ENISA reports that skills shortage and unpatched systems are among top cyber threats for 2030

The European Union Agency for Cybersecurity (ENISA) published this week an executive summary of the second iteration of this year’s ‘Foresight Cybersecurity Threats for 2030’ presenting an overview of key findings in the top 10 ranking. The study reassesses the previously identified top ten threats and respective trends whilst exploring the developments over a year.

The comprehensive study offers a thorough analysis of emerging cybersecurity threats anticipated for the year 2030. Aligned with ENISA’s mission to provide expertise on future cybersecurity challenges, the report serves as a valuable tool for gaining a comprehensive understanding of the evolving threat landscape. The involvement of experts and stakeholders enhances the study’s value, enabling informed actions and enhancing preparedness. This initiative contributes to the ongoing development of robust cybersecurity frameworks and adaptable best practices.

The top ten list includes a revised line-up of the emerging cybersecurity threats expected to have an impact by 2030, including supply chain compromise of software dependencies; skill shortage; human error and exploited legacy systems within cyber-physical ecosystems; the rise of digital surveillance authoritarianism/loss of privacy; cross-border ICT service providers as a single point of failure; advanced disinformation/influence operations (IO) campaigns; rise of advanced hybrid threats; and abuse of AI.

Two new emerging cybersecurity threats were added to the list. These include the exploitation of unpatched and out-of-date systems within the overwhelmed cross-sector tech ecosystem; and the physical impact of natural/environmental disruptions on critical digital infrastructure. These reflect a heightened awareness of the vulnerabilities associated with outdated systems and the potential physical impact of environmental disruptions on digital infrastructure.

Lack of analysis and control of space-based infrastructure and objects and targeted attacks enhanced by smart device data were excluded from the top 10 threats. This suggests a reassessment of their immediate impact compared to other emerging threats.

Despite a slight decline compared to past years’ results in the overall score of impact and likelihood, ‘Supply Chain Compromise of Software Dependencies’ remains the highest-ranking threat. This is considered an after-effect of the expanding integration of third-party suppliers and partners in the supply chain, leading to new vulnerabilities and opportunities for attacks. ‘Cross-border ICT Service Providers as a Single Point of Failure’ threats have moved up significantly due to growing concerns about the increasing ICT interconnectedness in critical infrastructure between Member States.

It is also notable that ‘skill shortage’ threats have moved up the ranking significantly, from the end of the list to second place. While efforts have focused on addressing the skills shortage, organizational willingness to develop talent and bridge the educational gap remains a concern in cybersecurity. This appears to be closely connected to threats related to unpatched systems, as it interferes with the familiarization of staff with the multitude of tools at hand to update unpatched services that are vulnerable to exploitation.

Other key takeaways of the threats review are the addition of the ‘Exploitation of Unpatched and Out-of-date Systems within the Overwhelmed Cross-sector Tech Ecosystem’ and the ‘Physical Impact of Natural/Environmental Disruptions on Critical Digital Infrastructure’, as a result of a shift in perceived impact and likelihood score.

Likewise, the rise of the ‘Abuse of AI’ threat can be considered an expected outcome of the widespread emergence of AI models in our lives and the relevant concerns regarding the growing reliance on AI. This led to the exclusion of the ‘Lack of Analysis and Control of Space-based Infrastructure and Objects’, and ‘Targeted Attacks (e.g. Ransomware) Enhanced by Smart Device Data’ threats from the top ten list.

“Persistent observation and assessment of the current threats and trends is key to achieve a higher level of cybersecurity,” Juhan Lepassaar, executive director at the EU Agency for Cybersecurity, highlighted in a media statement. “In this way, we better withstand today’s challenges and enhance our mitigation plans for the years to come.”

The summary identified that the trend of the increased political power of non-state actors is characterized by the anticipation that global interconnectedness will accelerate, fostering interactions among non-state actors at a pace that may surpass the regulatory capacity of nation-states. This acceleration is expected to result in a diminishing influence of traditional nation-states, particularly in their ability to control and regulate these evolving forms of interactions. 

While the trend points towards an increase in the political power of non-state actors, there are nuanced perspectives. Positive elements include state initiatives to assert control, and cyber diplomacy is seen as a mitigating force against potential adverse consequences. The evolving landscape emphasizes the need for diplomatic and regulatory strategies to address the challenges of increased non-state actor influence. 

Additionally, the trend of collecting and analyzing data to assess user behavior is experiencing a significant increase, particularly in the private sector. This trend involves leveraging data for automated decision-making processes, primarily focused on improving customer targeting and reducing operational costs. The increasing digitalization of various aspects of life and advancements in AI algorithms contribute to the growth of this trend. While this trend presents significant opportunities, experts highlight the importance of addressing inherent challenges. 

While the trend of decision-making relying on automated data analysis holds significant potential, experts emphasize the need to address associated pitfalls. These include concerns about data quality, the changing dynamics of decision-making, the balance between quantifiable metrics and optimal decisions, and the potential lack of accountability in the face of suboptimal outcomes.

It also added that while the increasing number of satellites opens up new possibilities for technology and exploration, it also brings challenges and concerns. These include the need for regulatory frameworks, addressing space traffic and ecological impacts, coordinating satellite operations, and enhancing cybersecurity measures to safeguard satellite infrastructure.

The trend of controlling personal data reflects a multifaceted landscape influenced by various factors such as technological advancements, societal priorities, regulatory frameworks, and individual awareness. Addressing the challenges and complexities regarding data control requires a nuanced approach that considers the evolving nature of the digital ecosystem.

The trend of increasing energy consumption in digital infrastructure reflects a balance between technological advancements, efforts towards energy efficiency, regulatory landscapes, and uncertainties about future breakthroughs. The dynamic nature of this trend necessitates ongoing monitoring and adaptability to address emerging challenges and opportunities.

Lastly, the experts involved in the scenario analysis of the ENISA Foresight Cybersecurity Threats for 2030 have articulated the need for a more nuanced exploration of technological advancements. Their concerns revolve around key thematic areas, emphasizing the importance of addressing trust, privacy, technology misuse, and environmental impacts. 

Additionally, they call for specific scenarios addressing water and raw-materials scarcity leading to the collapse of hardware value chains, ethical dilemmas in data-driven decision-making, decentralization in energy generation, and the role of space technologies in dependencies and vulnerabilities.

ENISA played a key role last year in addressing cybersecurity challenges within the critical infrastructure sector, as the agency emphasized implementing robust cybersecurity measures. Jurgita Skritaite, a cybersecurity expert at ENISA, pointed out to Industrial Cyber in January how the NIS directive has increased the overall level of cybersecurity maturity of critical infrastructure companies. She also addressed the efforts that have been undertaken by critical infrastructure companies to adhere to existing regulations and their preparations for upcoming directives.
