Cybersecurity Risks

The National Institute of Standards and Technology (NIST) has released a draft of its “Cybersecurity Framework Profile for Artificial Intelligence” (open for public comment until Jan 30, 2026) to help organizations think about how to strategically adopt AI while addressing emerging cybersecurity risks that stem from AI’s rapid advance. Building on the #NIST Cybersecurity Framework 2.0, the Cyber AI Profile translates well-established risk management concepts into AI-specific cybersecurity considerations, offering a practical reference point as organizations integrate AI into critical systems and confront AI-enabled threats. The Cyber AI Profile centers on three focus areas: • Securing AI systems: identifying cybersecurity challenges when integrating AI into organizational ecosystems and infrastructure. • Conducting AI-enabled cyber defense: identifying opportunities to use AI to enhance cybersecurity, and understanding challenges when leveraging AI to support defensive operations. • Thwarting AI-enabled cyberattacks: building resilience to protect against new AI-enabled threats. The Profile complements existing NIST frameworks (CSF, AI RMF, RMF) by prioritizing AI-specific cybersecurity outcomes rather than creating a standalone regime.

Three weeks ago, our Devsinc security architect, walked into my office with a chilling demonstration. Using quantum simulation software, she showed how RSA-2048 encryption – the same standard protecting billions of transactions daily – could theoretically be cracked in just 24 hours by a sufficiently powerful quantum computer. What took her classical computer billions of years to attempt, quantum algorithms could solve before tomorrow's sunrise. That moment crystallized a truth I've been grappling with: we're not just approaching a technological evolution; we're racing toward a cryptographic apocalypse. The quantum computing market tells a story of inevitable disruption, surging from $1.44 billion in 2025 to an expected $16.22 billion by 2034 – a staggering 30.88% CAGR that signals more than market enthusiasm. Research shows a 17-34% probability that cryptographically relevant quantum computers will exist by 2034, climbing to 79% by 2044. But here's what keeps me awake at night: adversaries are already employing "harvest now, decrypt later" strategies, collecting our encrypted data today to unlock tomorrow. For my fellow CTOs and CIOs: the U.S. National Security Memorandum 10 mandates full migration to post-quantum cryptography by 2035, with some agencies required to transition by 2030. This isn't optional. Ninety-five percent of cybersecurity experts rate quantum's threat to current systems as "very high," yet only 25% of organizations are actively addressing this in their risk management strategies. To the brilliant minds entering our industry: this represents the greatest cybersecurity challenge and opportunity of our generation. While quantum computing promises revolutionary advances in drug discovery, optimization, and AI, it simultaneously threatens the cryptographic foundation of our digital world. The demand for quantum-safe solutions will create entirely new career paths and industries. What moves me most is the democratizing potential of this challenge. Whether you're building solutions in Silicon Valley or Lahore, the quantum threat affects us all equally – and so does the opportunity to solve it. Post-quantum cryptography isn't just about surviving disruption; it's about architecting the secure digital infrastructure that will power humanity's next chapter. The countdown has begun. The question isn't whether quantum will break our current security – it's whether we'll be ready when it does.

As I’ve been digging into the #CybersecurityFramework 2.0, and helping clients navigate the changes, I’ve found several areas where the new additions feel pretty significant. If you’re already using the #CSF and trying to figure out where to focus first, take note of these new Categories: ◾ The POLICY (GV.PO) Category was created to encompass ALL cybersecurity policies and guidance. Now, on one hand it might seem like a "well, of course" moment to consolidate all cybersecurity policies into one place - on the other hand, policies were previously sprinkled throughout the CSF, and were tied to specific actions like Asset Management or Incident Response. Now, it's all in one area, which makes a ton of sense and simplifies things, but also means we've got to remember that this one Category covers everything! ◾ Another significant addition is the PLATFORM SECURITY (PR.PS) Category which largely pulls together key topics from the previous Information Protection Processes & Procedures (PR.IP) and Protective Technology (PR.PT) focusing on security protections around broader platform types (hardware, software, virtual, etc.). If you’re looking for things like configuration management, maintenance, and SDLC – you’ll now find them here.  ◾ The TECHNOLOGY INFRASTRUCTURE RESILIENCE (PR.IR) Category pulls largely from the previous Information Protection Processes & Procedures (PR.IP) and Protective Technology (PR.PT) as well, but also pulls in key aspects from Data Security (PR.DS). This new Category highlights the need for managing an organization’s security architecture and includes security protections around networks as well as your environment to ensure resource capacity, resilience, etc. So, what does all this mean for your organization? Whether you're just starting out, or you're looking to refine your existing cybersecurity strategies, CSF 2.0 offers a more streamlined framework to use to bolster your cyber resilience. Remember, staying ahead in cybersecurity is a continuous journey of adaptation and improvement. Embrace these changes as an opportunity to review and enhance your cybersecurity posture, leveraging the expanded resources and guidance provided by #NIST! Have you seen the updated mapping NIST released from v1.1 to v2.0? Check it out here to get started and “directly download all the Informative References for CSF 2.0” 👇 https://lnkd.in/e3F6hn9Y

