The year 2022 contained a bit less upheaval and fewer unfortunate surprises than the few before it — mercifully. But in the cybersecurity realm, it certainly wasn’t drama-free. Threat actors continued to develop sophisticated and effective attack strategies, the world continued to struggle with the pandemic, and conflict erupted in Ukraine.
In this episode, we’ll use 2022 as a lens to foretell what this year may have in store for us. Joining me is Dan Lohrmann, a well-known voice in cybersecurity whose resume boasts an impressive list of positions in cyber leadership in both the public and private sector, in addition to the authorship of three books on cybersecurity.
Dan publishes an annual review of top cyber organization predictions (check out Part One and Part Two). Think of them like a content analysis of over two dozen industry-leading reports. Among those surveyed is the 2022 IBM Security X-Force Threat Intelligence Index and our annual predictions blog that was published recently. And of course, I’d miss the chance to humble-brag if I didn’t share the fact that we released our 2023 Threat Intelligence Index just this week.
Given the hours he’s devoted to analyzing the market predictions, Dan’s view is both broad and deep. We’re going to utilize his expertise to focus on a few hot topics for 2023:
- Ransomware: How it will evolve, and who may be targeted
- Social engineering: How increased sophistication (including attempts to bypass MFA) may impact business
- Cyber insurance: Will it become more difficult to get in 2023?
- The Ukraine war: What fallout we might expect this year
- Crypto and social media: Given the tumult in 2022, what we might see changing both on a market and a policy front
Join us, and together we’ll venture Into the Breach.
Listen to the episode: Cybersecurity Predictions for 2023
Mitch: Everyone wants to know the future. Knowing what may come gives us a sense that we have the ability to plan, to make decisions and possibly even avoid negative outcomes. But if we’re trying to figure out what might occur, we need to take into account what has already occurred. And if we’re getting potential future insight from a professional, we need to know that they’re informed and able to guide us with at least some amount of wisdom. Joining me today is Dan Lohrmann. When it comes to cyber, Dan definitely has some wisdom. He’s a well-known voice in cybersecurity and his resume boasts an impressive list of positions in leadership in both the public and private sector. Additionally, he’s the author of three books on cybersecurity. But Dan does something really interesting every year. He publishes an annual review of top cyber organization predictions. Think of this like a content analysis of over two dozen industry-leading reports. Given the hours he’s devoted to analyzing these market predictions, Dan’s view is both broad and deep. We’re going to utilize his expertise today and focus on a few hot topics for 2023: ransomware, social media, crypto, and the war in Ukraine. So let’s find out what Dan thinks our future might hold. Join me as we venture Into the Breach. So Dan, I want to welcome you to Into the Breach, and I’ve been a fan of yours from the sidelines for a while, so I’m going to give you an opportunity here to tell us about yourself.
Dan: Well, thank you. I appreciate the opportunity to be on the show. So I work for Presidio, and I am the field CISO, field chief information security officer, focusing on public sector mainly, but I think we’re going to talk about this a little bit, do some work with the private sector as well. A speaker, blogger, writer on cybersecurity. Over 30 years in the security industry, started at the National Security Agency. I was in England with Lockheed and ManTech in the ’90s, and then I was 17 years in Michigan government. So in Michigan, a lot of different roles. I was CISO, first CISO in Michigan, first CISO for 50 state governments, started back in ’02, but then I was a CTO for Michigan. And then we brought physical and cybersecurity together. So I was CSO over physical and cybersecurity in Michigan. And then I went on to work for Security Mentor. I’ve written three books and my most recent one is called Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing, and Recovering from Inevitable Business Disruptions. And we talk about ransomware stories, what happens, the good, the bad, the ugly, behind the scenes from the eyes of a CFO, CSO, CEO, what happens, and also some government leaders as well. But yeah, I’m just passionate about cybersecurity and just real excited about today’s show.
Mitch: Well, thanks. We should have aired this before Christmas because those books actually make excellent Christmas presents. Hint, hint, folks. All right. So Dan, you write this article annually, and I alluded in the landing page article for this episode that this is like a content analysis, if you will, of industry leaders’ and other folks’ predictions in the industry. How did you come to create this synthesis? It looks like you put a lot of hours into it.
