Anna Delaney: Hi, I’m Anna Delaney with ISMG. 2022 will go down as a memorable year in cybersecurity. The Russia-Ukraine war turned cyberwarfare into a reality. Cryptocurrency markets imploded. While there was no log4J or SolarWinds level hack that we know of, industry stalwarts Microsoft and Cisco suffered breaches, as did Twitter and Uber. So how should we characterize 2022? We consulted with some of the top professionals in the industry and ask them to describe the year in one word. Here’s what they said.
Richard Bird: Abysmal.
Chase Cunningham: Affordable. That’s what I want to see in cyberspace.
Tom Kellermann: Guerrilla warfare. That’s the battle that we waged, that’s the battle that’s being waged against us.
Steve King: The biggest problem in my mind, and the one word I would use is complexity. I think we’ve created this. We’re our biggest enemy.
Sam Curry: One word is insufficient, but I’ll say hopeful.
Delaney: As we enter the New Year, we asked our experts about the trends to watch in 2023. They helped us put together a list of 10 predictions for this highly unpredictable industry. Our panelists began with the topic of API security. The API economy is growing as organizations rely more heavily on open source software, and custom interfaces to bridge cloud and legacy systems. API attacks resulted in several high profile breaches and 2022. Expect cybercriminals to step up their attacks on API vulnerabilities in 2023.
Bird: This is something that Gartner in particular has been calling out for several years that the kind of Layer 7 application tier is going to become the primary attack surface and exploit by 2022 was their statement – that it will become the predominant method. It isn’t but it’s definitely trending that way. What we’re going to hear more about will be in 2023 a massive U.S.-based API exploit related breach. It is going to happen.
Kellermann: It’s about modern application development. It’s the fact that the developers in many organizations are more powerful than security teams. It’s about API. APIs are being attacked left and right for good reason. Very few people really understand how to defend API, so they think their laughs can defend them against those types of attacks. I think it’s very concerning in both regards, you have the migration to cloud and multi cloud environments, public cloud environments with this implicit trust.
John Kindervag: The developers have way too much power probably. They care very little about security. They want to go fast. In fact, I often joke, they’re the Rookie Bobbies of IT. I just want to go fast. I got to I got a cougar sitting next to me in the car. I don’t care about security. I’ve had so many people tell me, I don’t care about security, I got to do however many pushes a day. How can I make it secure. And oh, by the way, by the time that this has proven to be insecure, I’ll be on to another job anyway.
Delaney: Critical infrastructure, a prime target of nation-state actors relies on a combination of IT and OT systems to keep plants running smoothly. However, many industrial control systems are decades old and vulnerable to attack. In fact, last year, IBM X-Force observed over a 2000% increase in adversarial reconnaissance targeting ICS vulnerabilities, which puts all critical infrastructure at risk. Our experts warn, be prepared for attacks against power grids, oil and gas supplies, and other critical infrastructure targets.
Kindervag: We will have problems in OT security as long as we keep talking about it as OT security and IoT security versus just cybersecurity, right? Because there’s no difference. It’s a packet talking to something. That resource does a particular thing, a POC and HMI, a SCADA system, it doesn’t matter.
Curry: Some parts of critical infrastructure are more vulnerable than others. The things that especially have to do with loss of life, where you get medical care, things that have to do with water, that have to do with food, supply, and energy. I think while CISA has a huge responsibility, and each of those critical infrastructure divisions has a lot of work to do, things like energy production is very, very vulnerable right in the middle of the winter for much of the Northern Hemisphere.
Cunningham: We have this thing going on where if you build a system and connect it to water or electricity or nuclear or god knows what else and then you leave admin on the internet, somebody can come out later on and go “Oops, I’m sorry, I screwed up” and they get a golden parachute and walk out like if you’re going to do that, send me $6 million and you can beat me in the middle of the Superbowl, like that’s the crazy thing for these people don’t understand. There’s no punitive measures. We need to introduce a standard and legislation for negligence. If you’re in charge and you do negligent things and don’t take care of it, you need to be wearing an orange jumpsuit in a six by nine cell for 10 years.
Delaney: Multi-factor authentication was once considered the gold standard of identity management, providing a crucial backstop for passwords. But all that changed this year with a series of highly successful attacks using MFA bypass and MFA fatigue tactics combined with tried and true phishing and social engineering. Experts warn that success won’t go unnoticed. Attackers will increase multi-factor authentication exploits.
