A neighbor, whom I haven’t seen in a while, asked me this morning, “What’s new?” I could not think of a single thing. Somehow, we find ourselves in the new year, yet little has actually changed. Kids are back in school (hooray!), but grownups aren’t necessarily back in the office. In fact, many have predicted that the very idea of going to work at an office has forever changed.
Ah, predictions. They certainly are fun to think about. No, we don’t have a crystal ball. But our Advisory Board at RSA Conference is comprised of esteemed and incredibly influential professionals whose predictions may help you prepare for challenges you might face in 2022. When we asked our board to reflect on 2021, what security issues surfaced, how they were resolved, and what they think will arise in 2022, they predicted it would look a little like this:
A Quest to Find Weaknesses in Systemic Dependencies: The hours-long Facebook outage in early October served as a stark reminder of the many systemic dependencies we have integrated into everything. However, we remain largely unaware of the impact of those dependencies until there’s an outage. Hugh Thompson, Program Committee Chair at RSA Conference, said, “It seems like there’s a Jenga® puzzle of society and dependencies that we have, yet we don’t really know what it looks like until one of the pieces gets pulled.” Inevitably, blocks will get removed in 2022. We must think now about the impact each piece has on the whole puzzle to avoid seeing the tower come crumbling down.
Taking Ransomware to the IoT Level: Ransomware remains top of mind. Caroline Wong, Chief Strategy Officer at Cobalt, predicted we would see malicious parties continue to scale and specialize in the different ways in which they launch ransomware attacks. Yet, Wong said she expects to see some evolution in ransomware, particularly with IoT. “Consumers are familiar with ransomware. They’ve come to expect it. They’re nervous and terrified of it. Attackers will leverage social engineering techniques to trick victims into paying ransoms, even if their information has not technically been made unavailable.”
And 2022 could be the year we see malicious actors exploiting vulnerabilities in IoT devices in general, Wong said. “Different from the type of ransomware that occurs where hackers encrypt a victim’s information and hold it for ransom while demanding payment, this type of attack will involve attackers taking over the ability to communicate with a victim through an IoT device and leveraging social engineering to manipulate their behavior while exploiting their fear and anxiety.”
Adversaries Outside of Russia Will Cause Problems: Recognizing that Russia is a safe harbor for ransomware attackers, Dmitri Alperovitch, Chairman of Silverado Policy Accelerator, said, “Adversaries in other countries, particularly North Korea, are watching this very closely. We are going to see an explosion of ransomware coming from DPRK and possibly Iran over the next 12 months.”
What’s concerning about this potential reality, said Ed Skoudis, President of the SANS Technology Institute, is that these other countries will have less practice at it, making it more likely that they will accidentally make mistakes. “A little less experience, a little less finesse,” said Skoudis. “I do think we are probably going to see—maybe accidentally or maybe on purpose—a significant ransomware attack that might bring down a federal government agency and its ability to execute its mission.”
You’ve Been Served: The idea of accountability is one with many tentacles, and while we’d like to see everyone taking responsibility to protect the greater ecosystem of our interdependent digital world, those who fall short of meeting security requirements will be held accountable. Alperovitch said, “Next year, we will likely see the federal government sue one of its federal contractors for shoddy security.”
Skills Gap Will Escalate to a Crisis Mode: Though cybersecurity programs are being implemented across the entire education landscape, Skoudis predicted that “The lack of cybersecurity professionals and expertise will continue to grow to essentially a crisis mode as technology proliferates and gets more complicated and sophisticated. Cloud complexities and multi-cloud complexities are getting bafflingly difficult to deal with, and we don’t have enough good people.”
A Shift to Altruism: In part, the question of whether we will take the time to identify the weaknesses in our systemic dependencies ties into this next prediction of shifting toward altruism. The very act of thinking about potential systemic failures recognizes that we rely upon and are responsible to and for one another. Wendy Nather, Head of Advisory CISOs at Cisco, said that a lot of the discussions around dependencies had focused too much on shaming the victims for not doing their part. “Now we’re talking about legislation to make providers do their part. It’s not just a supply chain question. The question is, ‘What do we owe one another?’ Because these relationships are not single strands. They are not single supply chains. It’s an ecosystem.” In 2022, we’d like to see more recognition of the mutuality of our relationships. There is no hierarchy on which anyone could place the onus of responsibility at the very top level. “We’re all walking around with loaded weapons,” Nather said.
Alas, my favorite prediction for 2022 came from Dmitri Alperovitch, who closed out our predictions conversation with the proclamation that, “There will be an in-person RSA Conference next year!” There’s one I firmly believe we can all hang our hats on. We’ve moved our 2022 physical event date from February 2022 to June 6 – 9, 2022, and I look forward to seeing you all there. Let us all be delicate and intentional with our Jenga® blocks so that our interwoven tower continues to rise up tall, strong, and secure.