Dan: Yeah, thanks for asking. I started doing this in about 2014. I originally was involved with predictions in cybersecurity, going back even earlier than that. So 2008, 2009 saw that a lot of people at the end of the year were putting together these reports. And it’s almost like now become, if you are involved in almost any aspect of cybersecurity, people feel obligated to give their predictions about what’s going to happen in the coming year. But I also noticed as I was participating, giving my predictions, that not all the prediction reports were created equal, almost like… We think about Gartner and Forrester and different reports and the research that goes into them. And some companies were coming out with these really great reports that had a lot of references and research and data, like IBM does, but lots of other companies, Trend Micro, and Mandiant, and FireEye, all these companies have changed and bought Symantec over the years, McAfee, just different companies, and they’ve put a lot of work into these reports. In some cases they would be 40, 50, 60 pages. Some of them, over the years I’ve even seen over 100 page reports that almost resembled white papers and really great research that was being done. So what I started to do was just really think through, not just the predictions themselves. Anybody can come up with a one-line prediction, is it going to snow tomorrow or not? But how much work goes into that? How much detail goes into that? And I noticed that some companies were just consistently putting out outstanding reports. So it’s not just the prediction itself, but the research that went into that. Some companies call it a forecast, some call them trends, some call them different things, but they’re all very well done. And so just really trying to categorize those.
And then over the years I started giving awards for what I thought were the best, most well done, and not just because I can’t predict the future any better than anybody else can, but I certainly can look at the research and the depth and the breadth of the work that’s gone into these reports. And some of them are just really well done.
Mitch: Well, you’re giving me a little bit of grad school PTSD, the content analysis.
Mitch: No, no, no. It’s all good. It’s all good. Nerd alert, I actually liked doing stuff like that. So that’s why I was attracted to you because it’s like this is a lot of quality work. Your article Lohrmann on Security, it appears on GovTech, the GovTech site, but I’ve been stalking you for a little bit. Okay. And really your article seems to have a hefty amount of play into the private sector even though that site is more geared towards public. Am I getting that right?
Dan: Yeah. It’s Lohrmann on Cybersecurity. Just make sure that’s clear to everybody. So I mainly write for public sector, but you’re right, my day job with Presidio is really 80% public sector, 20% private sector. The thing that’s interesting about that is that even when working with government, we’re working with lots of partners like IBM, and lots of AWS, and CrowdStrike and go through the whole list. So even as we’re providing solutions and really talking through challenges with government clients, so 80% of my work and client is our government. So mainly state and local governments that do some work in the Fed, but mainly focus on state and local governments. But I still work with lots of vendors in order to deliver that to make sure that we bring the best solutions to our partners in government.
Mitch: Yeah. I actually appreciate the spirit that brings to the table as well since it takes a village and none of us can do it on our own nor should we. So the fact that we share information across the sectors is actually a really good thing. So let’s dive in to the predictions themselves. What did we get right in 2022?
Dan: Yeah. I mean, we got a lot, actually. We felt there’s a lot of people that believe that ransomware was going to continue to be a real threat and actually grow and expand, and it did. Interestingly enough in almost every one of these areas, you may hear me repeat this a few times. There’s always contrarians in almost any topic because there were a few people, not very many, a few people last year that thought ransomware was going to diminish and all of a sudden was going to be magically gone from the scene. But that was really a minority opinion. Most people thought it was going to grow and become even worse. It continued to be scary, and it was. So I think challenges around ransomware as a service, and we’ll dive into ransomware in a few minutes, but a lot of the trends that people saw around the proliferation of the number of attacks, the sophistication of the attacks, those things are all truly what happened in 2022. So we saw a lot of that, and we saw a lot of the challenges that are listed around threats in space. There certainly were some of those as more of that predicted for the coming year, but a lot of vulnerabilities around Log4j vulnerabilities, but other types of issues related to different types of malware threats continuing to grow. And then a renewed emphasis on IoT types of attacks too. So internet of things, meaning whether that be autonomous vehicles, drones, other things that were not your traditional computer and hospitals getting hit, equipment in hospitals certainly hot, had a big year of attacks against hospitals.
