I see an overabundance of security and trust challenges as we turn the page on 2021 and move onto 2022. The challenges of 2022 will start off being much like those of 2021 but even more troublesome given the backdrop of anarchy in our global economies, and in our social and public health environments, and in our political worlds where a general feeling of distrust prevails across a disintegrating institutional landscape. In 2022 we must verify and fact check everything [and how to trust the “fact-checkers?”], disbelieve our senses in terms of what we see or hear as GANs generate synthetic data and misinformation spreads across media sites. We even have to deal with “virtual influencers” – animated, typically computer-generated, characters designed to attract attention on social media. It will become increasingly difficult to discern what is authentic and what is not, not just in the physical world but also in the digital world – especially as we enter the virtual world of the Metaverse in 2022. So what will be our trust anchors for securing assets in 2022? What trust foundation will our economy and culture be built on in 2022 and in the future?
The pandemic has put a real hit on an already deteriorating brick and mortar economy. How much it will bounce back post-pandemic is anybody’s guess, but I feel it is safe to say that the economy is being moved by a new driver – digital transformation. But what will our increasingly digital economy be based on – will it be the central digital platform economy of walled gardens run by big tech in whose shadow we live now? Will it transition to a new decentralized and open ecosystem of apps and things? As data becomes the new fuel to power an AI/algorithm-driven work machine, will consumers have a way to control how their data is collected and used? Will they be able to profit by its use? Will AI replace their jobs? How will digital assets be valued (e.g., proof of work, proof of stake, digital scarcity) and what will be the currency by which they are traded? At the enterprise level, how will Industry 4.0 challenge the thinking of today’s cyber defenders? Will its expected increase in the use of sensors, AI, and analytics tied to the cloud (edge or otherwise) obliterate the Purdue reference architecture and create new cyber gaps as autonomous systems start to run critical aspects of our infrastructure? Or will humans remain in the loop with decision-making augmented through AI and AR? Can we trust AI? Will it do more harm than good? Can we make the AI economy secure and safe?
The answers to these questions will have a profound impact on the types of trust models we employ for the future and what will be the focus of cybersecurity challenges in 2022 and going forward.
“Trust” seems to be a tough sell these days. Even in cybersecurity the buzzword is “zero trust” where nothing is trusted inside or outside an organization’s “boundary.” In zero trust environments, we constantly monitor and analyze for anomalies and behavior changes, we divide our exposed surface into smaller network segments to limit problems, we know what and who is on our network at all times – people, devices, data, and systems/software – we classify our data, we control privileges to a more granular extent, we perform life cycle activities, and we patch our systems on a timely basis.
Trusted systems were never a reality beyond military grade and intel agency system environments. Even in those environments, the deployment of highly trusted systems is generally rare. They were too expensive to build and maintain, complex to use, and nearly impossible to upgrade. Commercial enterprises generally opted for a “perimeter” security approach which has all but washed away over the last couple of decades as holes have been cut into the perimeter to allow more and more functions and access to users, and as enterprises have moved to the cloud. This evolution has led us to the brink of zero trust.
The final impetus behind moving to zero trust has been an onslaught of ransomware attacks which prey on human error, poorly run operations, deception, and misguided trust in passwords and IT perimeter defenses. Our collective recommended response to these attacks – implement the zero trust architecture. The zero trust architecture (ZTA) called out by the Biden Cyber EO requires modernizing security practices and tools, while reconfiguring internal IT operations. It also demands re-examining our hardware and software supply chains, our data supply chains, even our human [identity] supply chains as we track and surveil the behavior of our employees and our citizens for “improper” activity or errors.
Implementing a ZTA is a significant endeavor on its own, especially since it partially relies on a design that leverages the power of VPNs, routers and switches to secure the connection and segment the network into zones to control unauthorized lateral movement. But can we trust the routers and switches? And how do we deal with the complexity of segmenting a network when secure access must be provided everywhere [cloud / multi-cloud, enterprise, hybrid] and to everyone – remote workers, mobile workers, employees, contractors, vendors, partners and suppliers – and with any device – mobile, BYOD, enterprise-managed, third-party-managed?
ZTAs do offer the promise of better security if you can scale them properly, if you otherwise implement them properly (right design, right tools, right processes, right people), and if you ignore possible supply chain problems. ZTA technologies give granular access to verified users for only the applications and data that your workers need while continuously monitoring user and device behavior to adjust access based on risk dynamically. This means that the risk of lateral movement by an attacker is dramatically reduced, the connectivity between the user and the app is efficient, and the security of the connection goes well beyond encrypting traffic between two points. NIST provides excellent guidance on implementing a zero trust architecture and reviewing the various options available.
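The risk-adaptive access decision described above, as an added illustration that is not code from the original post or from NIST: each request is checked against an entitlement table first (least privilege), then scored on device posture and behaviour signals, and the verdict is allow, step-up (a fresh MFA challenge) or deny, with a reason for the audit log. The users, resources, signal weights and thresholds are constructed for this example and are not a standard.

```go
package main

import "fmt"

// AccessRequest carries the identity, device-posture and behaviour signals a zero trust
// policy engine evaluates on every request, not just at login. (Constructed example.)
type AccessRequest struct {
	UserID          string
	Resource        string
	MFAVerified     bool    // user completed a second factor in this session
	DeviceManaged   bool    // device is enrolled and reporting posture
	DiskEncrypted   bool    // disk encryption reported by the device agent
	PatchAgeDays    int     // days since the device last applied OS patches
	GeoVelocityKmph float64 // distance/time from the previous login; implausible travel is a signal
	FailedLogins1h  int     // recent failed authentication attempts for this user
}

// Decision is the policy engine's verdict.
type Decision string

const (
	Allow  Decision = "allow"
	StepUp Decision = "step-up" // require a fresh MFA challenge before granting access
	Deny   Decision = "deny"
)

// Assumed entitlement table: least privilege means a user reaches only the listed resources.
var entitlements = map[string]map[string]bool{
	"alice": {"payroll-app": true, "wiki": true},
	"bob":   {"wiki": true},
}

// Assumed set of resources that always require MFA, regardless of risk score.
var sensitive = map[string]bool{"payroll-app": true}

// RiskScore aggregates posture and behaviour signals into one number; higher is riskier.
// The weights are illustrative.
func RiskScore(r AccessRequest) int {
	score := 0
	if !r.DeviceManaged {
		score += 30
	}
	if !r.DiskEncrypted {
		score += 20
	}
	if r.PatchAgeDays > 30 {
		score += 20
	}
	if r.GeoVelocityKmph > 1000 {
		score += 40
	}
	if r.FailedLogins1h >= 5 {
		score += 25
	}
	return score
}

// Evaluate is the policy decision point: default deny, entitlement check first, then
// risk-adaptive thresholds. It returns the decision and a reason for the audit log.
func Evaluate(r AccessRequest) (Decision, string) {
	if !entitlements[r.UserID][r.Resource] {
		return Deny, "no entitlement for resource"
	}
	score := RiskScore(r)
	switch {
	case score >= 60:
		return Deny, fmt.Sprintf("risk score %d at or above deny threshold", score)
	case !r.MFAVerified && (score >= 20 || sensitive[r.Resource]):
		return StepUp, fmt.Sprintf("risk score %d requires fresh MFA", score)
	default:
		return Allow, fmt.Sprintf("risk score %d within policy", score)
	}
}

func main() {
	healthy := AccessRequest{UserID: "alice", Resource: "wiki", MFAVerified: true,
		DeviceManaged: true, DiskEncrypted: true, PatchAgeDays: 3}
	d, why := Evaluate(healthy)
	fmt.Println(d, why) // allow

	// Same account re-evaluated mid-session: unmanaged device, implausible travel.
	travel := healthy
	travel.DeviceManaged = false
	travel.GeoVelocityKmph = 2500
	d, why = Evaluate(travel)
	fmt.Println(d, why) // deny
}
```

The point of the structure is that the entitlement check and the risk check are separate: a compromised but entitled account is caught by the behaviour signals, and a healthy device belonging to a user with no entitlement never gets as far as the risk score.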
One ZTA architecture that is getting attention is known as secure access service edge (SASE) cloud architecture. It combines several cloud network and cloud security functions, and delivers them as a single cloud service directly to user devices, branch offices, IoT devices and edge nodes to reduce latency caused by backhauling. SASE combines software-defined WAN (SD-WAN) capabilities with zero-trust, secure web gateways, cloud access security brokers, firewall-as-a-service, identity as a service (IDaaS), and other security technologies into a single platform. Such platforms are aimed at addressing the need for organizations to enable consistent, dynamic, secure access to sensitive data and applications on an internet scale.
A ZTA initiative could easily be sidelined due to the complexities and concerns arising from other types of foundational change in 2022. Increasing inflation, job loss, stock market and pandemic worries, an evolving global energy transition, and continuing breakdowns in any of the supply chains previously mentioned will amplify the concerns and the issues that must be considered. These issues will also create detrimental impacts on our increasingly fragile national cybersecurity posture in 2022. On top of this set of challenges is our largest strategic and greatest cyber threat – China – which already has been active in rattling the cyber saber in 2022. This is not to discount Russia and other well-known cyber adversaries, as world tensions heat up the military cyber front as well. China and Russia pose a threat not only for their cyber espionage capabilities, but also due to their influence operations and their ability to generate “localized, temporary disruptive effects on critical infrastructure.” The theoretical examples provided in a 2019 intelligence report describe China disrupting a natural gas pipeline for days or weeks, and Russia causing a power outage that lasts for at least a few hours. These are mild effects compared to what is possible in 2022, such as with Ukraine and Taiwan.
Other cyber threat trends and issues that were identified in 2021 and will persist in 2022 include:
- attack attribution will become increasingly critical and controversial as sophisticated actors become proficient in planting false flags in their attacks
- attacks will continue to align with global conflicts – a recent CISA warning affirms this observed trend
- significant attacks on critical infrastructure by sophisticated threat actors will continue to emerge in 2022 and grow more damaging
- supply chain compromises
- attacking confidence in governments and public institutions
- espionage and destructive attacks masquerading as ransomware will further hamper critical infrastructure operations
- cyber weapons will proliferate – zero days for sale and mass exploitation of stolen zero days will ratchet up attacks.
Advanced persistent threats (APTs) are becoming more prevalent and harder to detect, with nation state attackers focusing increasingly on firmware and management software across IoT, ICS, network, IT operations software, and cloud / web hosting. Essentially cyber worries cut across every economic and technological segment as the list of IT, OT, IoT, cloud, and 5G vulnerabilities and threats grows bigger every day.
And we still have on-going gaps in the cyber defenses of our critical infrastructure to be addressed as we move to Industry 4.0, where, according to control systems cybersecurity expert, Joseph M. Weiss, in this blog at Control Global, “process sensors have 100% trust [versus zero trust] by the control systems the sensors support and the operator displays that use the process sensor input. Not only are the sensors fully trusted, there is no process measurement integrity index that might enable facility operators to feel better about such trust,” he added. He also pointed out that many in the operational technology (OT) cyber security community believe that the networks are important, but the process sensors are not. Examples include the American Water Works Association (AWWA) and the American Petroleum Institute (API) cyber security standards that do not address process sensors. He also pointed out that the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) standards exclude process sensors.
Enterprises must also not take their eyes off of other important changes that are trending for 2022 that could affect their everyday operations and compete for funding and priorities, such as:
- technology [self-sovereign identity and Web 3.0, 5G and edge computing, blockchain, IoT, AI/ML, autonomous systems, sensors, digital twins, 3D printing / additive manufacturing, quantum computing, energy storage, Metaverse, stem cell therapies]
- work life balance and culture [remote work, gig economy, recruiting challenges, climate change, increasing use of EV and AV, Metaverse, outcome-based health]
- institutional processes [digital transformation, pace of M&A, supply chain]
- laws and regulations [privacy, data sovereignty, identity, ethics of AI, digital scarcity, Non-Fungible Tokens (NFTs), cryptocurrencies, consumer/child protection]
- economics [inflation, interest rates, stock market volatility, tariffs, embargoes, pandemic concerns, international tensions].
Shifts in the digital identity landscape will be felt in 2022, adding to the complexity of delivering digital services and bringing corresponding changes in trust models. Consumers today expect seamless connectivity to data and services, while businesses want frictionless service delivery but also want to know who they’re letting through the door. This is all achieved through identity. It has become an essential business enablement function, driven by the growth of the internet, digital products and services. With respect to identity, consumers want convenience and privacy, businesses want certainty and access, and governments want compliance and security. However, the way identity is centrally managed by each enterprise today creates a burden on the consumer to manage dozens of one-to-one online relationships with service providers. This burden is especially acute when it comes to managing privacy. From an identity architecture standpoint, the one-to-one relationship of consumer-to-account needs to be redesigned. What hopefully 2022 will bestow is greater adoption of the opportunity to build interoperable networks and fully fledged ecosystems – with supporting standards, policies, and trust frameworks – that provide consumers with new approaches towards identity mobility and being able to manage their privacy attributes.
To these ends we are already witnessing a shift in trust models as centralized identity management models are being replaced with a decentralized and user-controlled one – a personal identity ecosystem. Several organizations are developing standards to aid in this shift, such as the Decentralized Identity Foundation, the World Wide Web Consortium’s DID workgroup, the Open Identity Exchange (OIX), and GLEIF. National institutions in Europe and Canada are also embracing this shift, and it is showing up in the formation of new decentralized trust frameworks. The sudden, urgent need to be able to prove health information in a safe, privacy-preserving and secure way has also accelerated the spotlight on the concept of decentralized verifiable credentials tied to distributed ledgers. For example, the Hyperledger Foundation, spurred on by the pandemic, has three identity-focused projects in the community: Indy (a distributed ledger for identity credentials), Aries (data exchange protocols and implementations of agents for people, organizations and things), and Ursa (a cryptographic library underlying Indy and Aries). Global supply chains are also looking to move forward in 2022 with decentralized business and entity verification [e.g., GLEIF] tied to blockchains to help secure their pipelines, and as KYC and KYB processes get implemented and upgraded to meet the EU’s eIDAS standards and its compatible framework for self-sovereign digital identities. Digital identity is a how, not a what, and the path to establishing personal identity ecosystems will be a journey, not a destination. As such, I expect new advances during 2022 in identity management through the merging of AI and identity to improve identity verification, reputation scoring, and credit scoring.
These advances will generate greater adoption of decentralized IDs, and more seamless and intelligent personal identity management workflows with the addition of more consumer control over the use of identity and consumer attributes.
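The verifiable-credential flow referenced above, as an added example that is not part of the original post and is not code from Hyperledger Indy, Aries or Ursa: an issuer signs a credential with Ed25519, the holder presents it, and a relying party checks it against a registry that stands in for the ledger (issuer DID resolved to a public key, plus a revocation list). The verifier never contacts the issuer, which is what makes the holder’s privacy position different from a centralized lookup. The DIDs, credential fields and claim values are constructed for this example and do not follow the W3C data model exactly.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is a simplified verifiable credential: issuer, subject, claims and a
// validity window. Field names are constructed for this example.
type Credential struct {
	ID        string            `json:"id"`
	Issuer    string            `json:"issuer"`  // issuer DID, e.g. "did:example:clinic"
	Subject   string            `json:"subject"` // holder DID
	Claims    map[string]string `json:"claims"`
	IssuedAt  int64             `json:"issued_at"`  // Unix seconds
	ExpiresAt int64             `json:"expires_at"` // Unix seconds
}

// SignedCredential is what the issuer gives the holder and the holder presents to a verifier.
type SignedCredential struct {
	Credential Credential `json:"credential"`
	Signature  []byte     `json:"signature"`
}

// Registry stands in for the verifiable data registry (a ledger, in the post's example):
// it resolves an issuer DID to its public key and lists revoked credential IDs.
type Registry struct {
	Keys    map[string]ed25519.PublicKey
	Revoked map[string]bool
}

func NewRegistry() *Registry {
	return &Registry{Keys: map[string]ed25519.PublicKey{}, Revoked: map[string]bool{}}
}

// RegisterIssuer generates an Ed25519 key pair for an issuer DID and publishes the public half.
func (r *Registry) RegisterIssuer(did string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	r.Keys[did] = pub
	return priv, nil
}

// canonical serialises the credential deterministically (encoding/json sorts map keys),
// so issuer and verifier sign and check exactly the same bytes.
func canonical(c Credential) ([]byte, error) {
	return json.Marshal(c)
}

// Issue signs the credential with the issuer's private key.
func Issue(priv ed25519.PrivateKey, c Credential) (SignedCredential, error) {
	msg, err := canonical(c)
	if err != nil {
		return SignedCredential{}, err
	}
	return SignedCredential{Credential: c, Signature: ed25519.Sign(priv, msg)}, nil
}

// Verify is the relying party's check: known issuer, intact signature, inside the
// validity window, and not revoked. Only the registry is consulted, never the issuer.
func Verify(reg *Registry, sc SignedCredential, now time.Time) error {
	pub, ok := reg.Keys[sc.Credential.Issuer]
	if !ok {
		return errors.New("unknown issuer")
	}
	msg, err := canonical(sc.Credential)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sc.Signature) {
		return errors.New("signature invalid: credential altered or forged")
	}
	if t := now.Unix(); t < sc.Credential.IssuedAt || t > sc.Credential.ExpiresAt {
		return errors.New("credential outside validity window")
	}
	if reg.Revoked[sc.Credential.ID] {
		return errors.New("credential revoked")
	}
	return nil
}

func main() {
	reg := NewRegistry()
	priv, err := reg.RegisterIssuer("did:example:clinic")
	if err != nil {
		panic(err)
	}
	now := time.Now()
	cred := Credential{ID: "urn:example:cred-1", Issuer: "did:example:clinic",
		Subject: "did:example:alice", Claims: map[string]string{"vaccinated": "true"},
		IssuedAt: now.Unix(), ExpiresAt: now.Add(24 * time.Hour).Unix()}
	sc, _ := Issue(priv, cred)
	fmt.Println("genuine:", Verify(reg, sc, now))

	tampered := sc // holder edits a claim after issuance; the signature no longer matches
	tampered.Credential.Claims = map[string]string{"vaccinated": "true", "role": "admin"}
	fmt.Println("tampered:", Verify(reg, tampered, now))

	reg.Revoked[cred.ID] = true // issuer revokes via the registry; verifier sees it next check
	fmt.Println("revoked:", Verify(reg, sc, now))
}
```

The ordering inside Verify matters: the signature is checked before expiry and revocation so that an attacker cannot learn anything about the registry contents from a credential they forged.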
The shift to decentralized identity is riding the wave of Web 3.0 developments which leverage semantic web technologies (including decentralized digital identity), machine learning, artificial intelligence and blockchain to achieve real-world and virtual world, human and machine-readable communication within and across different ecosystems. Web 3.0 enables the formation of decentralized applications (dApps). Ownership, identity, and community are the heart of Web 3.0 dApps, and they’re forming fast growing interconnected ecosystems of a more democratic web that will hopefully compete with the mega-platform owners in the future. Examples of a dApp are decentralized digital marketplaces which allow buyers and sellers to deal directly with each other instead of meeting in a traditional exchange via a third party. One such marketplace is iExec which leverages blockchain, confidential computing, zero knowledge proofs, and smart contracts. It allows decentralized trading of compute resources (data, services, compute hardware) as a commodity. Some other marketplaces and dApps cover NFTs, DAOs, digital identity solutions, margin trading, real estate, lending and much more. Blockchains like Hive are quickly becoming the most valuable decentralized hubs in the world. Many dMarkets and dApps participate in ecosystems for payment and exposure such as DeFi. I expect that this space will continue to grow significantly in 2022 but will be dogged by cyber attacks against crypto wallets, poorly coded smart contracts, and poor cyber hygiene by crypto exchanges and dApp providers. These issues have been trending up since 2020, when there were 122 blockchain-related attacks recorded. These led to the theft of almost $3.78 billion. These attacks show weaknesses when it comes to the security of cryptocurrency investment accounts.
Standardization of authentication protocols along with multifactor authentication are some things that can help solve security issues in the cryptocurrency industry. I also really like the security and privacy controls offered by iExec and hope that others in this space follow their example.
Cryptography, a traditional bastion for trust for systems and for blockchain, also has an Achilles heel with the advent of quantum computing and its not too distant ability to easily crack today’s asymmetric algorithms such as RSA. The blockchain accounting technology that powers cryptocurrencies could be vulnerable to sophisticated attacks and forged transactions if quantum computing matures faster than efforts to future-proof digital money. Keep in mind that it takes a 5,000 qubit quantum computer to penetrate Bitcoin’s encryption and solve for private keys. As of 2020, the most advanced quantum computers can only reach 66 qubits as their quantum states are very difficult to control. However, IBM has laid out a roadmap to reach 1000 qubits by 2023, and there have been other recent advances that can bring this code-breaking capability closer to reality. I expect to see many new announcements around this topic in 2022 as the pace of improving the performance and programmability of quantum computers accelerates. NIST is in the midst of selecting quantum-safe crypto algorithms to help counter the future threats of crypto-breaking quantum computers and I expect some more announcements from NIST in 2022.
Challenges on the compliance side are also growing in importance and complexity as regulations and standards continue to evolve in 2022. For example, data sovereignty controls how and where users’ data is stored. Data residency and localization requirements vary by jurisdiction along with the specific data transfer criteria. This complexity makes managing cross border data flows within existing data sovereignty laws increasingly challenging across the board. Governments are looking to experts [mainly platform owners and NGOs] to help find ways to address these challenges. Privacy is also an important topic on many people’s minds – both businesses and consumers – as the consumer-centric GDPR has produced significant fines for violations in 2021 and consumer worries over privacy protection rise. An increasing rate of privacy-based lawsuits has caused several major platform owners such as Google, Meta, Microsoft, and Twitter to rethink how they use and protect consumer data. Regulators have increased concerns about crypto currencies and I expect to see new regulations passed in 2022. Regulators are also worried about how safe and secure the ML algorithms driving businesses and autonomous systems are and how they should be evaluated for propriety and discriminatory practices. My bottom-line question with respect to these issues is: can we really trust the collective wisdom of government policy-makers and big social media platform owners as they struggle with the emergence of the digital economy and society?
With regard to ML and AI, we are seeing an algorithmic revolution. Everywhere you look, AI / ML algorithms are being developed and deployed to create intelligent tools, robots, intelligent workflows, and to perform big data analytics for complex problems. In fact, according to this 2018 article in the ACM – The Next Phase in the Digital Revolution: Intelligent Tools, Platforms, Growth, Employment, “We are entering a world that will increasingly be organized through the interplay of algorithms and data. It will be a data analysis-based economy and society where observation and interpretation of our individual behavior and optimization of our physical systems will be based on computation.” With the addition of smart sensors, these AI/ML algorithms are creating smart systems that are autonomous and changing the dynamics of the marketplace. The big platform owners that already have access to immense data resources are becoming algorithm-enabled “cyberplaces” where constituents can act, interact, and transact. In essence, the constituent creators “consign” their work to the platform. This consignment confers enormous power to the big platform owners like Google, Meta, Microsoft, AWS, Twitter, and Apple. I am convinced that this concentration of power is not a good thing.
All of these smart applications are also affecting jobs – creating new ones, eliminating current ones, or otherwise causing reskilling – and are being deployed in every conceivable way, and in every industry sector. For example, roles for cyber defenders are becoming marginalized by self-learning AI that is being adopted to automate threat detection and remediation of cyber events. Can AI fill the talent gap felt in cybersecurity? At the same time, there is a dark side to AI – AI is creating a more efficient process for hackers to attack their targets. Hackers are leveraging AI technologies to develop intelligent malware programs and execute stealth attacks. It seems that the not too distant future cybersecurity world will be AI defenses versus AI offenses.
Another interesting AI application I ran across recently was IBM Research’s efforts coined “AI for Code” or Project CodeNet. According to the IBM white paper, some outcomes of CodeNet will be to “increase software development productivity and modernize legacy applications… and which is aimed at teaching AI to code.” Again, AI has the potential to marginalize a large work force. Although not totally surprising, this application made me think – we will have AI applications that can write code – code which could create another AI algorithm. So as we move to a digital economy and most work is performed via software, will the future be “In AI we trust?”
There are many hard problems about AI to solve before we trust AI. For example, multi-agent decision-making and collaboration, along with distributed, low latency computation architectures for heterogeneous agents, are hard AI problems that affect things like autonomous vehicles. This AI problem raises questions like how to distribute knowledge and decision-making across multiple intelligent agents and network nodes (vehicle, edge, cloud), and how these agents work together to achieve joint goals and their individual goals. What the role of human judgment should be in conjunction with AI is another difficult question. As AI becomes more prominent across the globe, building trustworthy AI systems is paramount. The foundations of trust must be built into the design of every AI system: explainability, safety and verifiability.
So how should we approach trust in 2022? Does Web 3.0 hold a secret to increasing democratization and improving authenticity? With its foundation built on top of distributed ledger technology, do we have a new trust anchor on which to build a responsive, more democratic, global, and more secure Internet? Per NIST – “Blockchain technology offers high confidence and tamper resistance implemented in a distributed fashion without a central authority, which means that it can be a trustable alternative for enforcing access control policies.” Or will the overhead and communication issues cause DLTs to falter at the scale desired? Will the foundations of trust for AI progress to provide predictability and satisfy reliance on its widespread use? Will hardware advances such as confidential computing provide a pervasive solution for securing our new digital economy and enabling better authenticity of the people and information and processes we interact with? There seem to be many questions regarding trust and security for 2022. I look forward to the exciting journey to answers as the year unfolds.