Bird: The method of attack predominantly used for MFA is social engineering to bypass or exploit MFA. The success that bad hackers had with social engineering against MFA to exploit it was headline news. Headline news attracts, you know that next wave of ransomware, other bad actors that kind of want to jump on the newest methods to exploit an attack. So I definitely think we’re going to see a lot of situations where MFA strong authentication is exploited and bypassed. I think, unfortunately, it’s just a reminder to us all that tech is only a certain percentage of the solution. When we look at the current state of 2022, everybody is holding on to these old architectures, these old methods, these old structures of how they’re managing cybersecurity, and they’re going “we’re doing the best that we can,” which is amazing to me “we’re doing the best that we can with a leaky boat.” Why don’t we fix the leaks?
Delaney: Ransomware attacks have proliferated across public and private sectors and tactics to pressure victims into paying ransoms have expanded to double and even triple extortion, that because of the reluctance of many victims to report the crime, the actual number of incidents isn’t really known. Expect ransomware attacks to hit bigger targets, and exact bigger ransoms.
Lisa Sotto: Ransomware continues unabated. The environment is honestly more malicious than ever. We say that every year, but this year, it does seem more malicious than it’s ever been. We continue to battle with the threat actors, for companies in every industry sector. The threat actors really have been busier than ever, which means we are busier than ever trying to manage the fallout.
David Pollino: I think we’re going to be surprised by something that is going to, hit us across the board. I’ve had some recent conversations with some security people around the opportunity to mobile-based ransomware. We’ve seen a lot of ransomware around your cloud storage, we’ve seen a lot of ransomware around your computer, maybe a little bit less of what’s taking place on your actual device, on your actual iPad. For many people, that’s where it knows more about them than the individuals as well. So whether it’s actually taking over the device itself, accessing embarrassing or any information that people want to keep secret on their device, I think we may see some innovations there by the criminals but I have a feeling 20 years from now, we’re still going to be talking about ransomware.
Kellermann: Like in ransomware payments to sanctions evasion and violation of sanctions and let’s ban them and any virtual currency or exchange that’s complicit it and laundering the proceeds associated with ransomware should have their assets forfeited, and put into a super fund to fund critical infrastructure protection domestically. That’s my Christmas wish. That’s it. Simple thing. Ample laws on the books.
Delaney: The momentum behind digital transformation programs has prompted a mass migration to public cloud. This trend began in the corporate sector and has expanded to large government agencies, creating a hodgepodge of complex, hybrid and multi cloud environments. Containerization of applications has led to widespread malware infections, and this year, we saw the introduction of serverless malware aimed at the AWS cloud with so much more data moving to the cloud, watch for attackers to target the major cloud hyper scalars.
Kellermann: I really think this is the moment where whether either I’d say the Russians or the Chinese choose to commandeer an entire public cloud environment and use it as a launchpad for like systemic wiper attacks or ransomware attacks as a manifestation of geopolitical tension due to whether it’s what’s going on in Ukraine or what’s going on Taiwan.
Kindervag: To me cloud is a regression in security, the native cloud controls, stateless hackles from IP tables, 1992, so I just don’t understand why the love affair of security and cloud happens. If you looked at Martin Casado’s report for Andreessen on the cost of a cloud, the trillion dollar paradox and how clouds are now as expensive as data centers, I’m wondering, or I’m hoping that people will start rethinking that and wondering is the cloud the best place to go, given the threat environment.
King: We see breaches every day due to bad configurations for either hybrid cloud or containers. So, I don’t know how we’re going to do this with the current level of knowledge.
Delaney: The principles of zero trust defenses have been around since 2010. But only in the past few years of cybersecurity organizations, and the vendor community began to embrace the concept of least privilege continuously verified defenses. This approach received a major boost just last month, when the U.S. Department of Defense announced its zero trust strategy, with hackers moving laterally across IT environments with ease, expect wider adoption of zero trust, as organizations look to modernize their defenses.
Cunningham: If you’re sick of zero trust, 2023 is going to be your year, because it’s going to keep on coming with a fervor. So drink your zero trust Kool-Aid and get your zero trust hoodie and all that stuff. But there’s a reason for that, because the strategy is making a difference, there’s studies to validate that, to indicate that. Organizations are beginning to move towards the adoption cycle for this whole thing. it’s my ray of hope, what we’re moving towards is a better state over time, the DoD publishing their strategy was a watershed moment. And it’s just going to continue going on from here.
