NCC Group’s global look ahead to 2022 with Jennifer Fernick

We’ve interviewed industry leaders from our four key geographies – the UK, the Asia-Pacific (APAC) region, North America and Europe – to understand the key developments in each region over the last twelve months, and what we might expect from the year ahead and beyond.

North America with Jennifer Fernick, Global Head of Research

In North America, computer scientist and former financial sector cybersecurity leader Jennifer Fernick – who has deep technical expertise in cryptography, quantum computing, and artificial intelligence – shared her insights on the key developments in the region.

What are the three key developments you saw in North America in 2021?

The rise of ransomware has changed the business impact of exploitable vulnerabilities, from the somewhat abstract impacts on confidentiality, reputation, intellectual property protection, and customer trust, to the more direct availability threat resulting in immediate loss of access to the core data and systems of the business. While security-mediated availability risks have always existed, ransomware has made them palpable to corporate boards. The downside of the IoT revolution is both that most of our enterprise systems and critical infrastructure are increasingly vulnerable and fragile to attackers at a keyboard thousands of miles away, as well as that smaller organizations are becoming increasingly dependent on major technology companies to continue to operate with reasonable resilience and security. Regulatory and diplomatic levers – such as sanctions – are at this point likely going to be more effective at damping the global rise of ransomware, compared to individual technical interventions, but I also believe that we are being presented with a “grand challenge” to improve the ways we find and remediate vulnerabilities, at scale. Perhaps in facing a threat of this magnitude, the security industry will be forced to innovate and take a more scientific approach than it currently does to examining the efficacy of different security tools and interventions.

Such policy levers are also beginning to take effect in strengthening supply chain security. The Biden administration’s Executive Order on Improving the Nation’s Cybersecurity, which set ambitious timelines for introducing regulations that aim to enhance software supply chain security, has driven significant behavioral change across affected organizations, with product development pipelines being reshaped to meet the US Government’s expectations. This is especially important given how rapidly vulnerabilities are being exploited in the wild – research has shown that over the last few years, the mean time to exploitation of vulnerabilities has gone from several weeks down to just a few days. As a result, the software ecosystem’s massive interdependence is an increasing risk, because flaws in a codebase’s dependencies represent risk of exploitation in the increasingly near future, necessitating a rethinking of vulnerability management and triage, as well as of how to improve the security of the software supply chain in ways that scale.

The cyber security skills gap is continuing to grow. It is a worrying trend against the backdrop of ransomware on the continual rise and an ever-complex security landscape.

All three of these issues necessitate finding more comprehensive, scientifically rigorous, scalable approaches to detecting and remediating security vulnerabilities.

What are the three key developments we can expect to see in North America in 2022?

Decentralized Finance – what happens when (insecure) code is law?

Historically, cyber security breaches have tended not to impact financial markets or company valuations in any great way, bar a short-term dip. Stock valuations are increasingly detached from cyber security realities, perhaps because the effects of security events are often felt indirectly, or because they are still difficult for many firms to quantify and attribute. Consequently, improvements in cyber resilience today are largely driven by regulatory interventions. However, in the sphere of decentralized finance (DeFi), where value is exclusively stored digitally and mediated directly by code, a threat actor could directly and immediately remove value from a company through attacking the underlying infrastructure, protocols, or cryptographic implementations. One leaked cryptographic key or a single software flaw could lead to the collapse of entire organizations. I suspect that serious DeFi companies will, over time, more easily understand the intrinsic value of robust cybersecurity than their so-called “web2” counterparts, mainly because for DeFi, “code is law”, and there is so much at stake that can vanish in an instant. I therefore expect to see a bottom-up, market-driven push for higher assurance systems for serious decentralized finance companies, the like of which we’ve perhaps never seen before in any other sector.

Large language models present massive risk

I’m also captivated (and concerned) by the security implications of the ongoing development within the AI research community of large language models. They are scaling rapidly – by 1-2 orders of magnitude in number of parameters each year – which is particularly stunning because in many cases, generic large language models are outperforming special-purpose AI models, and will increasingly do so as language models scale. We are edging closer to a ‘no-code future’, where tools utilizing large language models replace coding and traditional app development. However, there are intrinsic security risks with using such tools, and their potential both to (unintentionally or not) generate insecure code – and maybe even to generate exploits against insecure code – is something that requires a deep and serious research effort by good-faith security researchers so we better understand what is possible, before attackers do. This looming security issue isn’t on policymakers’ radar, but it soon will be.

(Also see: https://research.nccgroup.com/2021/12/31/on-the-malicious-use-of-large-language-models-like-gpt-3/)

Users deserve to know about the security of their apps and devices

My final prediction for 2022 is that we’ll begin to see users becoming more empowered and informed about the security of the devices and apps that are a part of their lives, through a combination of measures including better consumer-oriented security labelling. We’re already seeing this come into effect for consumer IoT devices, following widespread recognition that consumers should be able to make informed choices about the products they have in their homes. Should the same principle not apply to our mobile phones? Security assurance should not only be available to the technical elite – setting clear standards, benchmarks, and security labelling for consumer-oriented applications and devices is something that will make everyone safer and more secure. I look hopefully forward to a future where this is the norm.

Wildcard prediction for 2022 and beyond

In the coming few years, the race to build arbitrarily scalable general-purpose quantum computers has the potential to dramatically shift the geopolitical balance of power through the decryption and thus data-collection abilities that will be achieved through quantum cryptanalysis. Quantum computers will enable us to efficiently compute certain things previously believed intractable in our lifetimes. In security terms, they will be capable of breaking (or, in the case of symmetric ciphers, significantly weakening) almost all of the widely-used cryptographic algorithms in place today – jeopardizing the security of communications in the presence of malicious third parties. Whilst work to develop – and migrate to – quantum-resistant cryptography is well underway, nations’ scientific and intelligence communities are in a race against the rest of the global scientific community to achieve first-mover advantage, and it will not necessarily show up as headline news when the first government cracks RSA2048. Whoever gets there first will wield significant power in ways that cannot be overstated – but we can partially mitigate the impact of this through the deployment of high-quality implementations of well-cryptanalyzed quantum-safe cryptographic algorithms.

Categories

  • growing threat landscape
  • increasing regulatory & legislative requirements
  • securing our connected future