Mitch: Well, that’s good to know that we got some stuff right in 2022. So let’s talk about 2023, and we’ll pick on everybody’s favorite topic to kick things off, and that is, the one you already mentioned, ransomware. So we do have a lot of folks predicting that ransomware attacks are going to spike again in 2023 with the potential exception of larger organizations in regions that have already been heavily impacted. So in fact here at X-Force, we’ve seen that these are the same organizations that have invested the resources to help better defend themselves, but other cyber leaders are predicting that the ransomware ecosystem is going to continue to evolve and grow with smaller, more agile groups that are more well-equipped to evade law enforcement, meaning we don’t expect it to drop off the radar. What did your research tell you that we might see for ransomware in 2023?
Dan: Yeah. So as I mentioned earlier, you’re going to probably hear this in many of the areas, there’s differences of opinion on some of this. But one of the big trends I saw across a lot of companies was a belief that ransomware as a service would diminish in a sense of this ransom was being used by a wide variety of bad actors across multiple continents and different industries and things. It was putting a big target on the back of those criminals, if you will, those companies, whatever you want to call them, criminal enterprises. And so the trend being that it’s going to become more focused, more targeted ransomware, not the expansive target-on-your-back ransomware as a service, which would diminish. Now others are saying ransomware as a service will continue and modernize the software and exfiltration leak sites, and that they’re really going to go after brand names, which are going to be a big target. And in many cases, the brand damage is actually a bigger deal to a lot of Fortune 500 companies or Fortune 2,000 companies than actually paying their ransom or regaining access to the encrypted files, so that they’re going to refocus how they do what they do. Several people, several companies mentioned that they thought that ransomware attacks would be less by nation states and organized groups, but more by bragging rights than actual financial gain. And so again, we’ll see if that develops or not. There would be a lot of different actors, not just nation states or organized groups, but just people trying to use ransomware to make a name for themselves or to have bragging rights. Extortion attacks would be continuing to grow. Some people think that it’s going to shift, that Europe could actually be a bigger target in the coming year than the United States. And that was, I think, Mandiant said that and a few others. A couple other things different people are saying about ransomware, but I like this one. This is Trend Micro.
“When compelled, ransomware actors will adapt and adopt other criminal business models, online or offline, that monetize initial access, such as short and distort schemes or other forms of stock fraud, business email compromise, and cryptocurrency theft, or others like that.” So again, once you’re in the system, going sideways and using that information to maybe, not just do what we think of as historical ransomware, but the trend we’ve seen in the last few years, but go into some of these other models, business models, criminal business models for things like business email compromise.
Mitch: Yeah. I find it interesting the way these folks behave. It’s seriously pages out of legitimate business, and I think in the legit world, we call that business development, right?
Mitch: And I agree with you that, I mean, we’re seeing a little bit of conflicting detail on how ransomware might continue, but the message is pretty much the same and it’s not going to go anywhere, folks. So brace yourself for 2023. Topic number two, among my favorites, social engineering. Now Trend Micro among others had some pretty foreboding predictions for social engineering in 2023, including the notion that threat actors are going to continue to adapt to new technologies. And two, that they’re also going to target a population that makes financial purchases and investments online. And number three, which I raised an eyebrow at, it was an interesting point that romance schemes are going to be targeted at specific individuals in 2023. So look out, Cupid. Couple of questions for you. First, what is your take on what we might see on the social engineering front, and two, what do you think will be the role of deep fakes? Another interesting topic for me. And number three, what’s your counsel to those folks, and you guys know you’re out there, who might think that they’re less vulnerable because they have implemented MFA?
Dan: Yeah. Three great questions. I’ll take them one at a time and go through. But I think social engineering, almost every single report said it’s going to continue and expand and even be… And we’ve seen it for really decades and obviously as people use social engineering, different types of social media, but different types of social engineering attacks, really through the years it’s continued to grow. And I worked for a security awareness training company in my previous role before Presidio and it was all, we used to say 90% of attacks are around people. It’s people, process and technology, but it’s all about the people. So absolutely, I think it’s going to continue to expand, and you’re going to see different twists on that. A lot of different examples that were given in the reports, and these are Dan Lohrmann’s, these are from all these different companies, but talking about classic honey traps, people trying to do, like you said, romance schemes is one of the ones Trend Micro mentioned, but any kind of way, fake jobs, fake resumes or trying to get your resume, fake jobs that are out there trying to get you to submit your information. There’s lots of stories of companies that are fraudulent companies or fraudulent recruiters trying to pretend to be working for a company, get you to send them your information, maybe your social security number, send them your data, they can then use that for identity theft. Certainly, deep fakes will be part of that. Almost every report said targeted deep fakes, we’ve seen this for a couple years now, hasn’t been number one on a lot of lists, but it is number one on a lot of lists this year, and so that it’s going to be more and more sophisticated. It’s going to really be hard to know. Are you really dealing with who you think you’re dealing with? Make sure you double check your references, your resources, your contacts.
