2021 has been a crazy year for cybersecurity. From supply chain attacks like the SolarWinds hack to the NSO Group spyware scandal to the Colonial Pipeline ransomware attack, organizations face new (and repackaged) attacks every day. Indeed, according to the Identity Theft Resource Center, the total number of data breaches through September 2021 has already exceeded 2020 figures by 17%.
But beyond the specific attacks, various trends emerged and continued to strengthen in 2021. In this article, we take a look at six of them and consider how they might evolve in 2022. It should also be noted that each of these trends depends on and affects each other (and this list is just the tip of the iceberg), and it is often at their intersection points that the greatest risks and threats exist.
1. Protect critical infrastructure
What we already know: Although late, the world has realized the importance of protecting critical infrastructure. Governments around the world have passed laws and invested in colossal programs to protect and preserve supply chains of everything related to national security. Debates rage on how to classify critical infrastructure (horizontally by technologies used in several critical infrastructure systems like GPS, or vertically by industry like energy, finance, communications, etc.). Debates have also emerged around the best way to protect systems. Some philosophies are based on secure perimeter tactics, while others are based on digital insurance technologies and practices. Certainly, it is widely accepted that both hardware and software need to be protected, as we are seeing an increase in attacks under the application and operating system layers.
What could be next: Critical infrastructure expands to include interior space and outer space. From satellites that orbit our atmosphere to nanosystems that monitor or interact with our own biology from within our bodies, the attack surfaces have expanded to include our most intimate technologies. There are already methods for updating internal medical devices and spacecraft in orbit, but these will need to be improved and extended. In addition, the definition of the time horizon of a supply chain is evolving. It’s no longer enough to “look left” and make sure all of the previous steps are secure. Smart companies are committed to protecting products after they are marketed, and even until their second life or recycling.
2. The good and bad of artificial intelligence
What we already know: Like any tool, AI quickly expands its use cases, leading to both good and bad results. In cybersecurity, companies are using AI as a force multiplier in addition to traditional vulnerability analysis to uncover new vulnerabilities, exploits, and potential threats. AI plays a pivotal role in automating certain hardware and software security tools in order to continue to amplify the process. While people are always the center of vulnerability and security protections, AI aims to free up human resources to focus on the truly unique pieces, while AI takes care of the rest. On the flip side, AI isn’t just about good guys; adversaries use AI to gather information about networks and identify potential weak spots.
What could be next: In the future, AI and machine learning will be used to detect abnormal system behaviors. Much like the use of AI in radiology, patterns can be identified much earlier than by the human eye to detect problems. By creating and training AI models on typical performance behaviors of a system – coupled with training these same models on historical systems behavior in the event of an attack – AI will be used by organizations to detect problems much earlier and enable a faster response to silent threats. On the flip side, in many ways, the art of discovering security vulnerabilities is about performing actions on a device expressly in a way that is not expected or allowed. Attackers take these actions and watch what happens in the hope that the system will act problematically and expose vulnerabilities. Unfortunately, AI and machine learning can additionally allow attackers to vary tactics and observe behaviors much faster than would be possible through human interaction.
3. Imperfect alignment of security and privacy
What we already know: Security and privacy use similar technologies to achieve goals that are sometimes aligned, but sometimes opposed. Confidentiality is a complex concept. In some areas, like data protection, security and privacy are mostly aligned. In other situations, privacy requirements conflict with security requirements, for example when the fundamental characteristics of a technology and/or a business model require the identification of actors and their activities (for example, in finance). To add complexity to an already complex situation, privacy laws and regulations are not harmonized globally and are in some cases extraterritorial (e.g., GDPR).
What could be next: In the short term, regulatory requirements will continue to drive advancements in privacy technology that will rely heavily on adapting techniques developed for various aspects of security. Process requirements for both privacy and security (such as exclusion/membership or disclosure requirements) will continue to be enshrined in regulations and standards. But these technologies and regulations will only cover superficial and niche issues, with a few brighter points, such as preserving privacy in web browsers. With AI and advanced computing increasingly relying on the movement of data, it is anticipated that in the longer term, privacy-preserving features will be integrated into communication protocols, and that regulations will increasingly address fundamentals of privacy, including user control and transparency in the use of user data.
4. Human threats controlled by machine trust
What we already know: The easiest way to get into anything that’s locked is to have someone hand over the keys to you. Multi-factor authentication filled a major gap and prompted researchers to document increasingly complex breach tactics, including physical proximity of systems and supply chain compromises. While these need to be carefully considered and addressed, the most common tactic remains phishing with unintentional insiders or by offering a platform or dollars to those who are unhappy. AI intersects with human factors and fields of psychology to develop increasingly robust detection capabilities where unusual digital behavior can trigger an investigation.
What could be next: Even the most robust human attestation and abnormal-behavior detection solve only half the problem. Companies are increasingly asking, “What about the certification of the machine itself?” Some require certification of a system’s internal cryptographic digital material every time an employee logs in to make sure the system itself has not been compromised. There is growing interest in this as employees work outside of a traditional secure perimeter of the corporate office or lab.
5. The marriage of hardware and software security
What we already know: Software was (and remains) a major target, with most successful attacks occurring at this level. But as software becomes more secure, successful exploits don’t always give keys to the kingdom or full access to the system like they once did. Hackers go deeper into areas of higher privilege, like firmware and hardware. System security relies on complex trust relationships, and the relationship between hardware and software is crucial for the execution of the trusted system.
What could be next: Hardware and software are designed to work better together, which should result in new trust mechanisms that allow for continuous, real-time verification and attestation. As the IT world continues to grow, the transfer of trust between software and hardware when securing a system and data will become more valuable.
6. Digital transformation and “cloudification”
What we already know: Many people are now working from home, which is driving more and more applications and data to the cloud. Savvy organizations recognize the potential benefits and risks of this model, and they ask the appropriate questions about physical hardware security and layered approaches to securing software.
What could be next: Going forward, conversations should also include customer perceptions of privacy, reliability and ethics (based on decisions to collect and store data). Understanding how data will be used and how it will be protected will be increasingly valuable. Stakeholders should also be prepared to address how data is protected at the level of the hardware layer while it is in any state – at rest, in transit and in use.
2022 is set to be another exciting year of innovation and security challenges. While the six we’re highlighting today are just the start, it’s important to also consider other key areas such as crisis simulation and planning and the impact of user experience on security.
Contributing Author: Tom Garrison, Vice President and General Manager of Customer Security Strategy and Initiatives, Intel