A new year is always a good occasion to look ahead and plan for what’s going to happen. In the field of cyber security, however, this can be pretty challenging, as it’s not always easy to predict how requirements and threats will evolve.
However, our experience is that changes rarely occur as a major revolution at one time. They’re more likely to be a whole range of small changes which, together, turn into something major. Such changes typically occur in the interaction between technological developments, our use of new technologies and the attackers’ need to achieve their goals.
This article takes a look at some of the developments we think will affect cyber security in the coming year.
What to expect in 2022
Cyber attacks can be very costly and have the potential to bankrupt companies. That’s why cyber and information security have moved onto, and up, the management agenda in recent years: management’s main task is to protect the company and its assets. This means that management now looks at cyber security very differently, placing new demands on itself and on the company’s approach to cyber security.
Boards of directors will recruit members with some insight into cyber security, and many boards will set up committees focused on cyber security, perhaps as part of the duties of a broader risk committee. Acquiring the right skills places demands on boards, including on the reporting they receive.
Against the background of this challenging threat profile, work on cyber security will be better organised and preferably based on a suitable framework. This systematisation will be reflected in closer cooperation between management and the security organisation. Digitisation increases complexity and changes the threat profile, which is why management’s focus will also include how the organisation can be made more robust in dealing with cyber security incidents.
Cyber security is also becoming an increasingly important part of the valuation of companies. This will mean that investors, capital funds and collaborators will include cyber risk in their overall risk assessments — and valuation.
Requirements for companies to have proper control of their security, and to be able to document it, will follow.
Ransomware
Absolutely nothing suggests that the threat from ransomware will diminish in 2022. Over the last few years, criminals have honed their business and standardised on double extortion, i.e. they encrypt the company’s entire infrastructure while also stealing its data, which they then threaten to sell or publish. All of this is offered as ransomware-as-a-service to other criminal groups. It is a fiercely lucrative business for the criminals, while the risk of being caught and brought to justice is virtually non-existent.
As companies become better at protecting their systems, criminal groups have shown tremendous creativity in finding new ways to attack and to monetise their crime. Double-extortion attacks have become the norm, and we expect the groups to expand and develop their attack methods to maximise earnings. This will include crypto mining, DDoS (distributed denial of service) attacks and more targeted exploitation of the data they get hold of. Criminal groups will assess each victim and try to maximise their profit, which will often mean hitting companies where it hurts most: for example, they may target the company’s production in addition to its administrative systems. We also expect criminals to make more active use of the data they steal, such as systematic extortion of the company’s customers, sale of trade secrets, etc.
Ransomware is an extremely lucrative business, and the criminals make a lot of money from it. For that reason there is also increasing rivalry between the various groups, much as among traditional gangs fighting over drug trafficking in a particular area. As this rivalry spills over into cyberspace, there will presumably be ransomware victims caught in the crossfire, for instance if a disagreement arises between the group executing an attack and the group providing the ransomware-as-a-service.
A victim could also get caught in the middle as the authorities step up their efforts to disrupt the criminal groups and their infrastructure. If paying a ransom is the only way to save the business, action by the authorities might make that impossible, because the infrastructure the victim would need to negotiate with the group and obtain decryption keys has been destroyed.
In practice, criminals have been able to operate freely and without risk in Russia for years. At the beginning of January 2022, however, the Russian authorities moved in and arrested members of the REvil ransomware group. According to the Russians, the arrests were carried out at the request of the United States. At this time it’s difficult to determine the precise reason, and why the Russians suddenly started taking cyber crime seriously.
This has prompted speculation that the arrests may be a signal to the United States that Russia can indeed control such groups, which would also give Russia free rein to use them in a conflict. It may also be an internal Russian affair, in which the authorities want to show the other groups who is in charge, or part of a power struggle between Russian criminals in which one side has the authorities in its pocket. We believe that we will see ransomware used as an actual weapon, in particular in a digital hybrid war between Russia and the West.
Other topics that could affect trends in the ransomware field are regulation and insurance: for example, legislation or regulation may be on the way that prohibits the payment of ransoms or limits what insurance can cover. Finally, there are initiatives in various parts of the world to improve the regulation of crypto-currency, which could also affect how ransomware groups operate.
Regulation and legislation
With the growing digitisation of society, and thus the growing importance of and dependence on cyber and information security, these topics are moving higher up the political agenda just about everywhere. Europe’s GDPR put us among the first to place the protection of personal data on the agenda. A directive on product security has been adopted, and with the forthcoming NIS2 directive, cyber security requirements for companies will be tightened once again.
This means that companies have to be prepared for even more formal security requirements, especially if they process personal data or operate in an industry subject to special requirements. Furthermore, the consequences of the Schrems II judgment for the use of cloud services in Denmark and the rest of the EU have still not been clarified.
Similar legislative initiatives are on the way in much of the rest of the world. Within a few years, the majority of the world’s Internet users are expected to be subject to local legislation regulating the protection and use of their personal data. In practice, however, the actual purpose of such legislation varies greatly. In many totalitarian countries it is aimed more at managing and controlling the Internet than at protecting citizens’ data. Many countries are also introducing legislation requiring data to be stored locally within the country.
Consequently, companies operating internationally must also be prepared to comply with various, and often contradictory, local laws.
Foreign states & cyber warfare
Cyber attacks have gradually become a standard element of any conflict, as seen in Ukraine in the first few weeks of 2022. There have already been isolated examples of the damage cyber attacks can cause to physical infrastructure. But cyber attacks alone are not going to settle a conflict and, in the coming years, will remain just one element among many.
Where the Internet is currently used offensively by states, primarily Russia and China, it is mainly for disinformation campaigns which aim to influence opinion and create discord and disagreement in the West. We expect this to continue, and we can expect to see deep-fake technology used, with manipulated images and video.
Actual cyber attacks will still be a tool for wreaking havoc in a conflict, and the risk of collateral damage has to be taken very seriously, as we saw with the NotPetya attack in 2017. If the conflict in Ukraine escalates, it is expected to include destructive cyber attacks which could cause collateral damage outside that country.
In the event of an actual conflict, or a conflict-like situation, between Russia and NATO, there is also a high risk of destructive cyber attacks targeting NATO countries. At this stage we don’t know how extensive attacks from Russia could be, how likely they would be to succeed, or what consequences they could have.
Countries such as Russia, China, Iran and North Korea have acquired even more skills and resources in recent years for carrying out advanced cyber attacks. This was evident in the SolarWinds attack, which we assume Russia was behind. China is suspected of being behind the Hafnium attacks on Microsoft Exchange, Iran has attempted destructive cyber attacks against Saudi Arabia, and North Korea has carried out numerous financially motivated attacks.
These countries will also pose a serious threat in the coming year, especially to critical sectors and to organisations that are of interest for espionage.
Digital supply chain
The many incidents in recent years caused by security breaches at suppliers, e.g. SolarWinds, Kaseya and AK Techotel, have put the spotlight on security in the digital supply chain.
Criminal attackers see a unique opportunity to hit many companies at once with modest effort, while intelligence agencies see it as a way to circumvent the defences of organisations with a high level of security.
Businesses have turned their focus to the risks in their digital supply chain and are grappling with how to protect themselves better. Hard pressed by their customers, many suppliers have thankfully also begun to take the cyber security of their solutions and services seriously, but they often struggle with their culture and with years of under-investment in technical security, which takes time to make up.
A very particular software supply chain problem arises because most software is built like a LEGO set, assembled from components, many of which come from public software repositories, often as open source and with no one formally responsible for their security.
We also expect to see a number of security incidents caused by breaches in the digital supply chain within the next year. Criminals and intelligence agencies can be expected to try to compromise public software repositories, and will presumably succeed in doing so. We also expect a number of service providers to be subjected to various types of extortion, in the form of DDoS and ransomware attacks.
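The practical defence against a compromised repository or mirror substituting a modified component is to record the exact version and cryptographic hash of every component at the time it is reviewed, and to refuse anything that does not match at install time. The following is an added example written for this article, not code from any of the suppliers or projects named above; it mirrors the behaviour of pip’s hash-checking mode (the `package==version --hash=sha256:…` line format), but is a stand-alone illustration, and the package names, versions and “wheel bytes” it uses are constructed for the example.

```python
"""Hash-pinned dependency verification in the style of pip's --require-hashes mode.

Added example, not code from the original article. The package names,
versions and artifact bytes below are constructed for illustration.
"""
import hashlib
import re

# One pinned requirement line, e.g.
#   requests==2.27.1 --hash=sha256:<64 hex>  --hash=sha256:<64 hex>
_PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[^\s]+)"
    r"(?P<hashes>(\s+--hash=sha256:[0-9a-f]{64})+)\s*$"
)
_HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalise_name(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, runs of -_. become a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def lock_requirements(artifacts: dict) -> str:
    """Lock step: record the exact version and sha256 of each reviewed artifact.

    artifacts maps package name -> (version, bytes of the reviewed wheel/sdist).
    Returns text in the format pip's hash-checking mode accepts.
    """
    lines = []
    for name, (version, data) in sorted(artifacts.items()):
        lines.append(f"{name}=={version} --hash=sha256:{sha256_hex(data)}")
    return "\n".join(lines) + "\n"


def parse_requirements(text: str) -> dict:
    """Parse a lock file; every non-comment line must carry an exact version and a hash.

    A single unpinned line (e.g. 'requests>=2.0') is rejected outright, because one
    unpinned dependency is enough to let a compromised repository pick the version.
    """
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _PIN_RE.match(line)
        if m is None:
            raise ValueError(
                f"line {lineno}: requirement is not pinned to an exact version and sha256: {line!r}"
            )
        hashes = frozenset(_HASH_RE.findall(m.group("hashes")))
        pins[normalise_name(m.group("name"))] = (m.group("version"), hashes)
    return pins


def verify_download(name: str, version: str, data: bytes, pins: dict) -> bool:
    """Install step: accept downloaded bytes only if name, version and sha256 match the lock."""
    entry = pins.get(normalise_name(name))
    if entry is None:
        return False          # not in the lock file at all
    pinned_version, hashes = entry
    if version != pinned_version:
        return False          # repository offered a different version
    return sha256_hex(data) in hashes


# Constructed "artifacts": stand-ins for the wheel bytes a developer actually reviewed.
REVIEWED = {
    "requests": ("2.27.1", b"constructed requests-2.27.1 wheel bytes"),
    "urllib3": ("1.26.8", b"constructed urllib3-1.26.8 wheel bytes"),
}
LOCK = lock_requirements(REVIEWED)
PINS = parse_requirements(LOCK)

if __name__ == "__main__":
    print(LOCK)
    genuine = REVIEWED["requests"][1]
    tampered = genuine + b"\n# payload appended by a compromised mirror"
    print("genuine artifact accepted:", verify_download("requests", "2.27.1", genuine, PINS))
    print("tampered artifact accepted:", verify_download("requests", "2.27.1", tampered, PINS))
```

The hash check only protects what was reviewed: it stops a repository or mirror from substituting different bytes for a version that has already been vetted, but it does nothing about a malicious release that is reviewed and locked in good faith. The lock step therefore still needs a human or tooling to look at what is being pinned, and the lock file itself must be protected like source code.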
Finally, we expect customers to intensify the requirements they place on suppliers, including having to demonstrate an adequate level of security. Much of this control will initially be based on questionnaires, but hopefully in the long term it will be based on recognised certifications and assurance reports such as ISO certification, ISAE 3000 reports and the D-seal.
In addition to the above, there are a number of other areas in rapid development, for example:
- Cloud and cloud security, where the paradigms differ significantly from traditional on-premises cyber security and therefore impose different requirements on how we implement security.
- Identities and authentication are gradually becoming the new perimeter, and the one most at risk, since in cloud services identity is the most important security control.
- Malware is becoming increasingly advanced. Recent examples are metamorphic malware (for example Tardigrade), which constantly changes its signature, and malware embedded in the UEFI firmware on the motherboard, which survives reinstallation of the operating system and replacement of the hard disk.
- The Internet of Things (IoT), i.e. the physical world going digital, presents special challenges, as the security of much of the equipment is inadequate. Management and updating are often difficult, and incidents can have consequences in the physical world.
- Mobile devices are usually regarded as reasonably well protected because of their good built-in security features, but as the case of the Pegasus spyware from NSO Group shows, that security is far from perfect. This is already being exploited by various intelligence agencies and will presumably also be abused by criminals at some point.
- Crypto-currencies will continue to be a favourite target for theft by criminals, who will compromise individuals’ wallets as well as entire crypto exchanges. Crypto-currency has gradually gained great importance as an object of speculation and for the economy in general, and a sufficiently large attack will have an effect on the mainstream economy.