Bird: This is the year, 2022 is the year that I really experienced a lot of resistance up and down the management chain within companies to zero trust. And it’s starting to crack open a lot of dialogue about what zero trust is, what it’s not, what it can actually accomplish. I think to that may be the change in 2023, where discussions become more relevant, become more tangible, some of it is the efforts that a lot of folks on this call had been engaged in, inclined back zero trust from kind of the marketing domain, and putting meat around the bones. And really kind of focusing on ZTM, what it delivers from a security standpoint. But I think where the debate will happen is people are still very, very notionally tied to defense in depth, overlapping controls as their security architecture. And that goes back to what I said about situational awareness? We have, we have nearly 30 years of documented evidence that clearly shows that those models suck, and they’re not working. And that’s why I think that the dialogue on zero trust is going to be very dynamic and 2023. Because people are going to have to defend those positions for their old security architectures, and mindsets and framework. Because they are failing, and give an excuse for why they’re not willing to try something new relative to security.
Kindervag: We have to change the incentive structure around cybersecurity and make it an imperative at the C-suite so that they get the proper funding they need. This is the first year that I got a call from somebody who said we got a new CFO, and he said, “We’re under spending in cybersecurity and we better start figuring out what we’re going to do, because we can’t have this kind of low spin and high risk.” And so I think that the incentive changes that it’s driving are going to be the most beneficial to the industry that we all know and love.
Curry: I’ve seen encouraging signs, but we still haven’t seen requirements for cybersecurity skills, hard requirements for boards, they’ve talked about it with the SEC, I did see the Sanford policy school and Duke did put on a really great event where they were board members could come and find out what questions to ask of cyber people. And they did a simulated breach. That was a great thing to see. My own CFO asked me if he should get a CISSP, which frankly shocked me. Because he was expecting to need those skills is to get board positions in the future and to be relevant to business. But those are exceptions. I think while we’re making progress, I’m not sure that most people at the C-suite can spell zero trust yet, let alone talk about what the tenets of it are, the pillars of it are, how we get less trust in environments and I think we got to learn more business speak on our side to get those principles across.
Delaney: The conviction of former Uber CSO Joe Sullivan in October for obstructing the investigation of a cover up that 2016 data breach sent shockwaves through the cybersecurity community. The prospect of being held criminally liable in an incident response, in addition to getting fired as senior security leaders rethinking their role in the organization. Look for chief security officers to negotiate employment contracts with greater personal protections.
King: I think that the Joe Sullivan case as an example is going to make a dramatic shift in how CISOs prepare for that next job.
Jonathan Armstrong: And often in these situations, the C-size is friendless really. The victims don’t love him, the management isn’t necessarily going to support him. And you might have management actively briefing against the CISO, to shareholders and to prosecutors. So unfortunately, it is a lonely place for CISOs. When you’re starting a position when you’ve got some bargaining power, making sure that your contract is robust that you’ve got the protections you need there. I think it might involve looking at reporting lines. So who reports to who is going to report a data breach. And again, rehearsals are important then so that individuals know their own roles and responsibilities in the team. And you’re clear what you will do, what you won’t do. I think it’s about due diligence, when you move to an organization, is there a data breach there that hasn’t been reported, and how you’re going to manage that if you’re the new girl coming into the team, and sorting all this out? I think it’s about director and officer liability insurance – DNO insurance – so making sure that your name is on the policy and making sure that the organization will support you. If there is an incident financially.
Bird: I think that there’s going to be an overall change. I think that that’s going to break the back of the old argument of who the CISO should report to as well. Because we’re going to see that in order for things like DNO insurance to be applied and then vote for a CISO. They’re not going to have reporting structures. They are going to be one or two down from CEO or CIO or CTO.
Delaney: The first cyber insurance policy was written more than two decades ago. But the cost of recovery and business losses from ransomware attacks has grown exponentially. In fact, losses by hospitals typically exceed $100 million. As a result of cyber insurance are raising the rates or exiting the business altogether. The availability of cyber insurance will continue to dry up increasing financial risks for business owners.
Bird: Bitcoins quote was a banker as a fellow that lends you an umbrella when the sun is shining, and takes it away as soon as the rain starts to fall. I think the cyber insurance industry is very much in that space, as well as people who are using as their corporate strategies, cyber insurance as a backstop to their own security, inefficiencies and problems, which has been a standard method of operation for a decade now, which is, I know that I have risks, I am choosing not to mitigate those risks because I have a financial backstop in place. That financial backstop is rapidly being removed as the rain starts to fall. For many companies and anecdotally, a lot of us are hearing the payouts on massive breaches that have occurred over the last 24 months have been somewhere between zero to 30% on the dollar that was agreed to in the premium and on the payback and reason this is because not only is the entire cyber insurance industry reevaluating what they’re doing their actuarial is by design. So they’re now beginning to calculate their risk based upon what they’ve found. Not in news headlines, but when they’ve gone and done the deep forensics that they’re going to do every time one of their customers has been breached. And they’re continuing to find that the basics of cybersecurity have been done poorly or not at all.
