By Nils Gerhardt, Chief Technology Officer for Utimaco
At the end of 2021, the pandemic that had caused so much disruption throughout the previous two years appeared to be ebbing away, and the world was ready to get back to the pre-pandemic norm.
However, 2022 brought new crises, and the threat from cybercrime continued to grow. The resulting economic conditions caused cybercrime to keep growing rapidly, as it did during the pandemic, and put extra strain on companies, which will face a huge upswell in petty fraud attempts: eCommerce companies receiving large numbers of automated credit card fraud attempts, for example, or organizations receiving more severe ransomware attacks, phishing attempts, and so on. This increases the load on automated anti-fraud systems and raises the chance of an attack getting through – it only takes one unsavvy employee opening a phishing email to cause a major security breach.
Although many established trends will continue to grow, such as the use of AI and the growing importance of quantum-agility, I believe the following trends will be dominant in 2023.
Protection of supply chains – both physical and digital
Supply chains are still one of the dominant topics for a wide variety of industries, and the topic will stay with us in the new year. Software supply chains are changing: remote tools and services are used alongside open-source software, and companies are building whole applications using low-code methods. Many of these tools are low-code or no-code, meaning that there is little interaction with them at the code level; while this is helpful in many cases, it can prevent security professionals from identifying vulnerabilities. To avoid introducing new vulnerabilities that, if they go undetected in the software supply chain, may spread to customers, companies will have to focus on securing their software supply chain.
Similarly, the hardware supply chain needs scrutiny, especially when components are in high demand. In hardware supply chains it is important, for example, to check whether networked components are genuine. Large quantities of counterfeit goods are now in circulation that cannot easily be distinguished from the real thing, and the insecure firmware of such components can become a dangerous gateway into networked systems.
Therefore, solutions are needed to guarantee the authenticity of such parts. With key injection, it is possible to give parts a cryptographically secured identity that can be easily checked by different authorities.
In the software space, software bills of materials (SBOMs) can be used, which show which software components were used, whether open source or otherwise. In addition, they make the relationships between individual components in the software supply chain transparent, which allows users to assess much more quickly whether software is affected by a reported vulnerability. US authorities have recently been required to request an SBOM and process documentation from their software suppliers so that potential vulnerabilities in their software can be addressed faster. It is safe to assume that such information will also be in greater demand in Europe in the future.
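The assessment described above, as an added example that is not from the original article: a minimal CycloneDX-style SBOM (constructed for this example) is parsed into a reverse dependency map, and an advisory against one component is expanded to every component that transitively depends on it. The component names, versions and the `fixed_in` threshold are assumptions.

```python
import json

# Constructed minimal CycloneDX-style SBOM for this example; not a real product's BOM.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"bom-ref": "pkg:app", "name": "shop-frontend", "version": "2.4.0"},
    {"bom-ref": "pkg:web", "name": "webframework", "version": "5.1.2"},
    {"bom-ref": "pkg:log", "name": "logutil", "version": "2.14.1"},
    {"bom-ref": "pkg:json", "name": "jsonparser", "version": "1.9.0"}
  ],
  "dependencies": [
    {"ref": "pkg:app", "dependsOn": ["pkg:web"]},
    {"ref": "pkg:web", "dependsOn": ["pkg:log", "pkg:json"]}
  ]
}
"""

def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def load_sbom(text):
    """Return the component table and a reverse dependency map (dependency -> dependents)."""
    bom = json.loads(text)
    comps = {c["bom-ref"]: c for c in bom["components"]}
    parents = {ref: set() for ref in comps}
    for d in bom.get("dependencies", []):
        for dep in d.get("dependsOn", []):
            parents.setdefault(dep, set()).add(d["ref"])
    return comps, parents

def affected_components(sbom_text, name, fixed_in):
    """bom-refs of components matching an advisory against `name` (all versions
    below `fixed_in`), plus every component that transitively depends on them."""
    comps, parents = load_sbom(sbom_text)
    hits = {ref for ref, c in comps.items()
            if c["name"] == name and parse_version(c["version"]) < parse_version(fixed_in)}
    affected, stack = set(hits), list(hits)
    while stack:  # walk the reverse edges up to the top-level application
        ref = stack.pop()
        for parent in parents.get(ref, ()):
            if parent not in affected:
                affected.add(parent)
                stack.append(parent)
    return sorted(affected)
```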
Companies should be careful with low-code or no-code platforms, since traceability is extremely difficult: users usually have no insight into exactly which components are being used and when they were updated. While low-code and no-code platforms give companies an immense advantage in speed of deployment and ease of use, these platforms will need to focus on providing ways to integrate appropriate security measures into the generation of new applications.
Another aspect of software supply chain security is continuous delivery. Here it must be ensured that third parties cannot inject malicious code into the pipeline and that all open-source components used are secure.
Cloud computing has given companies computing power that would otherwise only be available from supercomputers. However, when an organization sends sensitive information to a cloud service, outside actors may be able to eavesdrop on that information in a way that would be much more difficult (but not impossible) if the operation were happening in a closed system. This increases the need for security; at the same time, companies must ensure that they do not come into conflict with European GDPR regulations by using large cloud providers.
Confidential computing processes data in a trusted execution environment (TEE), a secure part of the cloud computer’s CPU. Embedded code makes sure that the encryption keys that secure the data are available to authorized code only, so additional code sent by a third party won’t be executed, and authorized code will be ‘invisible’ to attackers. This way, sensitive data remains encrypted in the cloud computer’s memory until the TEE moves it to the processor. Throughout the entire process the data is invisible to both third parties and the cloud providers themselves. This in turn creates the need to manage the identities of users for authorized access. Cryptographic providers can help with this and with key management for data encryption. In the future, more and more companies will rely on encryption in the cloud, and the demand for key management and a hardware root of trust will therefore also increase significantly.
Crypto asset management
Companies today are often not even aware of what type of cryptography they are actually using: which certificates are in use, when they will expire, and what algorithms the different enterprise applications execute. There is great uncertainty, so the need to understand a company’s own infrastructure better and to properly secure a wide variety of communications is growing. For this reason, security-conscious companies are increasingly starting crypto assessments.
Another step is forward-looking asset management, for example replacing an algorithm once it is outdated. In the future, it will be important to find solutions and define processes for continuously modernizing a company’s own cryptographic assets. The aim is so-called crypto-agility: algorithms can be swapped directly if a certain encryption method is broken – for example, by quantum computers.
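Crypto assessment and crypto-agility as described in the two paragraphs above, shown in an added example that is not from the original article: stored integrity records carry their algorithm name, a policy table says which algorithms are current and which are retired, an inventory function reports what is in use, and retired records are re-protected under the current default. The policy contents, the `alg$hexdigest` record format and the sample data are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed algorithm policy for this example. Retiring an algorithm is a
# one-line change here; everything else adapts, which is what crypto-agility means.
POLICY = {"default": "sha256", "allowed": {"sha256", "sha3_256"}, "retired": {"md5", "sha1"}}

def tag_digest(data: bytes, alg: str = None) -> str:
    """Store the algorithm name next to the digest so it can be assessed later."""
    alg = alg or POLICY["default"]
    if alg not in POLICY["allowed"]:
        raise ValueError(f"{alg} is not permitted by policy")
    return f"{alg}${hashlib.new(alg, data).hexdigest()}"

def verify(data: bytes, tagged: str) -> str:
    """'ok', 'rotate' (digest valid but algorithm retired), 'mismatch' or 'unknown'."""
    alg, _, hexd = tagged.partition("$")
    if alg not in POLICY["allowed"] | POLICY["retired"]:
        return "unknown"
    if not hmac.compare_digest(hashlib.new(alg, data).hexdigest(), hexd):
        return "mismatch"
    return "rotate" if alg in POLICY["retired"] else "ok"

def rotate(data: bytes, tagged: str) -> str:
    """Re-protect a record under the current default if its algorithm is retired."""
    status = verify(data, tagged)
    if status in ("mismatch", "unknown"):
        raise ValueError("refusing to rotate a record that does not verify")
    return tagged if status == "ok" else tag_digest(data)

def inventory(records):
    """Crypto assessment: per algorithm, how many records use it and whether it is retired."""
    counts = {}
    for _, tagged in records:
        alg = tagged.partition("$")[0]
        counts[alg] = counts.get(alg, 0) + 1
    return {alg: (n, alg in POLICY["retired"]) for alg, n in counts.items()}

# Constructed legacy record written before sha1 was retired (sample data only).
LEGACY_DATA = b"invoice-42"
LEGACY_RECORD = "sha1$" + hashlib.sha1(LEGACY_DATA).hexdigest()
```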
The essentials of cybersecurity set-up
Overall, 2023 looks set to be a year in which companies concentrate on the essentials of their security setup: their supply chain, the security of their data in the cloud, and their ability to switch to new forms of encryption. When building up the foundations of a company’s cybersecurity, hardware-based or cloud-based solutions will continue to be essential.
Nils Gerhardt is the Chief Technology Officer for Utimaco, a leading provider of cyber security solutions, and board member of the IoT M2M Council. Before joining Utimaco, Nils worked at Giesecke + Devrient in various executive management roles with regional and global responsibilities in Germany, Canada and the USA. As Chairman of the Board of GlobalPlatform, a global industry organization, Nils brought major companies together to define the standards for secure digital services and devices.