2025 Public Sector Perspectives
Today, more than five years since I said “bundle up,” the blizzard has arrived. Let me describe what we are seeing today, and every day, that signals that winter is upon us and the global central bank community:

Sign one: Attacks are simply unabated across sectors

The speed, breadth, damage level, and variability of cyberattacks continue to surprise even the experts. Multinational manufacturing giants can be forced to shut down food production; pharmaceutical giants can have their distribution disrupted; car manufacturers can lose the PII of thousands of employees; software firms can have client data compromised; and banks can have ATMs, mobile banking, and branches compromised. From airlines to biotech, no sector is immune from having large quanta of customer data exposed, reputations damaged, and operations shut down.

Sign two: Geopolitical and the nation state elephant in the room

Recently, I asked a minister of finance of a large country what economic and financial challenges keep him awake at night. The minister replied, “They are all geopolitical.” Remember, this was a finance minister, not a minister of foreign affairs or defense. The minister’s answer captures one of the greatest paradigm shifts of our new cyber world: Everything is geopolitical at the core. Economic, finance, and technology issues can no longer be addressed in a silo.

While the other types of cyber actors aren’t slowing down, the nation state actors are clearly operating in hyperdrive. The full-scale invasion of Ukraine changed things. In fact, Ukraine changed everything. Nancy Pelosi’s trip to Taiwan also changed things. Then Gaza changed things. It put nation state actors in the center of development, climate, technology, capital flows and, of course, in the center of the cyber room.
Nation state actors are well funded; they have access to significant resources and cutting-edge technology; they are not deterred by law enforcement; and they are outsourcing specialized activities to sub actors. We are also seeing nation state actors employ the tactics, techniques, and procedures (TTPs) of hacktivists, known as “faketivism.”

Sign three: From “phishing minnows” to whaling

Attack vectors have evolved from broad-based phishing to targeted “spear-phishing” to now, what is being called “whaling.” The term “whaling” is used to describe when a C-suite or empowered senior corporate executive is methodically and systematically selected and targeted by a combination of electronic and human-assisted phishing campaigns that often leverage GenAI to create complex social engineering schemes. This combination approach is often referred to as an “interactive intrusion technique,” whereby the adversarial machine can be aided by human creativity to boost the success of attack outcomes.

Sign four: Generative AI, perfection and advantage to offense

I remember asking a question to U.S. Cyber Command a few years ago about who wins in an AI world: the offense or the defense. I remember the answer clearly: “We hope that the advantage will be to the defense.” Yet with GenAI in the public domain, that is not what we are seeing. Instead, we see AI perfecting the adversary’s language communication to make it indistinguishable from human capability, in any language. We can no longer rely on the traditional clues to spot a cyberattack, like nonsensical phrases, easy misspellings, or grammatical errors, as we had become accustomed to in the previous era of business email compromise attacks. Although threat actors have not deciphered how to use AI for intrusion operations, they have cracked how to deploy GenAI for various cybercrimes at different stages of attack.
Some examples include developing and improving stealer malware, helping to manage infrastructure, and leveraging open-source information and tools to create highly tailored operational plans for threats like ransomware. Malware developers are even learning to leverage AI to make subtle code changes that evade signature-based detection. Overall, the emergence of AI has provided cybercriminals with powerful tools to carry out attacks with greater efficiency and sophistication. We are in a race between organizations and cybercriminals to see who can adopt AI as quickly and effectively as possible.

Sign five: The cloud as the target of the day

Cloud intrusions are a new focus area for a wide range of adversaries, from nation-state actors to cybercriminals, as more entities adopt cloud solutions, especially for data storage. Cloud servers are the target of the day, with service providers facing cloud tunnel exploitation and cloud software hacking. Attacks on the cloud environment have motivated threat actors to be more persistent, with an increased ability to move laterally and an increased ability to exfiltrate data.

Sign six: Back to identity basics

The threat actor focus on credentials and identity targeting has also surged. Techniques like brute force, credential surfing, targeting of tokens, session cookies, and password spraying are helping cybercriminals to compromise a myriad of credentials at a high attack outcome success rate. SIM swapping has taken identity risk to a new level.

Cyber Winter: Are Central Bankers Ready?