Delaney: A series of breaches, major losses in market value and the FTX crypto exchange scandal sent the cryptocurrency world into a tailspin in 2022. Look for government agencies to place tighter controls on cryptocurrency firms to protect investors by money laundering and improve security.
Ari Redbord: Today, you already see regulators globally thinking in pretty sophisticated ways. We’ve only seen a handful of jurisdictions where you have a comprehensive framework for crypto. One of those places is the European Union – the EU – where you have MiCA – the markets in crypto-assets – regulation, or legislation that really sort of hits a bunch of the key sort of areas, starting with stable coin regulation, and then talks about how do you regulate centralized exchanges like FTX? And the amicus answer to sort of the future scenarios, like FTX is a really robust licensing licensing pipeline, where regulators really dig in to the operations, the governance structures of how one of these entities operates. And that conversation is happening absolutely everywhere. Just this week, we saw the Brazilian legislature, the Chamber of Deputies move comprehensive crypto legislation to the President that has taken seven years, MiCA took years, 2019, 2020 to get to the place we are today. We’re just starting to see movement within the U.S. Congress. And I’m hopeful that over the next really few years, we’ll see a comprehensive framework, but I think for the moment, we’re going to see sort of piecemeal action, whether it’s on stable coins, whether it’s on sort of centralized exchanges, with just given the FTX scenario, we’re going to see movement. But right now, in the U.S., where we’re seeing the most movement is from the executive branch – what is the SEC doing in terms of enforcement actions? What is Treasury doing?
Kellermann: The rogue nation states of this world are laundering the majority of their illicit funds through crypto, it’s not going to break because economic sanctions are avoided by crypto, it’s not going to break because cybercriminals whole economy of scale that’s massive, it’s larger than our industry is laundered through crypto, but I would say it was an awakening or reckoning for blockchain. I mean, in the construct of, “oh, it’s bulletproof. It’s so secure.” And we’ve seen these dramatic attacks against defy platforms left and right, where they’re just getting compromised, left and right. How the North Koreans build these missiles, they shoot on the proceeds of hacked exchanges. But I think it’s a reckoning for the security of exchanges as well.
King: One of the other good things that came out of this was, you know, that made … it’s reset the venture capitals, community’s approach to funding, great new ideas that startups have with 10x over valuation. And I think that as is going to retire for a while, you know, and that’s good because we’ve been, we’re cheap money and all these folks being hired to work on you, what essentially is crap, for another point solution to duke it out with a market leaders to me, never made a lot of sense, we’re working on if we’re going to spend that kind of capital, and I mean, people and money, why aren’t we working on the large problem that we’ve been discussing here? Why don’t we try to solve the reason why we’re here to begin with, instead of, you know, “I’ve got this great, you know, endpoint protection solution that scrambles eggs and makes your bed in the morning alongside it.” I mean, I would actually buy that.
Delaney: And finally, most large corporations have offered cybersecurity awareness training for years, but it doesn’t seem to be working. Cybersecurity resources are getting harder to find. Look for organizations to change the way they deliver education and certification programs, with an eye toward more engaged learning career paths and upskilling CISOs.
King: We’ve got practitioners who are working hard to try to make this stuff work, but they actually have no comprehend, no understanding of what they’re doing. I mean, it’s you, you do got 10 people in a room and said, you know, “tell me how Kubernetes works.”
Kindervag: We don’t train people the way we used to, to go out and learn these things on their own. They expect it to be given to them through training certification. And this is the problem with training as much as I like working with CyberEd and stuff. We got to get people to be more experiential and more inquisitive and want to know the answers on their own.
King: Our intention here, our mission is to reduce complexity through understanding and through, you know, learning paths that are addressed right at bat so that folks can actually understand what they’re doing, when they’re doing it and that I don’t see any of that happening today. So we’re looking forward to that.
Delaney: As you can see, the consensus among the experts is that for the most part, little progress is being made to meaningfully respond to the right rising tide of threats but there’s hope 2023. For ISMG, I’m Anna Delaney, wishing you a happy and safe year ahead.