Don’t just assume that the person… I mean, we know that we’re in the cyber business, but I mean the reality is so many people are fooled and the bad actors are getting even better at what they do and deepfakes are going to let them do that. And then counsel on MFA. Again, a number of reports, and I highly encourage you to go look at these detailed reports on this, say that MFA, because it’s being so widely adopted now, will in fact become a big target in 2023 and will be more and more compromised, and using your traditional phone text approach versus using an app for multifactor authentication is seen to be more vulnerable of course in many ways. We could dive into those details. But the reality is that man-in-the-middle attacks, attacks against MFA, are going to become more common and the criminals are going to use those to gain access into more enterprises.
Mitch: Yeah. I think you’re right on the MFA side, in fact, we’re already starting to see some of that. And spoiler alert, we do have an episode coming up that features a social engineering hacker who’s going to share her secrets on how she does what she does. So stay tuned for that, folks. But I want to comment back on this romance schemes one. I mean, it’s like, dang, Dan, I mean, dating is so hard as it is, and now we have to look out for actual fakers on our romance. So again, look out Cupid, guard yourself folks. Topic number three, cyber insurance. Now with more attacks taking place, insurers have been paying out a lot more on cyber insurance and are not making the same profits that they used to. There are a lot of statistics out there about how much money they’re not making, but the result is the same. Insurance premiums have been climbing sharply and policies are harder than ever to obtain. It sounds like that process is expected to become even more challenging yet. What does the industry expect to see from insurance providers in ’23?
Dan: Yeah. And I think it’s going to be a continuation of the trend we saw in ’22. So this is another one where there’s definitely a divergence of opinions, but by and large, everyone’s saying, and again, some people, the listeners will think this is just obvious because we’ve seen a huge increase in premiums and a huge reduction in the amount of coverage. And that trend would be continuing and even growing worse. I just did another piece on this at the beginning of the year after the predictions came out when Mario Greco, who’s the chief executive at Zurich Insurance, came out in a big Financial Times article at the end of the year after Christmas, and between Christmas and New Year’s, I believe, with the Financial Times in London and said basically cyber attacks are set to become uninsurable. And this set off alarm bells across the industry, across the world, really. Tons and tons of LinkedIn comments on this.
Mitch: I read that. I read that. Yes.
Dan: I mean, it’s getting a ton of attention, but anyway there’s a lot of these reports that were talking about this that came out in November, December. So this actually was one that actually came true almost before the New Year started even. But a lot of people suggesting that insurance is going to be harder to get, it’s going to be more complicated. A lot of comments around that, a lot of the reports said this and also people who commented on this Zurich story said that that’s not true, that it’s still going to be available. Some people may drop out of the market, but others will come back in. But clearly it’s going to be more due diligence, it’s going to be harder, get ready for longer forms, if you can get insurance at all, there will be, and I’ve seen this certainly in the public sector, lots and lots of governments that have dropped out and said, “We’re going to self-insure because we just can’t afford it, or we can’t even get it, or we can’t do all the things that are being required of us in order to get the insurance.” Of course, that should set off red flags with those companies because if you’re not doing certain basic things like patching your systems or having a security awareness training program and things like that, that’s a big problem as well for your enterprise. But yeah, there’s a lot of articles that are saying that cyber insurance is going to be harder to get, basically more money for less coverage.
Mitch: Well, insurance is never fun to begin with. Sorry to pick on you folks in the insurance industry, but we all know it’s true. And yeah, I agree with you. I think it’s going to become even more problematic in 2023 on the cyber front. So topic number four, the Ukraine war. One of the big misses last year by pretty much everyone out there was how the Russia-Ukraine conflict would accelerate cyber warfare and have this substantial global impact. Well, in 2022 at least, we didn’t see much of that come to fruition. The conflict definitely dominated both the news cycle and industry talk, but the impact was much less than predicted. Why do you think that was? And do you think it’s going to change in 2023?
