As 2023 draws to a close, it’s time once again to look back on the past year’s security developments and make some bold predictions about the future of technology, identity and digital trust.
Artificial intelligence (AI) was all over the news in 2023, and 81% of participants in a recent survey expressed concerns about the security risks associated with ChatGPT and generative AI. So it’s no surprise that AI is driving security trends for the year ahead, teaming up with quantum computing as the two hot-button issues most poised to transform cybersecurity strategies.
What other trends are impacting the outlook for 2024? Our team of cybersecurity experts, including Avesta Hojjati, Dean Coclin, Lorie Groth, Brian Trzupek and Tim Hollebeek weighs in on what’s in store.
A recent Ponemon Institute survey revealed that, while the risk of “harvest now, decrypt later” cyberattacks worries most IT leaders, many business executives are still unaware of quantum computing’s implications. The survey also revealed that the majority of organizations lack clarity in ownership, budget and strategy for post-quantum cryptography (PQC) preparation. Fostering proactive, effective communication is key.
In 2024, PQC education and planning activities will accelerate investments in this area. We predict companies will move aggressively to start enforcing policies around PQC. NIST is expected to release its final standards in February, which will push organizations to take steps to consider, document and specify their quantum strategy and crypto-agility approach. One of the most vital steps will be a move to a certificate management platform and discovery.
The eIDAS regulation has long played a key role in the governance of electronic identification and trust services for the EU. A new piece of legislation places a stronger emphasis on Qualified Website Authentication Certificates (QWACs), requiring browsers to display the information in these certificates prominently and intuitively.
We predict that browsers will begin rolling out special displays for QWACs, as required by law. This will be a game-changer, because as merchants, governments and financial institutions realize the value of having their identities displayed, they’ll advise that customers only do business with entities displaying QWACs.
These EU developments will impact global trends. Verified identity will become the foundation of the trust we place in the source and authenticity of content. Companies will begin exploring ways to establish digital identity one time, without the need for additional proof checks.
We expect the United States’ coming election season to put the issue of content authenticity front and center.
Last year, in the wake of high-profile software supply chain attacks, we predicted that software bills of materials (SBOMs) would be widely adopted in 2023 because of the information and visibility they provide. In the coming year, we believe the software supply chain (SSC) will continue to become more robust, with inspections at various points of delivery. The composition of embedded software will grow more transparent as SBOMs become more widely used.
On the hardware side of the supply chain, we predict that more malware will be embedded within hardware components manufactured in certain regions. Placing malware inside devices like digital cameras, modems and laptop microcontrollers is an easy way for bad actors to compromise the entire supply chain. Manufacturers will begin to demand that suppliers utilize a trust-by-birth and security-by-design approach to chipsets and other components to assure day-zero security.
As the world grows increasingly mobile and dynamic, device security is becoming more important than ever. With individual identity now frequently tied to smartphones and other devices, the root of identity must be specialized per device and per individual—all protected under the umbrella of trust.
We predict that more and more devices will be secured with identity and operational checks to confirm authenticity, enabling individuals to interact with devices that support everyday activity with the confidence that the devices are tamper-resistant and their information is secure. Increased levels of IoT trust will also open up more opportunities for particularly sensitive use cases, such as electric vehicle chargers and medical devices.
In 2023, we heard a lot about utilizing AI for defensive solutions like intrusion detection and prevention systems. But in 2024, the tables will turn, with AI being used far more often for attack surfaces. Attackers will begin using AI capabilities to harvest the landscape, learning about an individual or enterprise to later generate AI-based attacks. With today’s technology, a bad actor could pick up a phone, pull basic data from LinkedIn and other online sources to mimic a manager’s voice, and perform malicious activities like an organizational password reset.
The ability to render sites on the fly based on search can be used for legitimate or harmful activities. As AI and generative AI searches continue to mature, websites will grow more susceptible to being taken over by force. Once this technology becomes widespread, organizations could lose control of the information on their websites, but a fake page’s malicious content will look authentic thanks to AI’s ability to write, build and render a page as fast as a search result can be delivered.
Just as they’re doing with PQC, leaders will need to create a strategy to combat AI threats and assure trust for public-facing websites and other key assets.
According to our 2022 State of Digital Trust report, 99% of businesses believe that losing customers’ trust will mean losing their business. More organizations are considering the role that trust plays in digital transformation and are looking to modernize their security protocols to extend beyond traditional network boundaries and include personal identities. This will become a foundational element of business resiliency and customer retention. But that direction will need to come from the top, requiring Chief Digital Trust Officers (DTOs) to have a seat at the executive table.
A DTO is responsible for ensuring that an organization's partners and customers can trust the organization's digital assets and capabilities. Their work is focused on keeping an organization's digital presence secure and reliable and ensuring that trust is built into all digital interactions. Having a DTO leader not only brings a more strategic approach to security and compliance but conveys a message of confidence and assurance in the safety and security of the digital infrastructure within the company.
Verified Mark Certificates (VMCs) have existed for years. The email equivalent of a checkmark on social media, they provide added validation and security requirements to help companies protect customers and their brand against phishing and spoofing attacks. In 2024, a new type of certificate will be introduced that will put these verification capabilities within reach for smaller organizations. Instead of the trademark required by VMCs, mark certificates will simply require proof that the owner has been using their logo or mark.
This more accessible approach opens up the market to organizations like small and medium businesses and nonprofits that don't have trademarks. They'll now be able to have their logo displayed in mail clients appropriately, which will help customers recognize the emails they receive are coming from a legitimate entity. This massive step forward will continue to drive broad acceptance of authenticatable email experiences for both businesses and consumers.
“Never trust, always verify” architectures will become pervasive through information technology, product security and consumer ecosystems, replacing networks and VPNs that formerly provided implicit trust to their users. The use of certificate-mediated authentication to deliver identity, integrity and encryption to application and data interactions will continue to grow.