CISA has released its new Operational Technology (OT) Cybersecurity Guide, and it deserves board-level attention. For years, OT systems, the technology behind our power grids, water systems, manufacturing plants, and pipelines, were designed for reliability and safety, not cybersecurity. But as IT and OT environments have converged, the attack surface has expanded dramatically. We’ve already seen what this means in practice: ⚠️ Colonial Pipeline (fuel supply disruption) ⚠️ Oldsmar Water Plant (attempted poisoning) ⚠️ Ransomware groups are increasingly threatening physical operations to force payment. The CISA guide is a practical step forward, outlining what every OT-dependent organization should do: ✔️ Know your assets. Visibility is the foundation of OT security. ✔️ Segment IT and OT networks. Strong separation is essential. ✔️ Secure remote access. Enforce MFA, monitor, and log everything. ✔️ Patch with care. Use compensating controls when downtime isn’t possible. ✔️ Prepare for incidents. OT-specific monitoring, response plans, and recovery options must be in place. ✔️ Build resilience. Backups, redundancy, and even manual controls as a fallback. ✔️ Train people. Both IT and OT teams need a shared understanding of cyber risk. This isn’t just a technology problem. It’s a resilience problem. For executives, OT risk belongs on the same agenda as financial, legal, and regulatory risk. The impact of failure isn’t just data loss; it’s downtime, safety hazards, and national security implications. CISA’s guide is a reminder that OT security is no longer optional. It is a core part of modern business continuity. Please feel free to contact me if you need help or want more information on this. 🔔 Follow me for more real-world takes on cybersecurity, leadership, and tech strategy ♻️ Useful? Share to help others! #CyberSecurity #OperationalTechnology #RiskManagement #CriticalInfrastructure #CISA #BusinessContinuity

Headline: China Cracks RSA Encryption Using Quantum Annealing—Global Data Security Now Under Pressure ⸻ Introduction: A Chinese research team has achieved a milestone with profound cybersecurity implications: successfully cracking a small RSA-encrypted integer using a quantum computer. Though modest in scale, this experiment signals that quantum systems are starting to undermine the very cryptographic foundations that secure today’s banking, commerce, and communication systems. The race to build quantum-resistant encryption is no longer theoretical—it’s urgent. ⸻ Key Details 🔓 Cracking RSA with Quantum Annealing • Researchers: Wang Chao and team from Shanghai University. • Hardware Used: A D-Wave Advantage quantum annealer, built by D-Wave Systems. • Achievement: The team factored a 22-bit RSA semiprime integer, a task previously unsolved on this class of hardware. 🔐 What Makes RSA Strong—and Vulnerable • RSA Encryption: Based on the difficulty of factoring large semiprime numbers (products of two primes). • Classical Challenge: Conventional computers require subexponential time to factor 2048-bit keys—considered secure for now. • Largest Cracked Classically: RSA250 (829-bit key) using supercomputers over weeks. • Quantum Approach: The Chinese team translated factorization into a QUBO (Quadratic Unconstrained Binary Optimization) problem, solvable by quantum annealing. 🧠 Why This is a Warning Shot • Early Stage, But Symbolic: While a 22-bit number is trivial by today’s standards, the methodology proves scalability potential. • First Step Toward Quantum Decryption: Demonstrates quantum annealers can be adapted for cryptographic tasks—not just optimization. • Signals Future Risk: Today’s encryption might withstand current tech, but scalable quantum systems could break RSA entirely in years, not decades. ⸻ Why It Matters • Global Cybersecurity Threatened: Banking, defense, healthcare, and internet infrastructure all rely on RSA and similar public-key systems. This experiment shows those systems may soon be obsolete. • Quantum Arms Race Accelerates: The demonstration by Chinese researchers will likely intensify global investment in both quantum computing and post-quantum cryptography. • Urgent Need for Migration: Governments and corporations must begin transitioning to quantum-resistant encryption standards, or risk catastrophic breaches in the near future. • Tactical and Strategic Implications: Countries that master quantum decryption first may gain unparalleled capabilities in espionage, warfare, and economic control. ⸻ Keith King https://lnkd.in/gHPvUttw Arzan Alghanmi

The biggest threat to your data isn’t happening tomorrow. It happened yesterday. If you haven’t heard of HNDL (Harvest Now, Decrypt Later), your long-term data strategy has a massive blind spot. Here is the reality: State actors and cybercriminals are capturing your encrypted data today. They can’t read it yet, so they’re storing it in massive data vaults, waiting for the "Qday"—the moment quantum computers become powerful enough to break current encryption. If your data needs to stay private for 5, 10, or 20 years, it’s already at risk. What’s on the line? ↳ Intellectual Property (IP) and trade secrets. ↳ Government and identity data. ↳ Long-term financial records and contracts. ↳ Sensitive customer health data. How do we solve it? 🛠️ We cannot wait for quantum supremacy to react. The fix starts now: ↳ Inventory: Identify which data has a long shelf-life. ↳ Crypto-Agility: Move toward systems that can swap encryption methods without a total overhaul. ↳ Hybrid PQC: Implement Post-Quantum Cryptography alongside classical methods to ensure traffic captured today remains a mystery tomorrow. The transition to quantum-resistant security is a marathon, not a sprint. Are you tracking HNDL on your current risk register? Let’s discuss in the comments. 👇 P.S. If you want help mapping your exposure or building a PQC migration plan, drop me a message. ♻️ Share this post if it speaks to you, and follow me for more. #QuantumSecurity #PQC

