The SecurityWeek editorial team huddled over the holidays to look back at the stories that shaped 2022 and, more importantly, to stare into a shiny crystal ball to find the cybersecurity narratives that will dominate this year’s headlines.
For the most part, not much will change. Organizations large and small will continue to acknowledge major data breaches, zero-days and ransomware crises will spread to new targets and a skills shortage in an uncertain economy will cause major headaches for even the most well resourced security program. With each passing year, we see new threats emerge and old ones evolve, and 2023 is likely to be no different.
Here are some of our predictions for 2023, covering the big business of cybersecurity, sophisticated attacks targeting industrial control systems (ICS), the surveillance-for-hire ecosystem, venture capital funding and startup valuations, M&A activity, nation-state APTs and cyberwar activity.
Big-tech makes big acquisitions
When Microsoft announced it was raking in billions in annual revenue from cybersecurity software and services, everyone took notice. Soon after, Google spent nearly $6 billion to acquire Mandiant and Siemplify, two deals that established the search marketing giant as a player in the security business.
This year, we’re predicting Amazon joins the fray with at least two big acquisitions — in the managed detection and response (MDR) and cloud data security posture management (DSPM) categories. Security is a major business enabler for the big cloud providers and, in addition to Amazon, we expect to see Oracle and IBM pounce on available bargains among startups.
Having lost out on the Mandiant deal, Microsoft will also be an active buyer in 2023. We expect at least one shocker of a deal in the public markets as Redmond continues to flex its security vendor muscles.
Our editors won’t be surprised to see Crowdstrike and SentinelOne involved in an industry-altering transaction by the summer of 2023 as big-tech lines up to feast at the security trough.
ICS malware in-the-wild
We believe at least one sophisticated malware family targeting industrial control systems (ICS) will emerge this year with some never-before-seen infection cyberespionage and data-destruction capabilities.
Like PIPEDREAM last year, the threat will be mostly contained with assistance from global government intelligence agencies but artifacts from the malware will be found in some of the most sensitive places, prompting a massive cleanup-and-expel operation that will cost hundreds of millions of dollars.
The discovery of the malware, which will include modern firmware and BIOS infection mechanisms, will lead to stricter mandates around SBOMs in critical infrastructure products, and increased government funding for below-the-OS security solutions, multi-factor authentication (MFA) technology, and attack surface management tools.
Our editors are also expecting a surge in the discovery of critical ICS vulnerabilities and a heavy focus by ransomware actors to target known and unknown flaws in network devices and embedded systems.
A sputtering startup ecosystem
It won’t be a good year for cash-strapped startups, especially late-stage VC-backed companies without a clear path to exit. The economic turbulence of 2022 will persist this year, leading to silent layoffs, cutbacks and eventual contraction with quiet mergers between competitors.
We won’t be surprised to see a feeding frenzy as big-tech (see above) look for bargains among startups, especially in the software supply chain, zero-trust, and data security categories.
On the funding side, our editors will be writing stories on down-rounds and fewer unicorns as investors deploy capital with more caution. On the flip side, the conveyor belt of stealth-mode startups with significant seed-stage funding will continue to raise eyebrows.
The once-hot Israeli startup ecosystem will see major contraction with not-so-stellar exits (Cisco and Palo Alto Networks will be happy buyers) and mergers among competitors.
Cyberwar and geo-political tensions
The ferocity of the Russia/Ukraine war will place new emphasis on critical industries and national security as global governments scramble to navigate geo-political tensions.
Western governments that have been reluctant to appear too intrusive on their national private economies will begin to impose more stringent cybersecurity requirements and restrictions. Privacy will take a back seat to necessity in data sharing.
We expect to see major cyberattacks linked to military objectives and an intense discussion about the involvement in hacktivists and civilians in cyber activities.
One of the predictions we nailed last year was the deliberate outing of PSOAs (private sector offensive actors) supplying exploits and hacking tools to governments around the world.
This year, we expect to write significant stories on the big tech vendors – especially Meta, Microsoft, Google and Apple – exposing private mercenary hacking teams in newer geographies. Look closely for a blurring of the lines between legitimate pen-testing and security assessment firms and the lucrative market for offensive hacking services.
Government sanctions and retaliatory policies around the world will likely lead to the arrest of at least one prominent security researcher linked to nation-state surveillance tooling. Latin America will emerge in 2023 as a hotbed for mercenary offensive security talent.
Cyberinsurance dog and bone
The return-on-investment for cyberinsurance will be increasingly questioned as premiums, exclusions and refusals all rise. But cyberinsurance is not going away. It’s like a dog with a bone — and you are the bone.
Startups will question the logic of replacing existing algorithms with effectively similar but more complex algorithms. They will do this by developing technology that will make one-time pads feasible. A quantum-safe algorithm means there is currently no known method of defeating the algorithm. A one-time pad is quantum-secure — which means that it can never be defeated by any mathematical means such as any quantum computer.
Abusing artificial intelligence
Thus far, the evolution of artificial intelligence has largely had a beneficial effect on cybersecurity. Expect that to be challenged in 2023 as criminal groups learn how to abuse it. First they have to understand it, then learn how to abuse it, and finally how to monetize that abuse. That final phase is getting closer, either in 2023 or 2024.
We expect to see OpenAI’s ChatGPT application featuring prominently in security research, especially among threat hunters and security software development teams.
Blurred criminal lines
The increasing professionalism of the criminal underworld will make it difficult to distinguish between elite criminals and nation-state groups in terms of performance. The crime -as-a-service business model will enable criminal wannabes to operate at a little short of APT quality.
Motive will become a major differentiating factor between criminal and nation-state attacks.