Top 10 cyber security stories of 2021

1. How SolarWinds came through its darkest hour

In December 2020, it emerged that SolarWinds had been the victim of possibly the biggest state-orchestrated cyber attack in history, after a Russia-backed group compromised its Orion platform and used it to target government bodies. The fallout from this attack persisted throughout 2021, and through it all, SolarWinds’ new CEO, Sudhakar Ramakrishna, emerged as a bit of a security hero for his frank and honest response. Later in the year, in his first major UK press interview, he told Computer Weekly all about his experience.

2. US cyber security agencies get $9bn in Biden plan

In January, as Joe Biden prepared for his inauguration amid the fall-out from the damaging SolarWinds attack, the then president-elect earmarked $9bn to shore up the US’ cyber defence capabilities. Biden’s early actions on security issues centred cyber as a key issue for the incoming administration after the Donald Trump years, setting the agenda for much more to come.

3. Half of MS Exchange servers at risk in ProxyShell debacle

In August, Microsoft came under fire after a series of miscommunications resulted in a situation where users failed to patch their Microsoft Exchange servers properly, leaving them exposed to three distinct vulnerabilities. Redmond had patched two of the bugs – which together could be chained to achieve remote code execution on a target system – in April 2021, but did not disclose them or assign them a CVE number, meaning IT security teams missed their significance until much later.

4. Pegasus mobile RAT abused to monitor journalists and activists

In July, questions were asked over the work of Israel-based cyber surveillance specialist NSO Group after the exposure of more than 50,000 phone numbers belonging to activists, journalists and other people deemed “of interest” to some of the world’s most repressive regimes that had allegedly been using its Pegasus remote access trojan (RAT). While NSO Group denies wrongdoing, it has haemorrhaged support and investment, and become the subject of US government sanctions.

5. Privacy experts concerned over NHS data collection plans

At the end of May, security and data privacy experts were quick to warn the public of proposed NHS Digital plans to scrape medical data on 55 million patients in England into a new database. The GPDPR database would have contained swathes of sensitive information, such as data on diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals, recalls and appointments. It was also supposed to have included information on physical, mental and sexual health, data on gender, ethnicity and sexual orientation, and data on staff who had treated patients. The plans were later put back pending changes, but for IT leaders the story highlighted the importance of appropriate data collection, consent, and transparency in service development.

6. Should I be worried about PrintNightmare?

One of 2021’s biggest cyber scares, the so-called PrintNightmare vulnerability emerged over the summer. The remote code execution vulnerability in Windows Print Spooler seemed like a relatively low-impact vulnerability at first, but thanks to an utterly botched disclosure process and a series of unfortunate mistakes, it emerged as a live and potentially dangerous threat, showing that even the security community messes up now and then. PrintNightmare was particularly impactful of course, because of the prevalence of printers across organisational IT estates. Fortunately, it was easily fixed.

7. UK GDPR faces changes under planned reforms

In September, the UK government initiated a major consultation on post-Brexit changes to the UK’s data protection regime, and reforms to the scope of the Information Commissioner’s Office, that, should the proposals come to fruition, will have a deep and lasting impact on organisational data privacy and cyber strategies. The wide-ranging set of proposals supposedly build on the provisions of the General Data Protection Regulation (GDPR) and 2018 Data Protection Act (DPA), and are intended to address a lack of clarity as to how the GDPR is applied and reduce the burden on organisations that are trying to do the right thing. We looked at some of the proposals and explored some concerns.

8. How the UK Cyber Security Council plans to professionalise security

In the spring of 2021, the UK Cyber Security Council, a new government-mandated body for cyber security professionals, officially launched with a remit to seek to broaden representation for the sector, accelerate awareness and promote excellence in the profession through a mix of thought leadership, career tools, education and lobbying government, industry, and academia to develop and promote the UK’s cyber sector. The group’s chair, cyber veteran Claudia Natanson, told us all about her plans.

9. Cyber experts on how to nobble a Nobelium attack

Nobelium, the Russian APT that attacked SolarWinds, has been the subject of much research and analysis during 2021, and towards the end of the year, a renewed surge in activity targeting organisations operating in the IT channel prompted fresh warnings from the community, and security experts shared their insight, and advice for CISOs on how to thwart a Nobelium-style supply chain attack, with Computer Weekly.

10. Travel-themed phishing lures spiked this summer

And finally, with Covid-19 still hanging around like an unwelcome guest, much has been written about the significant impact of the pandemic on cyber security. Conversations about how to secure remote workers are of course mostly played out by now, but there are still other impacts to consider, such as, what happens when things go back to normal?

In September, we reported on Palo Alto Unit 42 research that showed how, with the return of summer holidays abroad in 2021, cyber criminals pivoted to exploiting people’s desires to get away from it all in their campaigns – a timely warning for CISOs that they must always pay attention to what their end-users are clicking on.