Predicting the future may seem an impossible task, especially given the speed with which our world, and the world of cybersecurity, changes, but there are already signs of two major shifts coming in 2022 that you need to have on your radar.
1. Regulations are Finally Coming
As many parts of the government tighten their control over cybersecurity, and court decisions set new precedents, companies will have to adapt and respond. Yes, this represents added pressure and cost, but most of the required changes should already be standard practice in most organizations, and they do genuinely elevate the security posture.
We have already begun to see indications and movement toward this, but my prediction is that we will see new regulations fast-tracked for cybersecurity standards, first in the form of executive orders to government suppliers (already started), and then expanding to regulated industries via more specialized government agencies.
The policies and standards eyed by this legislative and regulatory shift of focus are already present, and we are seeing this administration make moves that have long been heralded. Recent rulings by the SEC, for example, put incident disclosure at the top of the list of things that will change, but policy and process such as scanning and detection will also soon be scrutinized. Other areas of the economy, such as insurance, will be included as their connection to cybersecurity becomes stronger and clearer.
Court decisions and penalties such as government fines will set precedents, and companies will make moves to avoid the newly articulated risks of non-compliance in cybersecurity. This will create a new cybersecurity floor, a standard that many companies will have to rise to meet. The level of security required for mere compliance will move closer to the standard of being highly secure, though many will still make their deployment decisions based on compliance rather than security.
Further down the road, expect pressure from governments for more accountability from Chief Information Security Officers (CISOs), similar to that of CFOs. This could come in many forms, but the NYDFS regulations could serve as a template. Organizations will need to support CISO efforts to confidently attest to the company’s security posture.
>> The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a new set of regulations from the NY Department of Financial Services (NYDFS) that places cybersecurity requirements on all covered financial institutions.<<
Globally, cryptocurrency will face additional regulation, and that will affect the nature of ransomware. Banks have long been expected to know their customers, and blockchain ledgers aren’t truly private, merely anonymous. Expect exchanges and others in the ecosystem to be compelled to unmask customers under subpoena. Criminal gangs will employ new tactics that only larger criminal organizations can carry out.
The following are some specific regulations we expect to see in 2022:
- SEC penalties for lack of transparency will extend to vulnerabilities and not just incident disclosure.
- New cryptocurrency regulation in several countries will change the nature of ransomware, discouraging any but the bigger gangs who typically target larger organizations.
- Ransomware disclosure laws (proposed by Senator Warren) will get pushback from private companies, but the list of “terrorist organizations” that can’t be paid ransom will grow greatly to make up for it.
- Cyber insurance coverage will increasingly depend on the existing level of cybersecurity posture and organizations will have cybersecurity standards they’re expected to meet.
2. The Supply Chain Will Be Scrutinized
Gaps in the supply chain and inadequate security operations by vendors and third parties have been to blame for many of the notable attacks on private industry in the last decade or so, with few consequences. The industry’s response has been a modest move to improve vendor management, but nothing of note. This will be an important area of focus in 2022, starting with greater disclosure.
For one, the myth that cloud computing is inherently more secure will be further exposed. In fact, the opposite is true, and cloud vendors will be scrambling to add more caveats to cover their liability, but also to build and partner to fill those gaps or, at minimum, to disclose them.
The backdoor inadvertently created by automated AWS appliance installations allowed hacker rootkits to be installed. Customers didn’t create that exposure, Amazon did. The potential risks of cloud computing will become too much to bear for many workloads and the benefits of going to the cloud will diminish as security is prioritized over convenience.
It’s become clear that the use of third-party vendors only outsources the work and not the risk. If something happens, the blame and responsibility will fall legally and socially on the company, not its vendors. In general, the whole IT supply chain is on notice and we could see a big fallout if another such wide-scale incident like the SolarWinds, Hafnium or Kaseya attack occurs.
Vendors will work to (quickly) fill in the security gaps that exist, although I don’t think they will ever be able to solve the frequent problems that employee errors and negligence present for cloud computing customers.
Vendors may change their marketing language and service policies to make clearer which gaps they are unable to cover, but that will likely have the effect of warding off potential customers. Sophisticated and well-resourced customers can apply more controls and scrutiny, but they need more transparency and accountability from vendors to do so.
In the further future, years from now, hosting providers may be willing to (or compelled to) take more responsibility for security vulnerabilities, but any such change would more likely be the result of regulation.
As many of the reasons cloud computing has been so popular are either made irrelevant by developments in cybersecurity (attacking and defending) or revealed to have been myths the entire time, the reasons to move to the cloud will become more specialized and may no longer be seen as a panacea for all business computing concerns.
This seems an unlikely shift in momentum, however. Companies with high security concerns will perhaps move certain workloads back on premises, or host them securely via private colocation, but the general business world’s move to the cloud will continue, creating more exposure as it does. Cloud computing infrastructure is the “pipeline” of the information age even more than the Internet itself. Its exposure should be of national economic concern.
Over the past few years, large-scale attacks like the Colonial Pipeline attack have shown how vulnerable the larger economic supply chain is to cybercrime. The stakes are higher now, as the infrastructure and ability of our country to do business are more severely impacted by cyberattack. The collateral damage is too much to ignore.
The fatigue many have developed toward the effects of data breaches, such as identity theft, has not caught up with what the actual effects of a cyberattack are quickly becoming. Without even intending to create large-scale problems, a cyberattack caused a large gas shortage in the United States, and the effects were felt far and wide by many who have no ostensible relation to the target at all, except via the supply chain.
Affecting people outside the targeted organization draws increased attention that criminals don’t want. But their need to go for bigger payloads, improved security measures, and the availability of cyber insurance have conspired to raise criminal activity to these new heights and to greater exposure.
It’s good news and it’s bad news. Governments and industry are going to do more and do better. We will all be more secure because of it. But we need not resist these efforts, inconvenient as some may be.
The threat of crime and its scale are going to increase in 2022, partly in response to our improving security posture, but also because cybercriminals are now large professional enterprises, whole ecosystems in fact, and they need to keep growing.