Predicting the future of security in 2023 and beyond

From Quantum to Code Signing, DNS tools to Digital Identity, the complexity of the cybersecurity landscape grows by the day. Here’s our predictions on what you need to be ready for as we enter 2023.

We can’t predict what’s coming next without examining our past. And when it comes to the future of technology, security and digital trust, there have been few years leaving us with as much to think about as 2022.

Australia has seen some of the biggest cybersecurity breaches in corporate history, and the 2022 Australian Cyber Security Centre (ACSC) annual report declares that ‘cyberspace has become a battleground’. From ransomware to critical infrastructure attacks, the breadth of attack types and targets has grown rapidly. The ACSC now sees a cybercrime report every 7 minutes, with average losses per report of $64,000 — with SMBs seeing the highest average impacts.

It’s now an existential threat to businesses to be prepared for not only the existing threats but the threats that will soon be at your doorstep. So what does 2023 hold? Our team of cybersecurity experts, including, Avesta Hojjati, Dean Coclin, Mike Nelson, Srinivas Kumar, Stephen Davidson, Steve Job and Tim Hollebeek weigh in on what to expect in the next year.

Quantum computing will force cryptographic agility

Cracking a 2048-bit encryption would take an unfathomable amount of time with current technology. But a capable quantum computer could conceivably do it in months.

Last year we predicted major developments in the post-quantum computing world as the U.S. National Institute of Standards and Technology (NIST) reviewed potential cryptographic algorithms that could withstand both traditional and quantum attacks. NIST has since chosen a first group of encryption algorithms designed to become part of its post-quantum cryptographic standard.

As this standard is developed, we predict an increased focus on the need to be crypto-agile as quantum computers pose a significant future threat for secure online interactions. While it may take several years to incorporate into various standards, organisations should begin to prepare now — playing catch up in the post-quantum age will be futile.

Security systems will need the capability to rapidly switch between encryption mechanisms in the near future. While quantum may seem like a far-off reality, the fact is that encrypted communications taking place today, not just in the future, are in peril. Crypto-agility means organisations know how cryptography is being used, that they have the tools to identify and fix issues and that they establish clear policies around cryptographic best practices. We predict crypto-agility will soon be a competitive advantage in the very near future.

Matter will become a true household standard

In recent months, the smart home standard and common language for smart home devices, Matter, has officially launched. As a true global standard, including Google, Apple, Amazon, Samsung and many more, Matter unifies the connected device industry to enable devices to work with each other across platforms.

We predict the Matter logo will become the symbol that consumers look for in smart home technology. Matter will soon become as recognisable as standards like Bluetooth, and with support within the latest Apple iOS 16 it is on a path to rapid adoption. Smart devices on the market throughout 2023 will quickly move to have the Matter logo on the box.

This rapid adoption means connected device manufacturers do not want to wait to become Matter compliant. Security is baked into the Matter standard carefully to ensure the future of smart home places trust at its core, and DigiCert is proud to be the first Matter-approved Root Certificate Authority, providing critical device attestation to smart home manufacturers looking to earn the Matter seal on their products.

Code signing will prompt race to the cloud

Used by software developers to digitally sign applications, drivers, executables and software programs, Code Signing Certificates help end-users verify that any code they receive has not been altered or compromised by a third party. They include your signature, your company’s name and a timestamp. Organisation validation (OV) code signing certificates are required to prove legitimacy.

But OV code signing certificates are changing. In June 2023, according to the SSL industry regulator CA/B Forum, private keys for OV Code Signing certificates must be stored on devices that meet FIPS 140 Level 2, Common Criteria EAL 4+ or equivalent security standards. This means certifications will be shipped to the customer on a USB device, delivered to the customer’s hardware security module.

We predict that these changes will mean customers move to cloud signing in large numbers, instead of dealing with replacing their hardware token. We also expect all code signing will be cloud-based in the future as customers will prefer cloud over having to keep track of a hardware key.

Software supply chain attacks force responsibility action

Headline-making software supply chain incidents, like those that impacted SolarWinds and Kaseya, have brought the importance of understanding your software dependencies into sharp focus.

In 2021, U.S. President Joe Biden issued an executive order on improving the nation’s cybersecurity that requires software sellers to provide federal procurement agents with a Software Bill of Materials (SBOM) for each software application. This is a list of every software component that comprises an application and includes every library in the application’s code, as well as services, dependencies, compositions and extensions.

