2021 has been a wild year in the cybersecurity space. From supply chain attacks like the SolarWinds hack to the NSO Group’s spyware scandal to the Colonial Pipeline ransomware attack, organizations are facing new (and repackaged) attacks daily. In fact, according to the Identity Theft Resource Center, the total number of data breaches through September 2021 has already exceeded 2020 numbers by 17%.
But beyond specific attacks, a variety of trends emerged and continued to gain strength in 2021. In this article, we look at six of them and examine how they might evolve in 2022. It’s also worth noting that each of these trends depends on and affects the others (and this list is just the tip of the iceberg), and it’s often at their intersection points that the biggest risks and threats exist.
1. Protecting critical infrastructure
What we already know: Albeit belatedly, the world has awakened to the importance of protecting critical infrastructure. Governments all over the world have passed legislation and invested in colossal programs to protect and preserve the supply chains of anything tied to national security. Debates rage about how to classify critical infrastructure (horizontally by technologies used in multiple critical infrastructure systems like GPS, or vertically by industry like energy, finance, communications, etc.). Debates have also emerged around the best way to protect systems. Some philosophies ground themselves in secure perimeter tactics, while others in digital assurance technologies and practices. Certainly, there is wide agreement that hardware and software must both be protected, as we witness increasing attacks below the application and OS layers.
What could be next: Critical infrastructure is expanding to include inner space and outer space. From satellites that orbit our atmosphere to nano-systems that monitor or interact with our own biology from inside our bodies, attack surfaces have expanded to include our most intimate technologies. There are already methods for updating internal medical devices and orbiting spacecraft, but these will need to be improved and expanded. Furthermore, the definition of the timeframe of a supply chain is evolving. It’s no longer sufficient to “look left” and ensure all the prior steps are secure. Smart companies are committing to protect products post-release, and even into second life or recycling.
2. The good and bad of artificial intelligence
What we already know: Like any tool, AI is rapidly expanding its use cases, leading to both good and bad outcomes. In cybersecurity, enterprises are using AI as a force multiplier on top of traditional vulnerability scanning to discover potential new vulnerabilities, exploitations, and threats. AI plays a critical role in automating certain hardware and software security tools, which further amplifies that process. While people are still at the center of vulnerability and security protections, AI aims to free up human resources to focus on the truly unique pieces, while AI handles the rest. On the flip side, AI is not limited to the good guys: adversaries are using AI to collect information about networks and identify potential weak spots.
What could be next: Moving forward, AI and machine learning will be used to spot anomalous system behaviors. Just like the use of AI in radiology, patterns can be identified far earlier than by the human eye. By building and training AI models on typical performance behaviors of a system – coupled with training those same models on historical behaviors of systems while under attack – organizations will use AI to spot problems far earlier and enable faster response to mute threats. On the flip side, in many ways, the art of security vulnerability discovery lies in performing actions on a device expressly in ways that aren’t expected or allowed. Attackers perform those actions and observe what happens in hopes that the system acts in a problematic fashion and exposes vulnerabilities. Unfortunately, AI and machine learning may further enable attackers to vary tactics and observe behaviors far faster than would be possible through human interaction.
3. Imperfect alignment of security and privacy
What we already know: Security and privacy use similar technologies to achieve objectives that are sometimes aligned, but sometimes opposed. Privacy is a complex concept. In some areas, like data protection, security and privacy are mostly aligned. In other situations, privacy requirements are in conflict with security requirements, for example where foundational features of a technology and/or business model require identification of the actors and their activities (e.g., in finance). To add complexity to an already complex situation, privacy laws and regulations are not harmonized globally, and are, in some cases, extraterritorial (e.g., the GDPR).
What could be next: In the short term, regulatory requirements will continue to drive advances in privacy technology that will rely heavily on the adaptation of techniques developed for various aspects of security. Process requirements for both privacy and security (such as opt-out/opt-in or disclosure requirements) will continue to be enshrined in regulations and standards. But these technologies and regulations will cover only superficial and niche issues, with some brighter points, such as privacy preservation in web browsers. With AI and edge computing relying increasingly on data movement, it’s expected that longer term, privacy preserving features will be embedded in communication protocols, and that regulations will increasingly address the foundational points of privacy, including user control and transparency of user data utilization.
4. Human threats policed by machine trust
What we already know: The easiest way to break into anything that is locked is to get someone to hand you the keys. Multifactor authentication has closed one major gap and prompted researchers to document increasingly complex breach tactics including physical proximity to systems and supply chain compromises. While these need to be considered carefully and addressed, the most common tactic remains phishing unwitting insiders or offering disgruntled ones a platform or dollars. AI is intersecting with human factors and psychology fields to build up increasingly robust detection capabilities where unusual digital behavior can trigger an investigation.
What could be next: Even the most robust human attestation and detection of anomalous behavior solves only half the problem. Companies are increasingly asking: “What about the attestation of the machine itself?” Some are requiring cryptographic internal digital hardware attestation of a system each time an employee logs in to ensure the system itself hasn’t been compromised. Interest in this is growing as more employees work from outside the traditional secure perimeter of the company office or lab.
5. The marriage of hardware and software security
What we already know: Software was (and remains) a major target, with most successful attacks occurring at this level. But as software gets more secure, successful exploitations don’t always yield the keys to the kingdom or full system access, like they used to. Hackers are going deeper into areas of higher privilege, like the firmware and hardware. System security is built on complex trust relationships, and the relationship between hardware and software is crucial for trusted system execution.
What could be next: Hardware and software are being designed to work better together, which should result in new trust mechanisms allowing for ongoing, real-time verification and attestation. As the compute world continues to grow, the trusted handoff between software and hardware when securing a system and data will become more valuable.
6. Digital transformation and “cloudification”
What we already know: Lots of people are now working from home, resulting in more and more applications and data moving to the cloud. Savvy organizations recognize the benefits and potential risks of this model, and they ask the appropriate questions about the physical security of the hardware and the layered approaches to securing the software.
What could be next: Moving forward, conversations must also include customer perceptions of privacy, trustworthiness, and ethics (based on the decisions to collect and store data). It will be increasingly valuable to understand how data will be used, and how it will be protected. Stakeholders also need to be prepared to address how data is being protected at the hardware layer while it is in any state – at rest, in transit, and in use.
2022 should be another exciting year of security innovation and challenges. While the six we highlight today are just the beginning, it’s important to also consider other key areas such as crisis simulation and planning and the impact of user experience in security.
Contributing author: Tom Garrison, VP and GM of Client Security Strategy and Initiatives, Intel