Five Cybersecurity Predictions for 2023
2022 was a year of many firsts for all of us here at ShardSecure, from raising our $11M Series A round of funding to giving our first presentation at BlackHat. Now, as we get set to close the books on this eventful year, we thought we’d channel our inner Carnac and offer some predictions about what might lie ahead in the year to come. For our first of hopefully many annual predictions, we’ll tell you what we foresee in the evolving cloud and data security market.
1. Quantum Leap: Steal Now, Decrypt Later
Over the past decade, quantum computing has gone from the realm of the theoretical to a near inevitability. Google CEO Sundar Pichai expects that quantum computing will be able to break current encryption standards in the next five to ten years. Listening to other experts in the area, we believe the time frame might be even shorter — around three to five years. And while conventional computing paradigms currently make cracking encryption largely impractical, the coming quantum computing revolution will likely render even the most hardened encryption schemes meaningless.
The data that many companies manage today will continue to be sensitive well into the future — especially data in privacy-sensitive or strategic industries such as healthcare, defense and government, and biotech. For that reason, encrypted data that’s secure today is still susceptible to “harvest now, attack later” schemes in which bad actors steal datasets for later decryption once commercial quantum technologies become available. We should expect to see some advanced threat actors and/or nation-states playing the long game and setting their sights on encrypted payloads with the goal of applying quantum cracking in the not-too-distant future.
2. Threat Actors Weaponize New Data Privacy Laws
On January 1, 2023, a revised version of the California Privacy Rights Act of 2020 (CPRA) will officially go into effect. Already recognized as one of the most stringent data privacy laws in the country, this amended piece of legislation will for the first time establish a new agency known as the California Privacy Protection Agency (CPPA) to enforce these laws.
While these efforts at bolstering consumer data privacy laws should be applauded, we also anticipate some unintended consequences. We’ve already seen ransomware operators leveraging new tactics like double extortion, in which they not only encrypt their victim’s data but also threaten to publicly release sensitive data. We believe that threat actors will use these data privacy laws to similar advantage, since the threat of being publicly sanctioned by a regulatory authority could provide another powerful incentive for extracting a payment from their victims.
3. Threat Actors Find Creative New Ways To Defeat Encryption
A little over a decade ago, security researcher John Bambenek published a paper called “Defeating Encryption” in which he wrote: “[T]he point here is not that encryption is worthless. The point is that encryption by itself is not helpful. The endpoints need to be secure, passwords need to be difficult to crack, and those who do have access [especially root access] to the system need to be trustworthy.”
This guidance is as true today as it was ten years ago, and it speaks to the false sense of security provided by encryption alone. Just recently, an “unpatchable flaw” was discovered in Microsoft O365 Message Encryption (OME) that enables attackers to infer the contents of encrypted messages. Essentially, OME’s use of the Electronic Codebook (ECB) mode of operation meant that attackers who obtain many email messages can gather information about their contents by analyzing the protection provider.
So don’t be surprised if we see advanced threat actors beginning to attack encryption head-on by chaining these and other types of zero-day vulnerabilities together as a way to subvert modern encryption algorithms in 2023.
4. Ransomware Operators Adapt Their TTPs To Be Cloud Native
Traditional ransomware mainly targets on-premises IT infrastructure, but it doesn't work all that well in cloud environments. This is one reason we haven't heard much about ransomware in public clouds.
However, as the past few years have shown, ransomware operators are nothing if not a resourceful bunch. Given the rising trend of enterprise assets and services moving to the public cloud, we will likely see ransomware operators adapting their tactics, techniques, and procedures (TTPs) to become more cloud native.
5. Attackers Go on the Hunt for Valuable Data
According to one recent report, 77% of ransomware attacks include a threat to leak exfiltrated data. As WIRED magazine detailed in an article earlier this year, some ransomware gangs are forgoing encryption altogether and instead focusing their efforts on finding and stealing high-value data files: “What makes Lapsus$ noteworthy is that the group isn't really a ransomware gang. Instead of exfiltrating data, encrypting target systems, and then threatening to leak the stolen information unless the victim pays up, Lapsus$ seems to exclusively focus on the data theft and extortion. The group gains access to victims through phishing attacks, then steals the most sensitive data it can find without deploying data-encrypting malware.”
Consider the damage these ransomware gangs can do if they disseminate a spreadsheet of employee salaries or release a company’s highly valuable proprietary source code into the wild. We expect to see these threat actors take less of a “spray and pray” approach and instead train their sights on specific data targets in order to do what they do best: maximize disruption.
It’s not all bad news
Of course, we also believe that 2023 will see increasing interest in microsharding as a means to protect and desensitize sensitive data. Without the vulnerabilities of key-based solutions like encryption, microsharding makes data unintelligible to unauthorized users in the face of misconfigurations, unpatchable flaws, quantum computing, and more. It also offers strong data resilience to neutralize the effects of cloud provider outages and ransomware — even double- and triple-extortion attacks.
We’d love to hear what you think the next year has in store for the data security market. Tweet at us and let us know your thoughts.