Cybersecurity experts gaze into the 2023 crystal ball and see good, bad, ugly

Taylor Armerding
Published in Nerd For Tech
Jan 9, 2023


Supposedly it was iconic New York Yankee Yogi Berra who said that “predictions are hard, especially about the future.” But then, some claim it was iconic Yankees manager Casey Stengel who said “don’t make predictions, especially about the future.”

Whatever — same general idea. The difficulty of predicting what’s going to happen for the remainder of a year that’s just beginning ought to be obvious. Weather experts have a tough time telling us what’s going to happen in a week, after all.

So it takes both wisdom and courage to make predictions. Fortunately, when the topic is cybersecurity (or a lack of cybersecurity) there is a cadre of the courageous. And all are tempered by the wisdom to know that there are no guarantees. Who could have predicted at the beginning of 2020 that in less than three months the majority of Americans, if they were working at all, would be working from home due to a worldwide pandemic that would kill more than a million people in the U.S.?

But they can tell you what’s likely to happen because one of the reasons they’re experts is that they’re good at spotting trends. So here, in no order of significance, are some forecasts to help you plan for 2023.

Declining insurance assurance

Josephine Wolff, professor of cybersecurity policy, Fletcher School of Law and Diplomacy, Tufts University

One trend is that insurers are trying to carve losses from various types of state-sponsored cyberattacks out of their coverage, and the impacts that will have on policyholders and cyber risk management practices. Forcing companies to pay on their own for damages from those attacks will lead to more dissatisfaction and disputes around cyberinsurance claims.

Artificial but irresistible

Sammy Migues, principal scientist, Synopsys Software Integrity Group

We’ll see some new and interesting side effects from the technology that gave us deep fakes and ChatGPT. For example, technical interviews over video calls should be a snap if you have an expert sit in for you — who looks and sounds just like you.

If you don’t have such an expert handy, why not just send the questions to ChatGPT and read the answers? Don’t have time to learn how to configure that new security device? Forget technical support — ask ChatGPT for a step-by-step checklist! Don’t have time to write that new crypto module? Ask the AI to do it! Don’t have years of log data to support your massive budget request? Have the AI generate it in minutes! The possibilities are endless. Sure, the AI is just a mindless automaton spewing things it’s assembled but it can be pretty convincing at first glance.

Danger everywhere

Brian Krebs, security blogger at KrebsonSecurity

We’re likely to continue to see new methods used by data ransom gangs to turn the screws on victims to get them to pay. That probably means more attacks that end in the destruction or corruption of data when victims don’t pay.

Also, as faster, real-time payment systems take hold in the U.S. banking sector, enabling near instantaneous and irreversible transfers between and among banks in the U.S., we will see faster fraud, just as we have in other nations that were early adopters. This is especially concerning given recent data released by Sen. Elizabeth Warren [D-Mass] showing that the biggest banks in the U.S. are already stiffing victims of account takeover, reimbursing them an average of just 47% of the dollar amount of fraud claims.

Tanya Janca, founder and CEO at We Hack Purple Academy, security trainer

This year more and more software developers will be asking the security team for technical advice, and about half of them will be quite disappointed with the response. While lots of companies are taking security more seriously than ever before, some will continue to do very little, while others will spend quite a lot of money, but only check boxes.

Also, many more API security companies will pop up and will continue to try to sell tools that don’t add any additional security for web app front ends, and concentrate only on the APIs (back end), for better or for worse.

Third, due to the recession, quite a few companies will lay off security staff to cut spending. And the results in some cases will be quite dire.

Supply chain awareness surge

Michael White, technical director and principal architect, Synopsys Software Integrity Group

As organizations become concerned about what could be in their software and where it comes from, we’ll start to peel back the layers of the onion and understand all the possible corner cases where we need to have appropriate controls.