Such actions are likely to spread quickly to other jurisdictions around the world as software supply chains are global in nature, and the Australian Government’s Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 places obligations and responsibilities onto companies and entities that operate systems of national significance.

Security industry analysts believe SBOMs will soon become standard practice as part of the procurement process, requiring software producers to be more involved in ensuring products are secure — and visibility will be key to that. Because of the information and visibility it provides into software supply chains, we predict SBOM transparency will be widely adopted across government and commercial markets in 2023.

EU digital identity will become the worldwide model

While SBOM is being driven by U.S. regulators, the EU has been driving standards to improve digital identity and privacy. The EU Digital Identity Wallet is a European Commission initiative under the eIDAS Regulation that will create a unified digital identification system across Europe. This will allow European citizens to carry eID versions of their official government identity documents in a secure mobile application for use in online authentication and electronic signatures.

In addition, the EU wallets will carry ‘electronic attribute attestations’ — supplemental aspects of identity like a professional qualification — that can be presented either with a personal identity or separately. The EU has significant cross-border projects lined up in financial services, education and health care.

We predict that much like Apple Pay and Google Pay have become widely adopted as a means for digital payments, the EU Digital Identity Wallet will become the model for digital identity that the rest of the world will seek to emulate. With the legal framework and policies in place for adoption on the continent, users will begin to feel more comfortable turning to a digital wallet to store and share credentials when needed.

Here in Australia, NSW has been a leader in this space through the Service NSW app and the integration of a digital driver’s licence alongside other identity documents. As we move to widespread wallet adoption for identity, we must also ensure we expand the landscape of digital trust.

Physical SIMs will be replaced by eSIM and iSIM technology

Many are familiar with the Subscriber Identity Module (SIM), the removable card ubiquitous to mobile phones for the past three decades. Newer to the scene is the embedded SIM (eSIM), introduced as an alternative to traditional SIM technology. An eSIM is still a physical card, but it’s attached permanently to a device. Updating data on an eSIM can be done with a remote SIM provisioning solution (RSP).

Next in this evolution is the Integrated SIM (iSIM), a much smaller and more secure option than the physical SIMs. iSIM embeds the SIM functionality into a secure area within a device’s system-on-a-chip (SOC) architecture. We predict the next generation of smartphones will remove traditional SIM hardware functionality and move to eSIM and iSIM as the root of trust.

DNS stature grows in importance

DNS will continue to grow in importance based on the growth of DevOps automation and Infrastructure as Code. As development teams continue to grow remotely and globally, the increased dependency on CI/CD has never been more important to keep up with productivity targets. With developers connecting to deployments and systems worldwide the ability to automate DNS changes has never been so important.

Infrastructure as code will continue its growth as being a best practice for organisations of all sizes. Large server environments will be deployed and automated to provide automation and predictability. DNS services with high uptime, fast speeds and fast DNS propagation will be an increasingly crucial toolset within modernised organisations. Well-defined APIs, SDKs and integrations will be vital to the success of productivity and reliability initiatives.

Criminals will exploit Zero Trust

As Zero Trust makes its way to become the standard security approach for IT systems, we predict adversaries will change their attack approach to be able to overcome Zero Trust frameworks.

Technologies such as Artificial Intelligence and Adversarial Machine Learning could potentially be deployed by skilled attackers to find weaknesses in a poorly deployed Zero Trust framework. It is critical to understand that simply deploying a new framework won’t be the end game. Constant evolution for security frameworks is a must since adversarial approaches will change as we design and deploy new barriers.

We have already experienced how adversaries can use AI and ML to neutralise off-the-shelf security solutions or deploy AI-based fuzzy attacks. Time will tell how a dynamic Zero Trust approach can protect us against increasingly well-armed adversaries.

The price of business is security vigilance

From Quantum to Code Signing, DNS tools to Digital Identity, the complexity of the cybersecurity landscape grows by the day. For every business with a digital footing, the requirement to invest in dynamic security solutions is increasingly an essential.

Since government action is also on the rise, requiring businesses to prove they are taking an active stance on protecting the information of customers, staff and supply chain partners, it is no longer excusable to hide from the reality of cybersecurity’s increasing threat to business. As transparency around security investment becomes a requirement for the future, it will quickly become a signpost for how trusted our organisations can be.

Image credit: iStock.com/royyimzy