Authors: Morey J. Haber, Chief Security Officer and Brian Chappell, Chief Security Strategist, EMEA & APAC
The annual cybersecurity trends prediction season is upon us once again. For this edition, we’re sharing our top prognostications for 2023, as well as a glimpse into the key emergent trends we foresee taking hold for the remainder of the decade.
But first, let’s take brief stock of our decade to date. So far, the roaring twenty-twenties have not disappointed. We have experienced a global pandemic that has dramatically altered the course of how and where we work, the death of a queen, and a regional war that has laid bare the darkest sides of human intent. During this era, cybersecurity initiatives have only increased in urgency. The stakes for protecting digital assets and critical infrastructure from cyberattacks continue to ratchet up.
With all that aside, some clear patterns have taken shape on which we predicate our predictions for 2023 and beyond.
Cybersecurity trends for 2023
1. Negative, Zero, and Positive Trust
A transformation in the implementation of zero trust is underway, with positive and negative implementations that will continue to morph in 2023.
Next year, expect products to actually be “zero trust-ready”, satisfy all seven tenets of the NIST 800-207 model, and support an architecture referenced by NIST 1800-35b.
Zero trust product vendors will create marketing messages that may imply positive and/or negative intent (maybe not using such simple puns on the number zero). Some will provide positive zero trust authentication and behavioral monitoring, while others will work using a closed security model to demonstrate what should happen when a negative zero trust event occurs. These will be more akin to SOAR (Security Orchestration, Automation, and Response) solutions that are zero trust-enabled and focus on actions when inappropriate activity is detected.
Therefore, we will have positive zero trust solutions that manage authentication workflows, negative zero trust solutions that dive in deep when malicious activity is detected, and ultimately marketing around zero trust that far exceeds any messaging we are hearing today from vendors focusing on the behavioral outcomes of zero trust. In a few more years, this technology will mature and both halves of the zero trust model, positive and negative, will essentially cancel each other out. This will ultimately occur with the emergence of complete end-to-end solutions that cover use cases for both appropriate and inappropriate zero trust behavior.
2. Camera-Based Malware is here. Say “Cheese”!
Don’t let your viewfinder deceive you. In 2023, expect to see the first of many exploits that challenge smart cameras and leverage vulnerabilities in the technology embedded within them.
The camera on our mobile devices is a powerful tool for documenting our memories, history, and daily lives. These cameras have been augmented with algorithms to recognize QR codes, and even artificial intelligence to enhance our pictures. While there have been timeless discussions on the risks of using QR codes, we’re only now beginning to understand the risks from our smart cameras. This is especially true when the output is used to generate GIFs, boomerangs, and other more complex picture and video formats.
We have already seen malware and exploits embedded in photos, and the applications designed to render them. In 2023, the technology that allows you to take great photos and videos may itself become exploitable for malware execution. This malicious behavior may not exploit the technology within to run code, but it may have results that can obfuscate sensitive information, provide misinformation, embed malware, or perform some other form of misdirection based on the content. QR codes are the first sign that this threat is even possible. As cameras become more complex, the risk surface is expanding for novel approaches that could lead to their exploitation.
3. Reputation for Ransom – The rise of Ransom-Vaporware
2023 will see a rise in ransom-vaporware—the extortion of monies based purely on the threat of publicizing a fictional breach.
Society so willingly accepts the veracity of breaches reported in the news—and without evidence. For a threat actor, this could mean the need to perpetrate an actual breach is reduced and a threat alone, that is not even verifiable, becomes an attack vector all in itself.
An attack need not be front page news to inflict a detrimental reputational impact on the victim. Any claims from the organization that the breach didn’t happen will be deemed an attempt by the organization to avoid reputational impact, even if the claims are baseless. The publishing of any data, however easily obtained, will be seen as proof of a breach, including simple information obtained via open-source intelligence (OSINT). This is especially true when a named threat actor claims responsibility. It’s the ultimate, undefendable attack for 2023.
4. The Foundation of Multi-Factor Authentication (MFA) Invincibility Fails
In 2022, threat actors, such as Lapsus$, exposed the shortcomings of MFA. The terms MFA bombing, MFA bypass, and MFA fatigue all leapt into the cybersecurity lexicon. In 2023, expect a new round of attack vectors that target and successfully bypass multifactor authentication strategies.
We’ve already been educated on the risks of using SMS for two-factor authentication. Years ago, NIST offered official guidance recommending that everyone stop using SMS for 2FA. Unfortunately, with many organizations still using SMS as part of their authentication strategies, threat actors have evolved their SMS attack vectors to include watering holes, MFA fatigue, and AitM (Adversary in the Middle) attacks to compromise authentication solutions that use SMS for identity verification. These are becoming more sophisticated and more reliable than basic SIM-jacking since the entire mobile device is not the target.
In the next year, push notifications and other techniques for MFA will be exploited, just like SMS. Organizations should expect to see the foundation of MFA eroded by exploit techniques that compromise MFA integrity and require a push to MFA solutions that use biometrics or FIDO2-compliant technologies. And even then, in the next decade or so, expect the same style prediction to make these passwordless solutions obsolete and vulnerable as well.
5. Cyber Uninsurability is the New Normal
As of the second quarter of 2022, U.S. cyber-insurance premiums already increased 79% over the prior year, and this increase came after more than doubling in each of the preceding two quarters. The truth is, it’s becoming downright difficult to obtain quality cyber insurance at a reasonable rate. In 2023, more businesses will face the stark realization that they are not cyber insurable. This prediction is one of our few repeats from last year’s edition because this is a highly consequential trend we cannot ignore.
Cyber insurance carriers have tuned their security questionnaires to ensure customers and prospects have proper cybersecurity hygiene before offering or renewing coverage. In many cases, they require customers to alter their policies and tools in a timely manner to obtain coverage in the future. Without these changes, companies could be left with exemptions based on attack vectors, or they could have their coverage denied, if the changes are not satisfactorily implemented.
The inability to implement the required changes, coupled with rising cyber liability coverage costs, will leave many organizations uninsurable in 2023. This will be even more of a trend compared to previous years, and businesses will have shrinking options. In addition, if their clients require cyber insurance per contractual requirements, it will leave a gap with long-term repercussions. Organizations may find their only options are to self-insure or purchase cyber insurance with an extremely limited scope and a laundry list of exceptions.
6. The Latest Concert Hack: Wearable Risk Surfaces and Hackable E-Waste
If you have recently attended a large concert, you may have received a disposable LED bracelet or had the option to purchase a collectable light stick. These devices receive RF transmissions during the event to generate a luminous glow. The event organizers control the color and pulse of the light, and en masse, the glowing bracelets of venue-goers foster a special communal atmosphere and engage the entire venue with additional lights and sensations, far beyond using a cigarette lighter as a show of support before the turn of the millennium. The device is meant to be low cost, disposable, and potentially have only a single use. This is blatant e-waste, unless the supplier has provided services for repurposing or recycling the devices. In 2023, expect threat actors to easily decode the RF transmissions using tools like Flipper Zero to wreak havoc on venues that use these enhancements.
Some of these attacks may occur as a form of protest to the potential for e-waste. More waste-cautious countries may even ban these gimmicks because of the e-waste they represent. In some instances, these bracelets will simply be replaced by mobile phones to perform similar functions by driving their flashlights or the entire screen color based on a dedicated app subscribed to the concert they are attending.
7. Compliance conflicts are brewing
Significant compliance standards, best practices, and even security frameworks are starting to diverge in their requirements. This is heading toward a major conflict in 2023.
For example, does your security hygiene require your end users to change their passwords every 90 days or less? Recent guidance from NIST suggests that, for standard user accounts without an indicator of compromise, organizations should no longer require password changes on a periodic basis. Many organizations have not embraced this recommendation and still believe in other guidance that maintains this weakens their security controls. Thus, a conflict has arisen.
In addition, if you also consider recent guidance in PCI DSS 4, having a certificate on a host for multifactor authentication of an asset is not an acceptable solution to trust an asset. For many organizations, this is a security best practice, but it is at odds with the PCI council and other methods used for zero trust asset identification. Who is right and who is wrong is debatable.
Unfortunately, some regulatory boards are unwilling to embrace modern techniques, have ignored security research, and have embraced controls contrary to new technologies that offer superior security. Passwordless authentication is one area where the most conflict appears to be brewing.
In 2023, expect more regulatory compliance conflicts, especially for organizations embracing modern technology, zero trust, and digital transformation initiatives. The list of conflicts is something vendors experience every day when answering Security Assessment Questions (SAQs) for their own clients.
8. The Death of the Personal Password
The growth of non-password-based primary authentication will finally spell the end of the personal password.
More applications, not just the operating system itself, will start using advanced non-password technologies, such as biometrics, either to authenticate directly or leverage biometric technology, like Microsoft Hello or Apple FaceID or TouchID, to authorize access. Personal accounts are still commonly backed by passwords as the ultimate fallback, but the need to remember, retrieve, and type passwords is going to dwindle rapidly as the technology to reliably recognize us improves.
Today, you still need a passcode when your face recognition fails to work but, in the future, two or more of the available recognition methods (i.e. your fingerprint, your typing style, or even the rhythms of your body) will provide enough information together to uniquely identify you.
All that said, the death of the password has been predicted year-on-year and will likely continue for a few years to come, but the turning point has been reached and the end is in sight.
9. De-Funding of Cyber Terrorists Becomes Law
Governments all over the world will entertain a new approach to protect organizations from ransomware and stop the funding of terrorists: ban ransomware payouts outright.
Ransomware is big business with huge payouts motivating threat actors. If the supply of money is cut off, their operations will cease (in theory) to exist due to the lack of profitability. Granted, threat actors may move on to a new form of cyber crime to fund their operations, but ransomware as we know it will fade away.
The current philosophy around disrupting ransomware profitability has centered on cyber defenses. Protect organizations from ransomware by deploying new technology and adhering to security best practices to stop malware from gaining control over an asset. Over the last few years, organizations have had some success with this approach, yet ransomware continues to claim victims for a wide variety of reasons.
In 2023, purchasing a decryption key from the ransomware operator will no longer be an option for victims, and the funding of terrorists will stop based on a legal approach—not a security product. Organizations will no longer be able to rely on cyber insurance and ransomware payments to restore business continuity. They will instead be forced to adhere to cyber security best practices—or risk going out of business, should a massive ransomware attack occur.
Think this is far-fetched? Legislation is already underway for the United States Government to make this law. In 2023, the funding of terrorists via ransomware may stop and victims of an attack will have even fewer options to regain control of their assets and resume business. In theory, this should push security best practices to everyone as the first line of defense in lieu of using a ransomware payout as remediation.
10. Cloud Camouflage is Confronted
To mitigate cloud security risks, expect a push for transparency and visibility into the security operations of SaaS solutions, cloud providers and their services.
We all use the cloud for our digital transformation strategies (as well as personally for social media or shopping), but we do not own the cloud. More importantly, we have limited visibility into cloud security. Initiatives like the CVE (Common Vulnerabilities and Exposures) do not apply to the cloud, leaving organizations blind to the real risks, as well as when identified vulnerabilities are being patched. In fact, cloud service providers and software-as-a-service (SaaS) vendors often obfuscate their security and operations to protect against threat actors, and even their clients. This is “cloud camouflage.”
The push to ensure transparency of the architecture, foundational components, and even discovered vulnerabilities, will extend beyond SOC and ISO certifications to either an expansion of CVEs or a new reporting mechanism that indicates what was vulnerable and when. It’s time to see what’s underneath the camouflage—for the security of everyone.
11. Social Engineering in the Cloud
Attackers will turn from their software toolkits to their powers of persuasion as they increase the number of social engineering attacks levelled at employers and organizations across the cloud.
A single fake social media profile could result in untold risk if the threat actor leverages it to obtain employment or impersonates a vendor offering trusted services. For example, consider these fake CISO profiles that exist on a popular career-based social media platform. All employers should have robust processes in place to ensure that, when considering a candidate for employment or a new vendor for services, background checks and communications rely on more than just a simple social media profile.
In 2023, social media will demonstrate growth as an attack vector. It will incorporate more OSINT to trick unsuspecting victims. Threat actors will leverage these newer capabilities to more effectively work under disguise so that they can convince a victim to divulge secrets or act in any other way that helps aid the attacker’s mission.
Imagine a fake employee with a common name using social media to spoof access by calling support. This simple scenario occurred in a recent high-profile breach perpetrated by Lapsus$. Organizations cannot rely on social media alone for identity verification. We should expect social media to be increasingly abused in the year to come.
12. Unfederated Identities to Infinity and Beyond
Digital identities are a moving target. Year after year, we expand our definition of identities to encompass more assets and technology. In 2023, expect an expansion of the identity model that includes unfederated models.
Identities are more than just people. Identities can be associated with services, applications, processes, and even devices in the physical world, like robots. Essentially, if something has the ability to authenticate or authorize permissions, somewhere downstream (or upstream depending on your perspective), it is associated with a federated identity, typically via an account.
Unfederated identities, on the other hand, require management and access outside of our realm of directory-based identity services commonly found in organizations or offered as a service. These identities can include vendors, guests, and other third-party humans and machines that need ephemeral access into our assets and services to perform a task. They are unfederated because they are out of our control (not employees) and can cover a large scope, including entities we do not trust and, truthfully, know very little about. In addition, their profile, based on attributes, is typically not stored and may only have a “life” for the length that access is required.
In 2023, expect a push into unfederated identities to help provide a new level of services and potentially physical products that will become a mild access control and management nightmare. The size and scope will feel truly infinite, unless it is well-defined for identity management teams to provide access beyond what typically is available today.
13. OT Gets Smarter, Converges with IT
In the next year, expect attack vectors for basic Operational Technology (OT) to expand based on similar exploits that target IT.
OT that once had a single function and purpose is now becoming smarter, leveraging commercial operating systems and applications to perform expanded missions. As these devices expand in scope, their design is susceptible to vulnerabilities and exploitation. OT devices must be maintained and updated just like any other technology-based asset. This is driving the convergence of OT and IT technology and management.
Security solutions are expanding coverage to not only monitor, patch, and assess risks on desktops and servers, but also to provide similar coverage for their peer systems that run manufacturing, critical infrastructure, and other related automation. The security industry’s response will include these devices for management and reporting. The primary difference will be downtime to patch, reboot, and install updates for OT based on commercial software.
Outages and mistakes in OT are rarely tolerated. As the IT and OT technology spaces converge, patching and updates will be the only remediations that provide true protection, even when the devices are segmented. For this process, we should expect problems. After all, software is created by humans, humans make mistakes, and the implementation of OT does have mistakes, even when we try to correct previous ones.
14. Headline Breaches Move to Second-Page News
Most breaches are now second-page news. In 2023, expect news of breaches to be buried deeper, whether in print or online format, based on audience fatigue, lack of interest, or just because it is no longer exciting.
When we first heard about the breaches at Heartland, Yahoo, and OMB, they were front-page news stories. Everyone was concerned. Today, breaches and public announcements occur with such regularity that the general public is numb to them. Stories only capture broad interest when the attack represents something new or is extraordinarily dangerous or disruptive. For example, look how fast media activity around the most recent Uber breach has died down compared to the first time a major supplier was compromised, like SolarWinds.
With that said, legal, regulatory, and compliance responses will become front-page news should an organization fail to follow the proper steps for public disclosure and risk mitigation. The Uber criminalization case against their CISO has proven this. Victimized companies who fail to respond correctly to security breaches will be called out, admonished, and have their reputations tarnished. Take, for instance, the real-world breach disclosures from FireEye (which did it correctly) compared to the executive response from Okta (which drew criticism from the security community). Those made the front page for their response. The incidents themselves were second-page news.
In 2023, many breaches will become second-page news unless something novel materializes. And, even if something does occur, fatigue alone may make the incident short-lived, and with fewer repercussions.
15. A Record-“Breaching” Year
While most breaches will indeed be “second-page news” (if they make it to the news at all), 2023 will still smash records in the direct and indirect cost of breaches to businesses.
Many organizations spent much of 2022 fixing the hasty remote access implementations and supply chain integrations made over the prior two years due to COVID. While some enterprises have robust plans for their cybersecurity in 2023 and beyond, far too many will find themselves behind the curve on their ability to protect and detect new intrusions.
Cyber criminals have continued their inexorable march forward over the past three years, and their momentum continues to build. Ransomware now targets backups of both data and systems before the extortion launches, which can leave defenders helpless. The theft of data prior to encryption through both automated and human-led ransomware attacks opens organizations up to long-term vulnerability and ever-increasing demands for payment.
Few organizations can afford the impacts associated with even short-term halting of their operations for recovery. That economic fragility is also likely to lead to increasing dependency on the supply chain and greater need for agility within it.
Therefore, in 2023, expect a record-breaking year of cyber security breach notifications, not only because of the sophistication of threat actors, but also due to the larger changes in the world that will impact an organization's ability to mitigate, remediate, or prevent a problem. Owing partly to macro-economic conditions, many organizations will not have adequate funding allocated to keep up with threats.
Cybersecurity Trends for the Remainder of the Roaring ’20s
1. Battery Software Revolution
We are at the onset of a rapid change in battery software that will improve charging times, minimize power consumption, see the elimination of fossil fuels, and even protect against tampering and catastrophic events.
Batteries alone cannot solve the problem of energy consumption and replenishment. Software is needed to regulate power consumption and ensure recharging is done in a throttled manner to avoid a catastrophic failure (fire or explosion). This is why battery software will become an important term in the next decade.
Charging your car or phone faster is not only dependent on having the proper power, but also on the method and algorithms to deliver and consume the power. Therefore, in the next decade, expect to see a larger focus on the software used for power management and the security of the software so tampering does not allow a threat actor to create a catastrophic event.
The smart storage and distribution of energy is a growing trend with a lot of potential for abuse. In the next decade, we’ll not only see a larger focus on software used for power management, but also on the security of the software to prevent tampering by a threat actor. Any place there is power, there stands a chance for power to be abused. Battery software, solar storage, electric cars, and the energy sector at large will all become common targets for threat actors.
2. Hackers take automobiles off-roading and off-line
Expect the hacking of automobiles to substantially increase.
While fossil-fuel-based vehicles will be around for a while, electric cars are on pace to be the norm in ten years. If you examine components within a new electric car, many have the same applications and base operating systems as our corporate devices. This means these automobiles are susceptible to vulnerabilities and exploits, just like any other computing device. If a threat actor were to target the controls in your car even now, they could disable or interfere with your display screens, entertainment, navigation, climate controls, and even the ability to call for help using the car’s system. Consider what this could represent when autonomous driving truly goes mainstream.
The hacking of automobiles will bring out the good (new functionality via software) and bad (malware) in our new electric cars. Expect to see everything from custom displays to malware using car resources for crypto mining. Performance improvements that could void warranties and violate other governing regulations are another possibility. In the next decade, this will be a risk surface and viable commercial market no one should ignore.
3. More “Lights Out” Cyberattacks
An increase in the number of cyberattacks on energy production and distribution will lead to power outages, fuel shortages, and heating or cooling resource depletion.
Geopolitical conflicts, climate change, shifts in energy production and consumption, and aging infrastructure for production and delivery are contributing to a major shift in energy consumption and energy sources. While a fault in any energy source can drive prices higher, the threat of an intentional disruption could leave people out in the cold, lead to under-delivered merchandise, or completely disrupt electronic transaction processing. If you can shut off the power, everything comes to a standstill. The repercussions will be measured in finances as well as in loss of life.
Governments are well-aware of the threats and repercussions of attacks on critical infrastructure; however, cyberattacks specifically targeting energy production will have the biggest impacts on society. Threat actors recognize this weakness, and we should expect nation-states and opportunistic cyber-organized crime syndicates to refine their methods to target energy sectors. This is a more focused prediction beyond ICS attacks because everything we use and operate today relies on energy.
4. Evolving from Technology Recycling to Upcycling
The recycling of technology will move away from the destruction of devices and towards new means of repurposing them.
Instead of simply recycling old working technology for its parts, just because it is obsolete or no longer supported, vendors will provide novel solutions to extend the life expectancy of devices. Operating systems like Chrome Flex OS are designed to bring a modern, supportable feel to older and obsolete devices, but not sacrifice security or performance. Many people and organizations could certainly benefit from this when purchasing new devices is unaffordable or otherwise infeasible.
Over the next decade, we expect new businesses to emerge that will specialize in the upcycling and the second life of technology. It will be much more than recycling or donations and focus more on sustainability and revitalization to provide supportable and secure coverage for previous technology investments. The mantra, “just because it is old does not mean it should be thrown away”, will have new meaning.
5. The Emergence of “One You”
In the next 3-5 years, millions of people will start operating with a single, centralized digital identity. This will go far beyond legacy concepts, like a social security number.
We are seeing the first signs of this, and it’s increasingly being pushed by identity providers. Whether it is through a private organization or a government provisioned service, we are signing into and connecting more systems using fewer individual identities and existing authentications. Social media authentication mechanisms via Google, Amazon, and Facebook have been the first steps in this process. For most of us, in the short-term, this will resolve to two identities: one personal and one business.
In the future, however, you will have one account (based on your identity) that is used for everything. This will be a personally managed account that will be attached to a company and detached when that relationship ends. The identity owner will be in control of who has access to each piece of data (attributes) within their identity and for what periods. This will allow extremely granular control over both the sharing of identity information—as well as the monetization of it. Attributes will include everything from personally identifiable information (marital status, children, bank information, birth date, medical records, etc.) to benign information like the color of your car.
In the next decade, look for this consolidated online identity system to ubiquitously emerge and be your record of truth for everything about you. How you share and trade this information will become the source of the “one you”.
6. Personal Data Loss Tsunami
A massive amount of personal data will vanish—but will anyone notice?
As our population ages, and as we continue to pay subscriptions for data storage (photos, videos, and documents) in the cloud, what happens when we die? Who will migrate and pay for that data to be archived, condensed, or downloaded once we are unable to?
In the next decade, many of our photos will just be deleted because no one is attending to the subscriptions. Common scenarios will include obliviousness of a loved one’s subscriptions, the inability to access the deceased’s accounts, or the inability to pay for the continuing storage of precious data. The discontinuation of most free or inexpensive unlimited photo storage options is also a factor. More people are mixing multiple lower volume data stores, making it harder to track, secure, and hand over stored content.
Unlike physical photo albums, there is nothing tangible to work with, and once the cloud storage of this media is deleted by the provider, it is gone. This will drive the inclusion of data stores, and their maintenance, into wills.
For the next decade, expect a large amount of personal information on digital devices to disappear because we are ill-prepared to archive how the data is maintained and handled once we pass.
7. Default Accounts Go Extinct
By the end of this decade, we may finally witness the much overdue extinction of the default accounts and associated secrets.
Just about every system we work with has a default account (Administrator, root, admin, etc.). These accounts exist to provide the initial superuser access to create all other accesses. Then they persist (often disabled, renamed, or both), gathering metaphorical dust. Without effective password management, the credentials associated with these accounts become ripe for brute force and other attacks. Some of the earliest computer worms exploited default accounts, yet, decades later, we are still seeing this happen with IoT/smart devices. We need to tightly control access to those passwords and change them regularly, ideally after every use, or, preferably, get rid of default accounts altogether!
By the end of the decade, authentication mechanisms will become more centralized. This will allow the first boot of a system to configure (or discover) the authentication provider, while also allowing for the assignment of one or more users (ideally groups of users) to the superuser role within the environment. This means no more default user accounts, although it will require some additional thought when removing users from the system.
The use of group assignments, rather than individual accounts, offers more options since control of group membership is outside the system itself. This is where many systems already end up, but, invariably, with the default account still hanging around because of basic flaws in legacy role-based access models. Using modern techniques for initial management and configuration will obviate these problems in the future.
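A defender can check how far a host is from this model today. The audit below is an added example, not code from BeyondTrust or the original article: it flags local accounts that are UID 0 or carry one of the default names listed above and still accept a password, plus sudo grants made to individual users instead of groups. The passwd, shadow and sudoers samples and the `ops-admins` group are constructed for illustration.

```python
DEFAULT_NAMES = {"administrator", "root", "admin"}  # names listed in the article

# Constructed samples in /etc/passwd, /etc/shadow and sudoers syntax.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
toor:x:0:0:renamed default:/root:/bin/sh
"""
SHADOW = """\
root:!:19300:0:99999:7:::
admin:$6$constructedsalt$constructedhash:19300:0:99999:7:::
toor:$6$constructedsalt$constructedhash:15000:0:99999:7:::
"""
SUDOERS = """\
# constructed sample
%ops-admins ALL=(ALL) ALL
admin ALL=(ALL) NOPASSWD: ALL
"""

def password_usable(hash_field):
    # "!" or "*" prefix means locked; an empty field means no password is required.
    return not hash_field.startswith(("!", "*"))

def audit(passwd, shadow, sudoers):
    hashes = {f[0]: f[1] for f in (ln.split(":") for ln in shadow.splitlines()) if len(f) >= 2}
    findings = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue
        name, uid = fields[0], int(fields[2])
        if uid != 0 and name.lower() not in DEFAULT_NAMES:
            continue
        # An account with no shadow entry is treated as locked.
        if password_usable(hashes.get(name, "!")):
            kind = "uid0" if uid == 0 else "default-name"
            findings.append((name, kind + "-password-login"))
    for line in sudoers.splitlines():
        line = line.strip()
        # Simplification: skip comments, group grants, Defaults and alias definitions.
        if not line or line.startswith(("#", "%", "Defaults")) or "_Alias" in line:
            continue
        findings.append((line.split()[0], "sudo-granted-to-individual"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(PASSWD, SHADOW, SUDOERS):
        print(f"{name}: {issue}")
```

The locked `root` entry and the group grant produce no finding; the renamed UID 0 account `toor` is still caught because the check keys on the UID as well as the name.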
8. ICS-based Attacks Become More Cost-Effective
Ransomware attacks that target industrial control systems (ICS) could be devastating. In the past, we’ve seen human-led attacks that specifically targeted ICS, with the aim of affecting the operation of those systems, deliver significant impacts. Examples include the attacks on the Oldsmar Water Treatment plant, on JBS, the world’s largest meat packer, and on Schreiber Foods, the largest cheese supplier in the US, which resulted in a national cream cheese shortage. Automated attacks could take that to a whole new level, potentially impacting multiple systems simultaneously.
Many ICS systems would be catastrophically impacted by stopping their operations. Those systems “tend” to be carefully isolated and employ lots of redundancy to ensure they don’t go offline. For the other systems, an alteration that imperils the integrity of the data or output may be more damaging—such as changing the volume of a chemical flow as opposed to stopping the flow altogether.
The increasing interconnection between ICS and IT systems, a necessary move to improve efficiency, flexibility, and redundancy, also increases the ROI on developing attacker tools that are more impactful in ICS scenarios. Rather than just stopping everything it finds it can access, ransomware could identify control systems and lock you out of them, while manipulating settings—either under predefined plans or dynamically through C2 (Command and Control) systems until you pay up. The increasing number of systems potentially accessible makes the effort of building the code more cost-effective for attackers.
Despite laws to stop ransomware payments and the convergence of IT and OT, expect a significant rise in ICS attacks over the next decade. The primary driver of this increase is recognition by threat actors of the fear they can instill. Developing targeted tools for ICS exploitation will become profitable for exactly these reasons.
9. Election Hackers Double Down to Destabilize Democracies, Many Ways to Win
The 2020 United States elections have demonstrated at least one disturbing fact: once doubt is cast on the reliability of an election system, that doubt can persist for a considerable time, even if the allegations have been debunked.
Whether you believe the 2020 elections were electronically tampered with or not is irrelevant; the doubt still remains. If the 2022 or 2024 elections actually involve security breaches, and facts confirm so beyond reasonable doubt, then the entire election process can be undermined.
For U.S. adversaries around the world who seek to destabilize the U.S. government, the election process is a prime target. Expect cyberattacks on the election process to intensify to create more fear, uncertainty, and doubt about the technology and process. This threat will exist beyond the decade as we use electronics for tabulating the results of election processes.
10. The Arrival of the Unforeseen Attack Vector
In the next decade, expect at least one entirely new class of attack vectors to emerge and raise the bar for cybersecurity.
As we continue to embrace newer technologies at home and in the office, it is only a matter of time before a new, perhaps somewhat unforeseen, attack vector is discovered targeting next-generation technology.
What is the next technology we will all embrace? Is it an evolution of digital personal assistants into robots, the metaverse, personal quantum computing devices, or even next-generation web3 based on cryptocurrency? No technology is 100% hacker-proof, but the lessons we have learned today can help us mitigate the unknown risks of the future. Whatever comes next, we should prepare.
Thus, we should recognize there will be new attack vectors that are not predictable today. How we mitigate the risks will be guided by lessons learned from our past.
Cybersecurity Predictions from the BeyondTrust Archives
The BeyondTrust team has a long history of making security predictions. You can check out some of our past forecasts below to assess how we’ve fared!
BeyondTrust Cybersecurity Trend Predictions for 2022 & Beyond
BeyondTrust Cybersecurity Predictions for 2020 & Beyond
BeyondTrust 2019 Security Predictions
Cybersecurity Predictions for 2018 (+ 5-Year Predictions, Too!)
5 Cybersecurity Predictions for 2018
10 Cybersecurity Predictions for 2017
2017: Looking Forward to a New Year in Cybersecurity
2016 Cyber Security Predictions & Wishes
2022 Cyber Security Predictions: 5 Years to Plan!
Top 5 Security Predictions for 2014

Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.

Brian Chappell, Chief Security Strategist
Brian has more than 30 years of IT and cybersecurity experience in a career that has spanned system integrators, PC and Software vendors, and high-tech multi-nationals. He has held senior roles in both the vendor and the enterprise space in companies such as Amstrad plc, BBC Television, GlaxoSmithKline, and BeyondTrust. At BeyondTrust, Brian has led Sales Engineering across EMEA and APAC, Product Management globally for Privileged Password Management, and now focuses on security strategy both internally and externally. Brian can also be found speaking at conferences, authoring articles and blog posts, as well as providing expert commentary for the world press.