This will mean much more transparency is required — not just software Bills of Materials, but also the whole chain of custody of who touched what, which tools were used, what testing was performed, etc. Organizations will look to toughen their internal supply chain and software delivery infrastructure, as well as cascade down to their providers and vendors a requirement for transparency.

Data breach data decline

James E. Lee, COO, Identity Theft Resource Center

The number of data breach notices that reveal less information about a compromise will continue to grow, putting more people and businesses at risk.

Two years ago, only a handful of notices didn’t have good information, but the percentage has accelerated through 2022. We think, anecdotally, that it’s due to a series of federal court rulings that you must have suffered actual harm from a breach before you can sue a company.

So the trend is to avoid giving any potential plaintiff discovery information in a press release. Sometimes it’s for legal reasons and sometimes it’s for PR, but we’re not seeing information that helps people make good decisions. That means opportunities are being left on the table that could help people. It’s ironic to be willfully removing information at a time when the White House is encouraging more information-sharing. We’re at cross purposes.

Wake up? Nah, hit the snooze button

Jonathan Knudsen, head of global research within the Synopsys Cybersecurity Research Center

People will still not take software risk seriously, will continue to build things too fast without doing it properly, and will still not think about security until their house is actually burning.

Southwest Airlines should be a wake-up call. Obviously all companies are software companies, and how much is its meltdown going to cost them? But we’ve had at least five decades of wake-up calls and we just keep hitting the snooze button.

Panning privacy inequality

Stewart Baker, attorney at Steptoe & Johnson, host of Skating on Stilts podcast

This is the year when Europe’s aggressively punitive privacy policy toward American companies and its lack of privacy enforcement against Chinese companies will become unsustainable.

Open source eats the software world

Gunnar Braun, technical AppSec account manager, Synopsys Software Integrity Group

The value of open source software (OSS) is not just that it’s free. It’s the enormous amount of software components available for almost every problem you’ll ever face. Businesses are realizing their dependence on OSS as an enabler for their own business.

Many OSS projects are backed (funded) not just by large enterprises that produce a lot of OSS on their own, but now also by smaller companies. This is their investment in the quality and security of OSS so they can continue to use and rely on it. In 2023, smaller companies will invest more in the OSS they use, and bigger players will build programs to bring order to the chaos, like Google’s Assured Open Source Software service. We will see what level of acceptance the latter will achieve.

Curbing crypto crime

Josephine Wolff

A trend worth following closely is the use of sanctions to target different types of cryptocurrency intermediary firms, including exchanges and mixers, and the broader effort to combat ransomware and other types of cryptocurrency-enabled cybercrime by targeting known bad actors in the cryptocurrency industry. It will be interesting to try to track what impact, if any, those sanctions will have on the broader cybercrime ecosystem and how easily criminals can replace those intermediary firms with others.

And on the legislative front …

James E. Lee

Despite continued evidence that data breaches give scammers the information they need to craft more effective phishing pitches and account takeover fraud, Congress will fail to pass a comprehensive privacy and data security law.

It’s long overdue — the first time I was on the Hill talking about it was 2005. And the best opportunity to do it was during the past couple of years with one-party control of the presidency and Congress.

There is a pretty good discussion draft of a law — not perfect, but a good starting point. The key sticking point that’s been there for years is federal preemption of state laws. But that’s allowed state data breach laws to stay in place and those are broken — they’re out-of-date and we need to look at them. Maybe it will get done because both parties favor the general idea — nobody is pro-data breach. And not every state is equipped to have its own law, so we have unequal protection today.

Sammy Migues

I think we’ll see the first steps toward massive cyber and cybersecurity overhaul across all critical infrastructure industries. The U.S. government will attempt to pass new laws or attempt to do through executive order what it can’t do through the legislative process. Cyber-resilience as a goal will begin to get pushed more into industry and trickle out to the very tips of the software forge — open source software creators.


I’m a security advocate at the Synopsys Software Integrity Group. I write mainly about software security, data security and privacy.