A peek into the cybersecurity crystal ball for 2022
It’s that time of year. And not just the obvious one now sadly in the rearview — the holidays — welcome as they were. It’s also the time that predictions are upon us. In the world of information technology, starting after Thanksgiving and ramping up into January, a parade of courageous experts dust off their crystal balls, do some gazing, and flood tech websites with forecasts about the coming year.
Yes, courage. You need it to make predictions that could turn out to be dead wrong, or that could miss the biggest story of a year. That is what happened in 2019, for good reason: nobody could have known that less than three months into 2020, life, health, work, and technology would be upended by a pandemic that continues two years later.
That’s why we talk about 20/20 hindsight, not foresight. That’s why the late, great Yogi Berra declared that “predictions are hard, especially about the future.”
That’s why nobody at the end of 2020 was talking about Log4Shell, an easily exploitable vulnerability in Log4j, the popular Java logging package, discovered just weeks ago. It could affect billions of devices, and some experts have called it a recipe for “an internet meltdown.”
But that doesn’t make forecasting worthless. Many predictions do come true, and for good reason: the well-informed cybersecurity prognosticators who make them have built successful careers on their ability to evaluate trends and plan ahead. That foresight can help both those in the industry and the rest of the non-techie world.
So in no particular order, here’s some informed speculation about what we’re likely to be seeing, buying, selling, enjoying, and likely fighting for the rest of the brand-new year.
High supply chain anxiety
Jason Schmitt, general manager, Synopsys Software Integrity Group
Although increased scrutiny of our software security and technology supply chains will drive incremental improvements and ramp up security spending, it’s unlikely to keep pace with the exponential increase in malicious threats and insecure systems.
Software supply chain risk management will rapidly emerge as a crucial discipline and top-three investment area for CISOs, as they realize the extent to which they lack visibility into software and have underinvested in software security programs relative to the extent of the threat to the business.
The IoT: Ever-bigger, ever more porous
Rebecca Herold, CEO, The Privacy Professor
The ways that IoT vulnerabilities — and there are many, given that manufacturers often don’t engineer sufficient security into their products — are exploited will continue to increase. The number of IoT product hacks in the first half of 2021 was twice that of the first half of 2020. So with the increased use of IoT products, that number will double again in the first half of 2022. Cybercrooks, hackers, nation-states, and snoops see these devices as sitting ducks within the digital ecosystem, providing them with easy access to the device. They use that access to change device settings and controls, and to connect to otherwise secured networks to exfiltrate data, plant malware, ransomware, and botnets, and to cause general mayhem and bring down networks.
Dr. Joseph Lorenzo Hall, senior vice president, Strong Internet at Internet Society
I think we will be watching the dance between LEO [low earth orbit] satellite systems and governments that want to forbid internet connectivity for their people in certain contexts and times.
We’ve seen an amazing uptick in internet shutdowns in authoritarian and approaching-authoritarian nations, and I expect cheap satellite terminals to frustrate that control. We may see governments try to jam or intercept satellite communications, which is probably going to be rocky given the speed of competition here and the oodles of vulnerabilities governments could use at various points in these systems. And given the proprietary nature, it’s hard to tell from the outside exactly how secure these links are.
The extreme here could be if governments like Russia and China, which have demonstrated kinetic capabilities against satellites, actually acted against western LEO satellite system companies, either to make a point or to litter those orbits with rubble for a while. Enter stage left [Apple cofounder] Steve Wozniak’s company to clean up space debris!
Transparency or else
Sammy Migues, principal scientist, Synopsys Software Integrity Group
More people will demand to know what their software is made of. Whether it’s a nutrition label or Bill of Materials or similar, organizations will demand that vendors account for all software in apps and devices, where it came from, how it was built and tested, and how it’s being maintained. In a few years, selling opaque software will be the exception rather than the rule.
Andrew Hay, chief information security officer, LARES
Businesses can expect to see and be required to complete more third-party vendor due diligence spreadsheets than in previous years. As vendor management programs mature, organizations are pushing their security expectations and requirements through the supply chain to satisfy regulatory requirements, partner requirements, and even cyber insurance requirements.