🚀 Strengthening Cybersecurity with Zero Trust: Key Highlight from the FY26 Federal Cybersecurity Priorities 🚀 The Office of Management and Budget (OMB) and the Office of the National Cyber Director (ONCD) have released their FY26 Cybersecurity Priorities, focusing on enhancing the Nation's cybersecurity posture through strategic investments and initiatives. Here's a deep dive into the crucial aspects of their Zero Trust strategy: 🔹Modernizing Federal Defenses: The U.S. Government is transitioning towards fully mature Zero Trust architectures. This involves prioritizing technology modernization, implementing encryption and multifactor authentication, and leveraging government-managed cybersecurity shared services. 🔹Increasing Maturity of Information Systems: Agencies are required to submit updated Zero Trust implementation plans within 120 days, documenting current and target maturity levels in each pillar for all high-value assets and high-impact systems. These plans will be reviewed by OMB, ONCD, and CISA. 🔹Reducing Risk and Enhancing Security: Budget submissions must demonstrate how agencies are reducing risks by increasing the maturity of information systems based on the pillars outlined in the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model. Quotes from the Memo: 🔹"Agency investments should lead to demonstrable improvements reflected by agency FISMA reporting or similar metrics." "🔹Agencies with federated networks should prioritize investments in department-wide, enterprise solutions to the greatest extent practicable in order to further align cybersecurity efforts, ensure consistency across mission areas, and enable information sharing." 🔹"Within 120 days of the date of this memorandum, agencies must submit an updated zero trust implementation plan to OMB and ONCD." By aligning with CISA's Zero Trust Maturity Model and leveraging these strategic priorities, federal agencies can significantly enhance their cybersecurity posture, ensuring robust defense mechanisms and resilience against evolving threats. #Cybersecurity #ZeroTrust #Technology #CISA #Innovation #DigitalTransformation

If “best practices” were enough, why are ransomware attacks still shutting down plants and critical infrastructure? The OT security industry loves buzzwords: “Zero Trust will secure everything!” (Most industrial control systems can’t even support modern authentication.) “AI will detect every threat in real-time!” (If it can untangle decades of undocumented network changes.) “Follow best practices and you’ll be secure!” (Except compliance ≠ security, and the best organizations know it.) Where OT Security Strategies Fail 🔹 Security programs are built for frameworks, not business risks. → If your strategy isn’t tied to actual production risks, you’re wasting budget on ineffective controls. 🔹 One-size-fits-all security ignores real threats. → A refinery and a food processing plant face different risks, but security investments are often misallocated. 🔹 Compliance doesn’t stop attacks. → Security maturity is about risk reduction, not passing an audit. What High-Maturity OT Security Looks Like ✅ Prioritized Security Investment—Critical production assets get targeted protection, not generic policies. ✅ Risk-Based Metrics—OT security is measured by downtime prevention and financial exposure, not just compliance scores. ✅ Tested, Not Just Documented—Mature teams simulate real attacks to validate controls. ✅ Integrated Into Operations—Security is part of business continuity planning, not just IT. The Bottom Line: Get Moving or Get Breached The best companies: ✔ Invest in cybersecurity talent that understands operations. ✔ Measure security maturity in business terms. ✔ Focus on execution, not paperwork. The other companies? ❌ Treat compliance as the goal instead of a starting point. ❌ Apply generic security strategies across all sites. ❌ See security as an IT issue rather than a business enabler. If your security program isn’t reducing real risk, it’s just compliance theater. What’s Next? My team and I are in stealth mode, developing a platform to strengthen CNI security against evolving OT threats. Our prototype is coming in April. Watch this space! #CNI #CyberSecurity #OTSecurity

"Disinformation campaigns aimed at undermining electoral integrity are expected to play an ever larger role in elections due to the increased availability of generative artificial intelligence (AI) tools that can produce high-quality synthetic text, audio, images and videos and their potential for targeted personalization. As these campaigns become more sophisticated and manipulative, the foreseeable consequence is further erosion of trust in institutions and heightened disintegration of civic integrity, jeopardizing a host of human rights, including electoral rights and the right to freedom of thought. → These developments are occurring at a time when the companies that create the fabric of digital society should be investing heavily in, but instead are dismantling, the “integrity” or “trust and safety” teams that counter these threats. Policy makers must hold AI companies liable for the harms caused or facilitated by their products that could have been reasonably foreseen. They should act quickly to ban using AI to impersonate real people or organizations, and require the use of watermarking or other provenance tools to allow people to differentiate between AI-generated and authentic content." By David Evan Harris and Aaron Shull of the Centre for International Governance Innovation (CIGI).