By Michael Daniel, CTA President & CEO
Yogi Berra once said, “It’s difficult to make predictions, especially about the future.” That’s true unless you are making predictions about cyber threats. In that case, you can simply say that tomorrow will be worse than today, and you will almost certainly be correct. However, such predictions aren’t all that useful. The real trick, of course, is predicting how and where those threats will get worse – in other words, predictions that would be helpful in making decisions. While I don’t have a better crystal ball than anyone else, in the spirt of making predictions as the new year gets underway, I would highlight four that cybersecurity providers should think about as they allocate their time and resources:
The cyber aspects of the Russia-Ukraine war will spread – while the Russia invasion of Ukraine did not result in sustained, widespread cyberattacks outside of the region in 2022, the lack of past performance does not necessarily predict future inactivity. In fact, if the war continues to go poorly for Russia, the downsides for using such capabilities outside of Ukraine could decrease while the incentives increase. Thus, the risk of destruction and disruption as a side effect of the war will likely increase over the course 2023.
That war will generate many second order effects – the conflict will affect the relationship between governments and the cybersecurity industry. For example, many cybersecurity companies are providing defensive support to the Ukrainian government and digital ecosystem. While providing such support is the right thing to do in this situation, these actions raise a host of questions. What are the rules companies need to follow to avoid becoming a combatant? Will some governments declare such support a hostile action even though it is purely defensive in an attempt to dissuade companies from assisting targeted countries? Can countries direct companies to provide support – or withhold it? While changes to the government industry relationship are not typically considered a “threat,” they could nevertheless have profound effects on how cybersecurity companies operate. Developing some internal answers to these questions in advance is the best defense.
Multifactor Authentication Fatigue could derail adoption – as always, adversaries are figuring out ways to exploit human psychology to their advantage. If a bad actor can wear out a user with MFA requests (the digital equivalent of “Are we there yet? Are we there yet?”), then they can get the target to bypass that security measure for them. That adversaries are targeting MFA is hardly surprising, but what could become a problem is the potential effect on adoption of MFA generally or other “more than a password” solutions. We cannot let the story become “MFA doesn’t make your more secure, it’s just extra pain for no gain.”
Cybersecurity, privacy, and safety entanglements will increase – as digitization and connectivity continue their march, cybersecurity, privacy, and safety will become even more intertwined. Threats will no longer just be “just” to privacy, security, or safety, but will often affect two or three of those aspects at the same time. Thus, even as the cybersecurity industry grapples with making products and services across different types of cybersecurity more interoperable (e.g., combining host-based XDR technologies with network security capabilities), we will have to integrate policies, practices, and solutions across what are now disparate disciplines. Companies that embrace this additional complexity and work to reduce it for their customers will thrive; those that try to stick to a narrow vision of security will lose out.
Undoubtedly, 2023 has some surprises in store for us and many predictions about the upcoming year will prove wrong. Yet even wrong predictions can be beneficial if they drive strategic thinking and encourage flexibility. That’s the real benefit of trying to peer into the future – not that you will correctly anticipate every change but that you will be more ready for any change.
Fortunately, we have some tools in place to mitigate these threats if these predictions turn out to be correct. For example, threat intelligence sharing speeds up our ability to become aware of changing threats and to adapt to those changed threats, while operational collaboration within the private sector and between the public and private sectors enables more effective countermeasures. Nonprofits organizations like CTA provide the neutral spaces needed for such sharing and collaboration to occur.
So, welcome to 2023. I’m sure it will be an interesting year, whether we like it or not.