Ransomware at your service
Bill Brenner, vice president of content strategy, CyberRisk Alliance
We should expect to see a lot more ransomware attacks that target the software supply chain and organizations tied to critical infrastructure. I worry that what we saw with SolarWinds and Colonial Pipeline will become the new normal in 2022 — which is to say these types of events will become monthly and weekly occurrences.
I do not predict a falling sky, however. The federal government is finally starting to take it seriously and will continue to do so. Cyberattacks with real-world consequences change the game in Washington.
I also see security teams rising to meet these threats with grit and resolve. That too will continue. I know many of these professionals and I sleep better at night knowing they are on the case.
Bruce Snell, vice president, security strategy and transformation, NTT Security
We should really look at 2021 as the beta test for ransomware as a service (RaaS). 2022 will likely see a huge uptick in ransomware as a direct result of the growth of the RaaS market. Cybercrime groups will continue to expand their RaaS reach by making it easier and cheaper for aspiring script kiddies to get into the game and target organizations that are still being impacted by the cyber skills shortage. With close to 600,000 vacant security jobs in the U.S. alone, organizations will have to rely more heavily on technology and managed security service providers to keep up with the escalating number of attacks.
Of course ransomware is just the “how” side of the breach equation. The “who” side will most likely show an increase in attacks against critical infrastructure and the supply chain. Attacks like those against Kaseya and SolarWinds have brought attention to the state of application security and how easily one breach can trickle down exponentially.
May the global force be with you
Ian Hall, head of client services, APAC, Synopsys Software Integrity Group
I see an expansion of multilateral cooperation around cybersecurity. There have been two high-level meetings of U.S. government officials in Singapore where cybersecurity was discussed: Secretary of Defense Lloyd J. Austin III’s visit in July and Vice President Kamala Harris’s in August. A quick internet search of hacks or breaches in Asia Pacific brings up a common theme — the involvement of nation-state malicious actors. This is something that governments in the region are keen to get ahead of by cooperating to share information.
Cybersec presidential push
Matt Jacobs, director, legal counsel, Synopsys Software Integrity Group
The Biden Administration’s Executive Order on Improving the Nation’s Cybersecurity, although issued in 2021, will start to impact many companies in 2022. This high-profile push to drive continuous security improvements throughout the technology supply chain will require suppliers to be cyber aware and will make cybersecurity a competitive imperative.
Companies that can’t demonstrate to the consuming public that their products and services are secure will quickly find themselves at a competitive disadvantage. In contrast, companies that can produce a comprehensive and reliable software Bill of Materials that identifies the software components in their products, including, very importantly, their open source components, will increase customer confidence and enjoy a competitive advantage.
Unaccountable tool rogues
Richard Bejtlich, strategist and author in residence, Corelight
We will continue to see intruders leverage [security penetration testing tool] Cobalt Strike [used in the SolarWinds supply chain attack], with little to no consequence for its commercial developers. The security 1%, or those who have most or all of the security capability needed to leverage offensive security tools, will continue to benefit from them, while the 99% will continue to suffer.
The security 1% will continue to oppose any effort to hold the developers partially negligent for their weak licensing and insufficient responsible use practices. The security 1% will ignore the reality that nothing is perfectly black or white in digital security or in the physical world.
Tanya Janca, founder and CEO at We Hack Purple Academy
Companies will panic more about security, especially AppSec. Some of them will attempt to purchase “security” by buying a lot of tools that they may or may not make proper use of. Others will create plans that involve training and upgrading their programs.
Software developers will take security into their own hands, more than ever before. With Log4j I saw a lot of them come to the aid of their employers, when previously they may have stayed out of it.
All aboard the training train
Amit Sharma, security engineer, Synopsys Software Integrity Group
In the year ahead, cybersecurity awareness training will remain essential to the prevention of a variety of cyberattacks for organizations of all shapes and sizes. This is an important way for businesses to prevent phishing attacks.
And the more things change …
Graham Cluley, blogger, researcher, and host of the Smashing Security podcast
More of the same.