Beyond the Obvious: The Boldest Cybersecurity Predictions for 2023 – Dark Reading
The end of the year is upon us, and that means predictions — lots and lots of predictions. And no wonder: With 2022 in the books, cybersecurity professionals worth their salt are starting to think about what’s around the next bend; one needs to be prepared, after all.
This year, we wanted to break out of the mold of covering predictable predictions (“more automation is on the horizon,” anyone?) to focus on some of the more out-there views on what the cybersecurity landscape might hold for the next revolution around the sun. In this, our stable of experts didn’t disappoint.
Security experts from near and far gave Dark Reading their most outrageous/boldest security predictions for 2023. Whether that’s something that will happen on the threat side of things (hackers will start WWIII), an impending crazy cyberattack (looking at you, evil Santa elves), a prediction for insane futuristic tech on the defensive side (bot vs. bot), nutty enterprise trends (spyware for employees), what have you — these crystal ball-isms will hopefully make you think about what is in store.
For instance, David Maynor, director of the Cybrary Threat Intelligence Team (CTIG), offered up a slew of hot takes for 2023 that run to the dystopian. And we’re here for it:
“Information security practitioners will continue to be divided into topics, such as active defense, to the point that pseudo-religious cults may form,” he opines. “DEF CON will be canceled. A reboot or sequel of one of the following movies will be greenlit: Hackers, Sneakers, WarGames, The Net, Swordfish.”
Nicely done, David. And that’s just the beginning.
Cookies to the Rescue: A Seasonally Appropriate Hacking Collective
To kick things off, Dean Agron, CEO and co-founder of Oxeye Security, flagged an impending cyberattack that’s sure to hit everyone on Santa’s list, not just the naughty ones.
“The ‘Santa’s Gift’ attack, from a Greenland-based hacking group called ‘[email protected]‘s 3lves’ will allow attackers to bypass input sanitation mechanisms by using a specific combination of 🎅🏼 🦌 🧝 🎄 🎁 🛷 emojis (Santa, reindeer, elf, Christmas tree, gift, and sleigh). Every input that allows inputting emojis is vulnerable, and the right permutation of emojis will immediately enable root access to your cloud infrastructure. Privacy and security advocates who have been fighting to eliminate cookies are rethinking their posture, as an overflowing stack of cookies (and a glass of milk) is the only known measure to combat this attack.” — Dean Agron, CEO and co-founder of Oxeye Security
Yes, he was just kidding. But it made you wonder for a minute, didn’t it? Onto the real predictions!
Automation Is Finally Ready for Prime Time
Sure, predicting the use of more security automation is like saying there might be more political division in Congress in the new year. But at least one of the experts we tapped took it an extra step further.
“The drive to use automation to replace human workers will evolve into automating away the need for useless middle management where both workers and executives rejoice.” — John Bambenek, principal threat hunter at Netenrich
Scary AI & Machine Learning Gets … Scarier
The idea of weaponized deep fakes becoming a go-to method for attackers was a theme for many of the bold predictions that Dark Reading received.
“We haven’t really seen it at scale yet, but with the trouble we already have getting our users to follow policy and not fall for social engineering attacks, how much worse will it be if (when) we have to deal with videos of their boss telling them that it’s totally cool to give that random caller your password?” — Mike Parkin, senior technical engineer at Vulcan Cyber
Others also warmed to this theme.
“In 2023, fraudsters will devise new ways to hack into accounts, including new ways to spoof biometrics, new ways to create fraudulent identity documents, and new ways to create synthetic identities.” — Ricardo Amper, founder and CEO at Incode
Roger Grimes, data-driven defense evangelist at cybersecurity company KnowBe4, points out that scary-level AI can juice the D, too.
“2023 will be the first year of bot vs. bot. The good guy’s threat hunting and vulnerability-closing bots will be fighting against the bad guy’s vulnerability-finding and attacking bots, and the bots with the best AI algorithms will win. 2023 is the year where AI becomes good enough that the humans turn over defense and attacks to self-traveling and replicating code for the entire attack chain from initial root exploit to extraction of value.” — Roger Grimes, data-driven defense evangelist at KnowBe4
Chatbot AIs: A Particularly Nasty Strain
Sometimes the dark view of AI use has to do with unintended consequences, with Maynor linking back to his WarGames reboot note.
“A person with no programming or security knowledge may accidentally create a destructive, self-propagating worm using an AI chatbot and then accidentally release it on the Internet, causing almost a trillion dollars in damage worldwide.” — Cybrary’s Maynor
Hmmmm, what AI chatbot could he possibly be referring to? At least one person we talked to has no qualms naming names, with a dark prediction about AI-assisted phishing.
“Hackers will use ChatGPT to develop multilingual communications with unsuspecting users in business supply chains. Many of the most notorious cybercriminal gangs and state-sponsored cybercriminals operate in countries like Russia, North Korea, and other foreign countries [which makes them] somewhat easier for end users to detect. This technology can develop written communications in any language, with perfect fluency. It will be very difficult for users to recognize that they are potentially communicating via email with an individual who barely speaks or writes in their language. The damage this technology will cause is almost a certainty.” — Adrien Gendre, chief tech & product officer and co-founder at Vade
Of course, these are early days for ChatGPT and its ilk. Imagine the risk once development really gets going.
