Yes, ‘tis the season when cyber security experts gaze into the crystal ball to tell us what to expect in the coming year, which is fine, but it’s also good to look in the rearview mirror at a year that will be over next week, both for what happened and for what it all might mean and what we can learn from it.
With that as a goal, you could say (or sing) along with the late Frank Sinatra that “it was a very good year.” Not all good news, but plenty to learn. Even when it’s painful, it’s useful. So, in no particular order of significance, here are a few of the events or trends of the past year that varied from encouraging to disturbing to alarming but were all instructive.
The number of catastrophic cyber security events that have been labeled a “wake-up call” is at least in the dozens, maybe hundreds. They include the breach of the federal Office of Personnel Management, discovered in 2014, that compromised the personal and financial information of more than 22 million current and former federal employees; Stuxnet, which destroyed a significant portion of Iran’s nuclear facilities in 2010; Industroyer, which brought down a portion of the energy grid in Ukraine in 2016; the 2021 ransomware attack on Colonial Pipeline that led to the shutdown of nearly half the fuel supply to the East Coast for almost a week; and the discovery a year ago of the Log4Shell group of vulnerabilities in the Apache Software Foundation (ASF) open source logging library Log4j.
And pretty much every time, after the blizzard of headlines and panic fades, it’s as if everybody hit the figurative snooze button.
But that may be ending, according to Michael White, technical director and principal architect with the Synopsys Software Integrity Group, which would be very good news indeed for everybody except cyber criminals, who have grown prosperous thanks to lethargic security measures at too many organizations.
“I think the wake-up call is already here in the shape of rules and regulations,” he said. “Product security regulations, both in specific industry sectors like healthcare, automotive, and energy, as well as in jurisdictions—the UK and EU, with the U.S. coming—mean that you can’t hit the snooze button any longer.”
“Someone now needs to sign their name to attest that the organization has done everything that previously had been ‘recommended,’ and there are now clear consequences for not following the rulebook.”
There is more good news on other fronts, even though most of the headlines about cyber security would make you think the news in the industry is always bad, much the way carnage and crime always lead the evening news. And yes, there is plenty of bad news, as we will note.
But some of the best news of the year you were unlikely to have noticed, which is why we’re calling it to your attention. In fact, it’s good news specifically because it resulted in things you didn’t notice—some unknown number of disaster headlines that didn’t have to be written.
In a couple of major areas, software got safer in 2022. That means while bad things will still happen, they won’t happen as much.
One way is the increased use of the programming language Rust in the Linux kernel, the main component of the free and open source Linux operating system. The Linux OS, which has been around for more than 30 years, had previously been written mainly in C, a low-level language that makes it easier and faster to write code and handle high-performance demands, but that is also notorious for security bugs.
Rust delivers the performance pleasure without nearly as much pain. Travis Biehn, technical strategist with the Synopsys Software Integrity Group, said Rust “is suitable as a high-performance systems programming language, and it also provides safety. Its introduction to operating system components like the Linux kernel means developers can start writing new projects in a safe, modern language. It’s the first step toward better security in Linux kernels. Hopefully Linux isn’t the last project to pursue them.”
Something similar is happening on the browser front, with Mozilla’s Firefox. Web browsers have traditionally been written in low-level languages like C to yield high performance, but they suffered from the resulting plague of vulnerabilities.
“One really error-prone area of programming is writing parsers, video, and audio codecs,” Biehn said. “But Mozilla pioneered an approach with the community so that Firefox can wrap these routines in a special sandbox that prevents software bugs from compromising users’ machines. That’s a huge win, and a new way to use sandboxes to protect users.”
By now, ransomware qualifies as old news—according to security firm CrowdStrike, the first attack was 33 years ago. The victims had to send what now sounds like a piddling $189 to a post office box in Panama.
But ransomware keeps evolving and is now a global plague that sucks at least $20 billion from its victims annually, easily making it one of the top cyber security (or lack of cyber security) stories of every year for more than a decade.
According to Statista, there will likely be more than 472 million ransomware attacks by the end of the year. That’s about 15 every second. And, as was painfully demonstrated this past year, attackers can create chaos and crisis in critical infrastructure, from food to fuel, transportation, utilities, healthcare, education, and more.
Ironically, the best ways to minimize the risks of falling victim to ransomware are old news as well. There is unlikely ever to be a silver bullet, but the primary reasons those attacks succeed are a lack of security in software and systems, plus a lack of awareness about how to resist social engineering.
Rebecca Herold, CEO of Privacy & Security Brainiacs, said too many organizations, instead of building more secure software, using end-to-end encryption, creating more effective backup and recovery procedures, and teaching employees how to spot phishing attempts, decided “either to take the chance that they wouldn’t be targeted or purchased cyber liability insurance and assumed—usually incorrectly—that the insurance would cover all the costs of a ransomware attack.”
“Cyber criminals love this,” she said.
If you don’t know what SBOM, the acronym for software Bill of Materials, stands for, you are part of a vanishing minority. That is some of the best security news of the year. Yes, its profile got off the ground nationally in 2021 as a key component of President Joe Biden’s “Executive Order on Improving the Nation’s Cyber security,” but it gained some serious critical mass within the cyber security industry during the past year.
It’s good news because one of the realities of software security is that, as many experts have said, improving it means doing more fundamental things than transformational things. And an SBOM is, or ought to be, a fundamental. It’s an inventory of everything in the supply chain of a software product, including where a component came from, who made it, who is maintaining it (or not), and whether it contains any known vulnerabilities or licensing conflicts. In short, it helps organizations know what’s in the software they’re using, and whether it needs to be patched.
The less good news is that the road to making SBOMs mainstream could be bumpy. A few weeks ago the Information Technology Industry Council (ITIC), a lobbying organization with a membership that includes tech giants like Amazon, Apple, Microsoft, Intel, IBM, Cisco, Samsung, and Zoom, wrote to the federal Office of Management and Budget (OMB), urging it to “discourage” federal agencies from requiring an SBOM for software products they would buy because SBOMs aren’t yet “scalable and consumable.”
“We believe that SBOMs are not suitable contract requirements yet […] At this time, it is premature and of limited utility for software producers to provide an SBOM,” the ITIC wrote.
No public response yet from OMB, but the reality of the security cliché remains: You can’t protect what you don’t know you have.
Every year there is more software written—lots more. We were up to 2.8 trillion lines of code two years ago. And since it is written by imperfect humans, it is imperfect as well, which means every year there are more software vulnerabilities.
According to Statista, with a couple of weeks to go before the books close on 2022, there have been more than 22,500 of them added to the Common Vulnerabilities and Exposures (CVE) list—a new record.
But obviously, some are worse than others. And we limped into 2022 with one of the worst. The Log4Shell vulnerabilities (noted earlier) were actually discovered at the end of 2021, but they bled into 2022 and remain a major threat to organizations, many of which have failed to install updates, perhaps because they don’t even know that Log4j is buried somewhere in their software supply chain.
It was another warning that open source software, while it offers multiple advantages to developers and users alike, is no more or less secure than any other software. And since everybody everywhere is using open source, a good New Year’s resolution would be to keep track of it (with the help of an SBOM) and keep it up-to-date.
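To make concrete what an SBOM lets you do, here is an added example (not from the original post, and not a Synopsys or ASF tool) that reads a small constructed CycloneDX-style SBOM, flags a component that sits below an advisory’s fixed version, and flags a license that violates a policy. The SBOM contents, the advisory id and its “fixed in” version, and the license policy are all assumptions for illustration.

```python
import json
import re

# Constructed CycloneDX-style SBOM for a hypothetical Java service (not a real
# product); log4j-core is pulled in transitively, "buried" in the supply chain.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"group": "org.springframework", "name": "spring-web", "version": "5.3.20",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"group": "com.example", "name": "chart-widget", "version": "1.0.3",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
})

# Constructed advisory feed with a placeholder id and an illustrative "fixed in"
# version; a real check would take ranges from NVD/OSV rather than hard-code them.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-0001", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "fixed_in": "2.17.1"},
]
DENIED_LICENSES = {"GPL-3.0-only", "GPL-3.0-or-later"}  # hypothetical policy


def version_key(version):
    """Tuple for ordering: '2.14.1' -> (2, 14, 1); a non-numeric piece counts as 0."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def audit_sbom(sbom_text, advisories=ADVISORIES, denied=DENIED_LICENSES):
    """Return components below an advisory's fixed version and denied-license hits."""
    vulnerable, license_hits = [], []
    for c in json.loads(sbom_text)["components"]:
        for adv in advisories:
            same_pkg = (c.get("group"), c["name"]) == (adv["group"], adv["name"])
            if same_pkg and version_key(c["version"]) < version_key(adv["fixed_in"]):
                vulnerable.append((c["name"], c["version"], adv["id"]))
        ids = {lic.get("license", {}).get("id") for lic in c.get("licenses", [])}
        if ids & denied:
            license_hits.append((c["name"], sorted(ids & denied)))
    return {"vulnerable": vulnerable, "license_conflicts": license_hits}
```

Run `audit_sbom(SAMPLE_SBOM)` and the logging library shows up as a patch target even though nobody chose it directly; that is the “you can’t protect what you don’t know you have” point in practice.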
The Internet of Things (IoT), with a global “population” of about 13.1 billion devices—closing in on double the world’s human population of 7.8 billion—is increasingly labeled the Internet of Everything.
And because both vendors and buyers of those things still care more about features than security, it’s been the biggest attack surface in the world for years.
But a more ominous IoT trend has gained traction in the past year. The risk is not just that hackers can compromise your “smart” device to steal your money or your identity.
Herold noted that IoT products are increasingly being used by criminals to “track and hunt down targeted victims.” According to Vice, eight police departments in the U.S. reported 50 cases of women saying they had received notifications that they were being tracked by a device they didn’t own.
Two women filed a class action lawsuit earlier this month against Apple alleging negligence after their ex-partner or husband used AirTags to track their movements and locations. The complaint alleges that AirTags, which have been promoted as a way to track items like luggage, “are one of the most dangerous and frightening technologies employed by stalkers.”
And Congress responded to the threat with a bill titled the “Tech Safety for Victims of Domestic Violence, Dating Violence, Sexual Assault and Stalking Act.” Its sponsors, Sen. Ron Wyden, D-Ore., and U.S. Reps. Anna G. Eshoo, D-Calif., and Debbie Lesko, R-Arizona, say it “would provid[e] new grant funding to clinics and other partnerships focused on addressing domestic violence and technology-enabled abuse.”
“It’s not just Apple—all other types of GPS trackers could also be used for such purposes,” Herold said. “There have been more and more of these types of situations reported throughout 2022, and [these devices] will increasingly be used for malicious purposes while they lack cyber security controls and privacy protections.”
A lot of headlines at the end of the year about the tech economy were about layoffs. Crunchbase reported 90,000 jobs cut by more than 370 companies going into mid-December, with names as big as Netflix, Adobe, Facebook parent Meta, Cisco, Amazon, and Salesforce on the list.
But for the most part, layoffs didn’t hit the cyber security sector, which has the opposite problem—an ongoing skills gap.
It was bad last year. Most experts predicted it would get worse this year. It did. It will likely be worse next year. According to the (ISC)2 2022 Cyber security Workforce Study, the gap increased 26.2% from 2021, to 3.4 million.
While the study found some encouraging trends—a large majority (72%) of organizations expect to increase their cyber security staffing during the coming year—the shortage is expected to continue, and not just because of a lack of skilled applicants.
Until it gets better, organizations could start filling the gap with one of the mantras of security experts: Security is everybody’s responsibility.