A neighbor, who I haven’t seen in a while, asked me this morning, “What’s new?” and I could not think of a single thing. Somehow, we find ourselves on the precipice of a new year, yet little has actually changed. Kids are back in school (hooray!) but grownups aren’t necessarily back in the office. In fact, many have predicted that the very idea of going to work at an office has forever changed.
Ah, predictions. They certainly are fun to think about. No, we don’t have a crystal ball, but our advisory board at RSA Conference is comprised of esteemed and incredibly influential professionals whose predictions may help you prepare for challenges you might face in 2022. When we asked our board to reflect on 2021, what security issues surfaced, how they were resolved and what they think will arise in 2022, they predicted it would look a little like this:
A Quest to Find Weaknesses in Systemic Dependencies: The hours-long Facebook outage in early October 2021 served as a stark reminder of the many systemic dependencies we have integrated into everything, though we remain largely unaware of the impact of those dependencies until there’s an outage. Hugh Thompson, program committee chair, RSA Conference, said “it seems like there’s a Jenga puzzle of society and dependencies that we have, yet we don’t really know what it looks like until one of the pieces gets pulled.” Inevitably, blocks will get removed in 2022. We need to think now about the impact each piece has on the whole puzzle to avoid seeing the tower come crumbling down.
Taking Ransomware to the IoT Level: Ransomware remains top of mind. Caroline Wong, chief strategy officer at Cobalt predicted we will see malicious parties continue to scale and specialize when it comes to launching ransomware attacks. And yet, Wong said she expects to see some evolution in ransomware, particularly with regard to IoT. “Consumers are familiar with ransomware. They’ve come to expect it. They’re nervous and terrified of it. Attackers will leverage social engineering techniques to trick victims into paying ransoms, even if their information has not technically been made unavailable.”
2022 could be the year we see malicious actors exploiting vulnerabilities in IoT devices in general, Wong said. “Different from the type of ransomware that occurs where hackers encrypt a victim’s information and hold it for ransom while demanding payment, this type of attack will involve attackers taking over the ability to communicate with a victim through an IoT device and leveraging social engineering to manipulate their behavior while exploiting their fear and anxiety.”
Adversaries Outside of Russia Will Cause Problems: Recognizing that Russia is a safe harbor for ransomware attackers, Dmitri Alperovitch, chairman, Silverado Policy Accelerator said, “adversaries in other countries, particularly North Korea, are watching this very closely. We are going to see an explosion of ransomware coming from DPRK and possibly Iran over the next 12 months.”
What’s concerning about this potential reality, said Ed Skoudis, president, SANS Technology Institute, is that these other countries will be less experienced, making it more likely that they will make mistakes. “A little less experience, a little less finesse,” said Skoudis. “I do think we are probably going to see—maybe accidentally or maybe on purpose—a significant ransomware attack that might bring down a federal government agency and its ability to execute its mission.”
You’ve Been Served: The idea of accountability is one with many tentacles, and while we’d like to see everyone taking responsibility to protect the greater ecosystem of our interdependent digital world, those who fall short of meeting security requirements will be held accountable. Alperovitch said, “next year will we likely see the federal government sue one of its federal contractors for shoddy security.”
The Skills Gap Will Escalate to Crisis Mode: Though cybersecurity programs are being implemented across the entire education landscape, Skoudis predicted that “the lack of cybersecurity professionals and expertise will continue to grow to, essentially, a crisis mode as technology proliferates and gets more complicated and sophisticated. Cloud complexities and multi-cloud complexities are getting bafflingly difficult to deal with, and we don’t have enough good people.”
A Shift to Altruism: In part, the question of whether we will take the time to identify the weaknesses in our systemic dependencies ties into this next prediction of shifting toward altruism. The very act of thinking about potential systemic failures recognizes that we rely upon and are responsible to and for one another. Wendy Nather, head of advisory CISOs at Cisco, said that a lot of the discussions around dependencies have focused too much on shaming the victims for not doing their part. “Now we’re talking about legislation to make providers do their part. It’s not just a supply chain question. The question is ‘What do we owe one another?’ because these relationships are not single strands. They are not single supply chains. It’s an ecosystem.” In 2022, we’d like to see more recognition of the reciprocity of our relationships. There is no hierarchy on which anyone could place the onus of responsibility at the very top level. “We’re all walking around with loaded weapons,” Nather said.
Finally, my favorite prediction for 2022 came from Dmitri Alperovitch who closed out our predictions conversation with the proclamation that, “There will be an in-person RSA Conference next year!” That’s one I firmly believe we can all hang our hats on. I look forward to seeing you all there and to watching the year ahead unfold together. Let us all be delicate and intentional with our Jenga blocks so that our interdependent tower continues to rise up tall, strong and secure.