“It’s only now that the AI algorithms have evolved where good bot vs. bad bot becomes a realistic threat. ChatGPT showed us what was possible … and it’s not even the latest AI version. I’m not scared of ChatGPT. I’m scared of its children and grandchildren.” — KnowBe4’s Grimes
Apocalypse Now? Critical Infrastructure Is Set to Burn…
Evil AIs are forever tied in most of our minds with taking over the world and bringing about apocalypse (save John Connor!). But some experts tell Dark Reading that the apocalypse doesn’t need to wait for the sentient robots.
“In 2023 we’ll see a disruption to network supply chain unlike anything we’ve ever seen before: A new tactic that will be added to the warfare arsenal is the sabotage of fiber cable. It has long been a war tactic to target communication lines, but the attacks will be farther reaching and wipe out Internet access for entire continents.” — Daniel Spicer, chief security officer at Ivanti
Sure, the Internet disappearing overnight could cause major dysfunction, but what about a long-term lack of power?
“The skills gap, recession and tensions abroad are forming a perfect storm for a major attack on the power grid in 2023. At the beginning of 2022, Homeland Security warned that domestic extremists had been developing plans to attack the US electric power infrastructure for years. The combination of aforementioned factors makes the US’s power grid more vulnerable to cyberattacks than it has been in a long time.” — Edward Liebig, global director of cyber-ecosystem at Hexagon Asset Lifecycle Intelligence
Ian Pratt, global head of security for personal systems at HP Inc., even offers Dark Reading a potential attack vector for such a scenario.
“Session hijacking — where an attacker will commandeer a remote access session to access sensitive data and systems — will grow in popularity in 2023. If such an attack connects to operational technology (OT) and industrial control systems (ICS) running factories and industrial plants, there could also be a physical impact on operational availability and safety — potentially cutting off access to energy or water for entire areas.” — HP’s Pratt
… Or Maybe Not
There’s a contrarian in every bunch. Ron Fabela, CTO and co-founder at SynSaber, laid one such prediction on Dark Reading: that 2023 will be remembered for the ICS cyberwar that wasn’t.
“While everyone in industrial cybersecurity will continue to fear all-out cyberwar, with predictions of turning off the power grid and poisoning our water shouted from rooftops and Capitol Hill, one thing is for certain: It’s a paper dragon, all hot air and no teeth. The security operator in the SOC and the industrial operator in the control center deserve our attention rather than Russian APTs.” — SynSaber’s Fabela
WWIII Started by Hackers?
So if fears that the Bad Guys will take out our critical infrastructure are overblown, does anything have the power to light off a firestorm of kinetic war?
Why, messing with our finances, of course.
“An attack against the Securities & Exchange Commission (or IRS, or some similar fundamental agency to the US government) would likely be as clear a flash point for war as the assassination of Archduke Franz Ferdinand. So, if it were to happen, it would be a very carefully calculated and planned, state-sponsored attack.” — Simon Eyre, CISO and managing director at Drawbridge
Cybersecurity Consolidation? Less Vendor Choice? Nope & Nope
Speaking of finances, anyone who has been following the volatile vagaries of the cybersecurity market from an M&A, valuation, and funding perspective will be aware that most analysts believe that enterprises will rapidly consolidate their cyber-defense tools under just a handful of vendor names — meaning that security Big Kahunas will just keep snapping up small fry and rivals until the choices end up very limited indeed.
Enterprises seem to want that too, according to survey after survey, given the upside in terms of interoperability and management.
Richard Stiennon, chief research analyst at IT-Harvest, says bah humbug to all that.
“I have been hearing this since there were less than 100 vendors. Now, I count more than 3,200 cybersecurity vendors covering 17 major categories and 660 subcategories. There are always going to be new threats, and new threat actors creating demand for new products that will come from startups. Yes, there will be lots of M&A action in 2023, probably close to 400 transactions. Every acquisition whets the appetite of investors to get in on the action. It also creates founders who are now wealthy who start their next company as soon as they earn out.” — IT-Harvest’s Stiennon
Big Brother IS Watching You
We would be remiss if we wrapped up without mentioning the myriad predictions that Dark Reading received regarding the future of remote and hybrid working. It isn’t going anywhere — that genie is well and truly out of the bottle, we all agree. But there’s a rather horrific side effect of that reality: The use of creepy productivity monitoring tools by employers, which for all intents and purposes, is spyware by another name, says one expert.
“Many leaders are resistant to remote work because they are used to leading based on observations, i.e. who is sitting at their desk the longest? In today’s ‘anywhere work’ environment, ‘observation leadership’ is causing managers to implement spy-like tools that measure activity and working hours which invade privacy and create a feeling of distrust among employees.” — Dean Hager, CEO of Jamf
Silver lining alert: Hager adds that this kind of completely whacked-out employee tracking will backfire, leading to an outcome-based leadership that will have a positive effect on employee morale and company culture.