Dan: Yeah. And I think there are different opinions out there. Again on this, I’ve seen a number of reports talking about this. CISA’s got a great website you can go to called Shields Up. There’s a lot of people who come right out and say that we’ve done a good job of defending, that our defenses were better, then maybe that’s good news. The industry’s done better. That’s one theory. I’m going to give you four different ones out there and it could be a combination of all the above. There’s a lot of work that has been done both from individual enterprises, governments, groups like NSA and DOD, Department of Defense, to protect people. Along those same lines, there’s those who believe that it’s fear of retribution, that the worst attacks from nation states like Russia maybe did not happen because they knew that if they did escalate to that level that it could draw in NATO, it could cross that line of bringing in other nations into the war. And where that line is, I think it’s a gray line, it’d be a great session just to talk about that, but cyber war and when do the attacks online start to kill people, or you bring down the grid or something like that happens? Does that bring NATO into the war in a more direct way? So that’s another school of thought. Another one is that in fact it’s poor offense and that the tools from Russia and maybe others are not as good as people thought. Again, there are differences of opinion on this and there are different examples we give in the article. And then the fourth one, again, it could be a combination of these, but in fact the attacks are happening and we’re just not seeing them very much. And of course, some nations have been hit.
We have some examples of big attacks that happened last year that really brought down systems in countries and brought down whole, not so much the United States or large countries in the G8, but there were a number of attacks that really brought down governments around the world as far as systems and capabilities and their economy and things. And so perhaps other, more things are going on. We talked earlier, I mean, I come from the intelligence community way back when I started my career at the National Security Agency. We had the old cliche, you don’t know what you don’t know. So is there stuff happening behind the scenes that we’re going to be hearing about in the coming year that’s going to get worse? So those are just four different theories on that one simple question. I do think that most people think that Ukraine was the big miss last year, and it will continue to dominate and influence cybersecurity throughout 2023.
Mitch: I find it interesting to note that while we didn’t see a lot of head-to-head conflict between nation states, what there was, was a real rise in hacktivism. And people actually hacking on behalf of both sides of the conflict. And I do think that’s probably something that we’re going to continue to see in 2023. Another topic we could do a freaking whole episode on, hacktivism.
Dan: I totally agree. And by the way, just so you know, back in 2016, there was a lot of predictions around, I made some predictions and others made predictions about hacktivism. So again, one of the things I want to point out to all the listeners is that sometimes they don’t get the year right, but they get the trend right. I mean, there’s a lot… This is common, artificial intelligence and autonomous vehicles and everything else and what’s going to happen with cyber. And so sometimes there’s a trend, but it may or may not happen in the year that we think it’s going to happen in it.
Mitch: Yeah. See, you’re giving me so many spoiler alerts, Danny, because there’s another episode coming out on quantum computing. So brace yourself, folks. All right. So this is a trick question for you because I’ve lumped two things in here at once, cryptocurrency and social media. Let’s talk about crypto first. 2022, hot mess for the crypto market in a multitude of ways. It was plagued by macroeconomic pressures, there were scandals, meltdowns, fortunes were wiped out overnight. As the year closed, there was a lot of confusion about the industry, especially after FTX. We saw further impact very recently with Coinbase laying off almost 1,000 workers just this month. What changes do you think we will see in crypto in 2023, and given the fall of FTX, do you think we’re going to see a renewed push to regulate?
Dan: I absolutely do believe that, and that’s a prediction regulation, more regulation around crypto and around different aspects of that, how you can invest, all different types of predictions around crypto were very popular in this prediction report from a lot of different sources in companies. That’s supposed your exchanges basically the way that what needs to be made public, what’s in the United States, what’s offshore, what’s around the world, how we work together with the European Union around crypto. There’s a lot of predictions around that, and I certainly do believe, and I personally believe that I also see that as a big trend in the report that more regulation is coming in pretty much all aspects of crypto if it’s going to try and prevent another FTX from happening. In addition to that, build more confidence into the crypto markets so people know exactly what can and can’t be done by those that are holding their Bitcoin or their other cryptocurrencies.
