California's sister publication.

Eyragon is the Managing Editor for Industry Insider — California. He previously served as the Daily News Editor for Government Technology. He lives in Sacramento, Calif.