6 Predictions for Cybersecurity in 2023
Plus three bonus mini-predictions
Predictions for the future are always tricky, but when it comes to cybersecurity, there are a few things we expect to see in 2023.
But first, a quick review of the predictions we made last year:
- ✅ NFT fizzle — a casualty of the crypto sell-off
- ✅ Metaverse fizzle — a casualty of billionaires with more money than sense
- ✅ Web 3.0 fizzle — a casualty of the crypto sell-off
- ✅ Inflation and chip shortages (more of the former than the latter)
- ✅ More and more diverse electric cars on the road
- ◐ WFH becomes permanent — a mixed bag of results
- ◐ AppSec focus — a mixed bag of results
- ❌ HTTP/3 takeover — miss: adoption stayed steady at 25% of websites
- ❌ Take off of local first / privacy-first apps — sadly did not materialize, though to be fair, we said this would be over the next few years
1. The Rise of AI-powered Attacks
Generative AI has enabled a new class of software capable of producing text, images, and code. On the code front, ChatGPT has already been shown producing exploit code for known vulnerabilities, which is worrisome.
Crafting a working exploit has traditionally required considerable expertise and skill. Setting aside nation-state attacks by professionals working for their country's national security apparatus, most hacks use exploits that were developed and made public by others, usually after the software vendor has had the opportunity to fix the underlying vulnerability.
Attackers who use these ready-made exploits but lack the skills to produce their own are often called script kiddies, and they represent the bulk of attackers on the Internet. They often succeed, but for the most part just keeping systems patched and up to date stops them, because the public exploit usually arrives after the fix.
Now, with AI tools at their disposal, many of these low-skilled attackers will be able to operate beyond their skill level. In other words, brace yourself for more sophisticated attacks, including attacks on unpatched or even zero-day vulnerabilities, coming from masses of less sophisticated attackers.
Many are predicting that cyber defense will benefit from the same breakthroughs, but defensive tooling will likely lag the attackers by quite a bit. Nor does it change the hard problem underneath: telling "good" network traffic and system activity from "bad".
2. Data Breach Penalties Take Off
GDPR has been in effect since 2018, and it’s finally found its footing:
- GDPR fines 2018–2020: €253 million
- GDPR fines 2021–2022: €2.1 billion (⬆8x)
And it isn't just the name-brand companies, either. Most headlines concentrate on fines levied against companies like Facebook, Google, and Amazon, but there have been over 1,200 fines so far, and most of them hit less well-known organizations, including small tech companies, hospitals, banks, restaurants, and even private individuals (source).
And then there are the state privacy laws. California’s latest, CPRA, and Virginia’s new privacy law, CDPA, both go into effect on January 1, 2023.
As we’ve seen with GDPR, it can take a few years for privacy law enforcement to ramp up, but we expect big fines for companies suffering breaches in 2023. Best get that house in order before then.
3. Spillover from the War in Ukraine: Digital Attacks on Energy Supply
Russian hackers have repeatedly struck at Ukraine for a decade using a wide range of attacks, including ones that jump the gap from digital to physical to cause power outages and more.
Russian hackers have been focused on the war, but sanctions against Russia are becoming more painful. Russia wants those sanctions eased, and for that it needs other countries to feel pain around energy prices.
Watch for attacks against critical infrastructure like grids, pipelines, and shipping companies in 2023, not just in Ukraine but across Europe and the U.S. These will likely be coupled with renewed disinformation campaigns aimed at provoking unrest and extremism in democratic countries, adding pressure on politicians to find solutions to soaring energy costs.
4. Post-quantum Progress, but No Major Shift Yet
The post-quantum cryptography competition hosted by NIST made its initial selections in 2022 (CRYSTALS-Kyber for key establishment; CRYSTALS-Dilithium, FALCON, and SPHINCS+ for signatures), but these selections aren't finalized as standards yet.
Once finalized, there will be an incredible push to upgrade cryptographic infrastructure to support the new standards, and this will take tremendous time and money.
For now, though, NIST is gathering community feedback and will then produce drafts of standards that permit or even require the use of these new algorithms.
Those drafts will then need time for public comment and revision before they are officially blessed and ready for adoption. In all likelihood, we’ll see meaningful progress in 2023, but no fire drills in cryptography until 2024.
5. Data Sovereignty and the Multi-cloud Mess
Many companies are still working to shift from on-prem to the cloud, but for those who are already in the cloud, the daunting next step is the fractured multi-cloud world that’s being driven by data sovereignty laws. Distrust between countries has led to a need to keep data about citizens within the borders of the country or region where the citizen lives.
When it comes to Europe, the U.S. is not currently a trusted entity because U.S. surveillance law allows the government to secretly compel providers to hand over data for national-security purposes, with little recourse for the people whose data it is.
The proposed replacement for Privacy Shield, the EU-U.S. Data Privacy Framework, has moved slowly since it was announced in March 2022 (a U.S. executive order followed in October, but the EU has not yet adopted it). Even if it is adopted, it will be challenged and, again, found wanting unless the U.S. changes its laws to better protect the privacy of citizens and non-citizens alike, which seems unlikely.
The consequences of this multi-cloud shift will be two-fold:
- More complexity, which means more misconfigurations and consequently more breaches. According to Trend Micro, 70% of cloud breaches are already due to misconfigurations; this will only get worse.
- More adoption of technical measures, particularly encryption, to keep data private and to keep control of it, via the keys that encrypt it, out of reach of untrusted governments. Encryption only delivers that control if the keys themselves stay in the trusted jurisdiction; a key managed by the cloud provider is subject to the same compelled-disclosure laws as the data.
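To make the second point concrete, here is an added example (not code from the original post) of the technique behind "hold your own key" offerings: envelope encryption in Go, where each record gets a fresh data key (DEK) and that key is wrapped with a key-encryption key (KEK) that stays with the data owner. The cloud stores only the ciphertext and the wrapped DEK. The plain 32-byte KEK, the `Envelope` type and the sample record are constructed stand-ins for an HSM-held key and a real object.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is the record handed to cloud storage: ciphertext plus a wrapped
// data key, and nothing that can be read without the owner's KEK.
type Envelope struct {
	WrappedDEK []byte // per-object DEK encrypted under the KEK (nonce prefixed)
	Ciphertext []byte // data encrypted under the DEK (nonce prefixed)
}

// aeadSeal encrypts with AES-256-GCM and prefixes the random 12-byte nonce.
func aeadSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// aeadOpen reverses aeadSeal; a wrong key or any tampering fails authentication.
func aeadOpen(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Encrypt runs on the data owner's side. In production the KEK lives in an
// HSM or KMS inside the owner's jurisdiction; here a 32-byte slice stands in.
func Encrypt(kek, plaintext []byte) (Envelope, error) {
	dek := make([]byte, 32) // fresh data key per object
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	ct, err := aeadSeal(dek, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := aeadSeal(kek, dek)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the data. Anyone holding
// only the stored record (the provider, or a government compelling it) fails
// at the first step and never learns the DEK.
func Decrypt(kek []byte, env Envelope) ([]byte, error) {
	dek, err := aeadOpen(kek, env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return aeadOpen(dek, env.Ciphertext)
}

// Leaks reports whether the stored record contains the plaintext in the clear,
// the sanity check to run against any "encrypted at rest" claim.
func Leaks(env Envelope, plaintext []byte) bool {
	return bytes.Contains(env.Ciphertext, plaintext) || bytes.Contains(env.WrappedDEK, plaintext)
}

func main() {
	kek := make([]byte, 32) // constructed KEK for the demo
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	record := []byte("constructed sample: EU resident record") // constructed input
	env, err := Encrypt(kek, record)
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, env)
	fmt.Printf("owner with KEK: %q, err=%v, leaks=%v\n", pt, err, Leaks(env, record))
	_, err = Decrypt(make([]byte, 32), env) // the provider's view: record but no KEK
	fmt.Println("provider without KEK:", err)
}
```

The design point is where `Decrypt` runs: if the unwrap step happens inside the owner's HSM, the DEK is the only key that ever crosses into the cloud, and only for the lifetime of one request. Using the KEK directly on the data instead of wrapping per-object DEKs would force the KEK itself into the cloud, which defeats the purpose.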
6. SBOMs Bomb
Supply chain compromises that inject malicious code into software a company trusts (SolarWinds), and vulnerabilities in dependencies that compromise every app directly or indirectly using them (Log4j), have been a huge problem over the last two years.
The consensus approach to resolving this problem has been to build out Software Bills of Materials (SBOM) for all used software. These SBOMs itemize all of the direct and indirect dependencies of a given piece of software.
This has been likened to putting nutrition facts on the side of food packaging, but in practice it's nowhere near as useful. Someone has to evaluate all of those thousands of dependencies to determine which represent acceptable risks and which don't. And if a dependency is unacceptable, does the business stop using the software that depends on it? Does the company re-implement the functionality of the library itself? For open source, what criteria should even be used for trustworthiness?
The sad truth is that it’s a huge amount of work to ingest and evaluate SBOMs and it’s several orders of magnitude more work to remedy anything deemed to be an issue.
SBOMs are a good first step towards potential future scoring systems that help companies understand inherent risk in the software they use, but in the meantime, companies will find SBOMs to be a bottomless hole of time and money with little practical increase in security as a result.
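As an added illustration (not code from the original post), the following Go program does the ingestion step the paragraphs above describe: it parses a small CycloneDX SBOM, walks the dependency graph from the root component so that each flagged dependency comes with the path that pulls it in (and therefore whether it is direct or transitive), and applies a version policy. The SBOM document and the policy threshold (log4j-core below 2.17.1 is unacceptable) are constructed for the example; only the Go standard library is used.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Subset of the CycloneDX JSON schema; untagged fields match their JSON keys case-insensitively.
type component struct {
	BOMRef               string `json:"bom-ref"`
	Group, Name, Version string
}

type sbom struct {
	Metadata     struct{ Component component }
	Components   []component
	Dependencies []struct {
		Ref       string
		DependsOn []string
	}
}

// Constructed sample: the service never declares log4j-core itself; it arrives through the SLF4J binding.
const sampleSBOM = `{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "app", "name": "billing-service", "version": "3.2.0"}},
  "components": [
    {"bom-ref": "slf4j", "group": "org.slf4j", "name": "slf4j-api", "version": "1.7.36"},
    {"bom-ref": "bridge", "group": "org.apache.logging.log4j", "name": "log4j-slf4j-impl", "version": "2.14.1"},
    {"bom-ref": "log4j", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["slf4j", "bridge"]},
    {"ref": "bridge", "dependsOn": ["slf4j", "log4j"]}
  ]
}`

// finding is a policy hit plus the shortest path from the root that pulls the
// component in; Path is empty when the component is listed but never reached.
type finding struct{ Name, Version, Path string }

// Direct reports whether the component is a first-level dependency of the root.
func (f finding) Direct() bool { return strings.Count(f.Path, " -> ") == 1 }

// versionKey zero-pads each dotted numeric part so plain string comparison orders versions.
func versionKey(v string) string {
	var k strings.Builder
	for _, p := range strings.Split(v, ".") {
		n, _ := strconv.Atoi(p) // non-numeric parts count as 0
		fmt.Fprintf(&k, "%08d.", n)
	}
	return k.String()
}

// evaluate parses the SBOM, walks the dependency graph breadth-first from the
// root component, and flags components below the version the policy requires.
// policy maps "group:name" to the first acceptable version.
func evaluate(doc []byte, policy map[string]string) ([]finding, error) {
	var b sbom
	if err := json.Unmarshal(doc, &b); err != nil {
		return nil, err
	}
	edges, name := map[string][]string{}, map[string]string{}
	for _, d := range b.Dependencies {
		edges[d.Ref] = d.DependsOn
	}
	for _, c := range b.Components {
		name[c.BOMRef] = c.Name
	}
	root := b.Metadata.Component
	path := map[string]string{root.BOMRef: root.Name}
	for queue := []string{root.BOMRef}; len(queue) > 0; queue = queue[1:] {
		for _, next := range edges[queue[0]] {
			if _, seen := path[next]; !seen && name[next] != "" {
				path[next] = path[queue[0]] + " -> " + name[next]
				queue = append(queue, next)
			}
		}
	}
	var out []finding
	for _, c := range b.Components { // slice order keeps output deterministic
		if fixed, ok := policy[c.Group+":"+c.Name]; ok && versionKey(c.Version) < versionKey(fixed) {
			out = append(out, finding{c.Name, c.Version, path[c.BOMRef]})
		}
	}
	return out, nil
}

func main() {
	// Illustrative policy threshold for the sample, not a vulnerability database.
	findings, err := evaluate([]byte(sampleSBOM), map[string]string{"org.apache.logging.log4j:log4j-core": "2.17.1"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", findings)
}
```

The parsing and the graph walk are the cheap part, which is the point of the section: the output is a list of paths that a human still has to act on, and the policy map has to be written and kept current by someone.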
Three bonus mini-predictions
The Year of the Yubikey: hardware tokens are a better way to handle multi-factor authentication. With Apple and Google building FIDO authenticators (passkeys) into their phones, and with push- and code-based multi-factor approaches failing in the face of MFA fatigue attacks and social engineering, companies are going to start rolling out hardware tokens to more of the workforce, particularly those with access to sensitive information. The "passwordless" hype train will help this along as well.
Web3 implosion continues: startups building Web3 apps will have a very hard time raising money or earning enough from users to keep their people employed. We'll see a massive drop in active projects and startups as the monetary incentives evaporate and the other downsides of Web3 (complexity, poor performance, public records, cryptocurrency underpinnings) become more apparent.
"Zero-trust" hype tails off: enough companies have attempted to implement the much-hyped "zero-trust network" security model and found that the products are not as good as promised and that complexity and management cost more than expected. Buyer wariness will lead to a lot less marketing around the concept, even though it's fundamentally a good idea that organizations should still strive for.