Mitch: Well, somewhere else that has seen a lot of upheaval is social media, and no names mentioned, Twitter, you know who you are. Well, there was a lot of drama over the year as Musk bid for and then retracted and then bid for again the acquisition throughout the year. But I think the real news emerged as he embarked in his role as the leader, and he slashed staff and reportedly left the company cyber vulnerable. Then there was the news of the notion of free speech and reinstatement of many formerly banned accounts who had been shelved for, well, a variety of reasons, including the proliferation of disinformation. And then just recently there was yet another thing, the leak of 200 and some odd million users’ information that was reported, which was refuted by Twitter. But again, we don’t know the story here yet. That may be setting the stage for more government oversight of the platform and social media in general. What do you think 2023 holds for our social media feeds? And same question as crypto. Are we going to see a larger push to regulate disinformation?
Dan: I mean, this is going to sound maybe contrarian on this point. I see with the Republicans in the US at least, United States, I do think with a Republican Congress, House of Representatives, they’re feeling like social media companies were using it for political purposes and were hiding things. So I actually think you’re going to see more free speech in social media. Will there be some attempts? Absolutely. I think you’re going to see that. But the regulating disinformation, I think, is… There’s obviously two schools of thought on that. I mean, one is that, and again, I’m not trying to take sides here. I’m telling you what I see and what I think is talked about in a lot of these reports, that they see the challenge is one person’s disinformation is someone else’s… It’s stirred on the other side of the other political party and that kind of thing. So how do you regulate that? Certainly, there has to come some set of standards that can be agreed upon, hopefully, by both sides. I wouldn’t hold your breath in 2023 that that’s going to happen from a legislative perspective when you’ve got a lot of Republicans and Democrats who disagree on what is what on this. So I guess, personally, I’m a little less optimistic that we’re going to have more regulation around disinformation and social media than I am that we’re going to have regulation around crypto. I think crypto, you are going to see regulation and it’s going to happen.
Mitch: Yeah. Actually, I tend to agree with you on both of those points. I think politics is going to play a big role in what we see for social media and definitely on the crypto side. We’ve made such a mess. The regulators are definitely going to step in. So Dan, switch gears here. We’ve talked a lot about some bad things that are going to happen for 2023. Give me two good things or three good things that are going to happen in ’23. What do you think?
Dan: Yeah. I think the good news that I think I’m seeing, and again, a lot of predictions around this, we haven’t talked about cyber talent, we haven’t talked about… There’s always a trend every year in all these prediction reports that we need to have more… That we don’t have enough people in cybersecurity. So more women in cybersecurity, more diversity in cybersecurity, and the downturn or this we’ve all seen recently, layoffs. We’ll see whether we have a recession or not. I’m not making a prediction on that, but clearly there have been some layoffs that actually can help bring people into cybersecurity careers and especially in the public sector. I mean, I know when the stock markets go down, I was many years in government cybersecurity as a CISO in Michigan when there was a big downturn in ’08 when we had the stock market drop, and so shares weren’t worth as much and things. We actually brought a lot of good people into the public sector to actually help. So I think those are some good things that could come out of even a downturn in the economy and/or as we head into 2023, getting more talent from women, more diversity in other areas, and then also maybe more opportunity to fill some of those vacancies.
Mitch: Well, I like the optimism and I agree on the silver lining in economic downturn. Man, it’s like you’ve seen my episode list because I do have an episode coming up on the talent shortfall and specifically when we’re looking at the LGBTQ population and how they might fit into the cyber community and how they’re doing so now. Dan, I really appreciate your time today. This is fascinating. And for those of you who are listening, make sure you go onto the article and take a look at the URLs that link back to Dan’s reports. They are a little bit long, but I promise you they are fascinating reads. A special thanks to our guest, Dan Lohrmann, for his time and insight for this episode. If you want to hear more stories like this, make sure to subscribe to Into the Breach on Apple Podcasts, Google Podcasts, and Spotify. You’ve been listening to Into the Breach, an IBM production. This episode was produced by Zach Ortega, and our music was composed by Jordain Wallace. Thanks for venturing Into the Breach.