Artificial intelligence, quantum computing, deep fakes and – unfortunately – ransomware are the future cybersecurity threats according to a panel of experts at IT World Canada’s second online MapleSec conference.
The predictions were made during Tuesday’s opening session entitled, “The Threatscape 2023 and Beyond.”
“AI-generated malware will be one of the emerging threats in the near future,” said Hadis Karimpour, associate professor and chair in secure and reliable networked engineering systems at the University of Calgary.
Unlike conventional malware, she said, AI-generated threats will use intelligence to infect computers or deploy malicious applications faster than happens now.
As organizations deploy AI applications, infosec pros will face more of these threats, she added.
Quantum computing and the transition to post-quantum cryptography will be the biggest challenge organizations will have to face in the next five years, said Jennifer Fernick, New York City-based senior vice president and global head of research at NCC Group.
Cryptography is fundamental to the security and privacy of everything we do online, she pointed out. But quantum computing will crack current algorithms. Fortunately, she added, researchers are now creating and testing quantum-resistant algorithms that can run on conventional computers.
Initially, quantum computers will be available to a select few, she said, but will spread more widely once quantum-safe cryptography is established.
For her part Cara Wolf, CEO of Calgary-based Ammolite Analytx, said having a CISO or CSO in the C-suite is an emerging priority at many organizations – and not just large firms.
As cyber threats get more sophisticated and the number of ransomware attacks increase cybersecurity must have its own corporate entity with enough governance and authority to make a difference in decisions made by business units, she said.
On ransomware, Karimpour said it’s a failure of both awareness training and credentials management. Online training is not enough, she added. Organizations need to develop an effective training program to make sure employees are engaged and aware of the threat of ransomware.
Wolf said statistics she sees on successful ransomware attacks “are quite alarming:” Sixty per cent of small businesses that are hit go under, she said. Meanwhile some firms can’t get cyber insurance because they have been victimized.
Prevention, she added, is key to blunting ransomware attacks.
Looking into the future, Fernick said ransomware doesn’t need to evolve much further to keep doing tremendous damage. Ransomware attacks happen most commonly on networks with unpatched vulnerabilities, she added, However, she also noted that organizations aren’t installing patches fast enough.
“Until we as an industry can radically improve vulnerability triage and remediation I think ransomware actors will continue to ‘count their bitcoins,’” she said.
In the short term, government sanctions against ransomware payment operators like cryptocurrency exchanges will have more of an effect on checking the spread of ransomware than anything else, she said.
The trio agreed that so-called deep fake content – the manipulation of video, audio or other digital material designed to impersonate people – will rise.
Fernick warned that AI-based deep fake detection models could spawn content that will be undetectable in a never-ending cycle: Deep fakes get better, detection gets better, and it never ends.
Awareness training is key, responded Wolf. Employees have to be taught to look for things that are suspicious, such as a message from the CEO late on a Friday asking that millions of dollars be transferred to a foreign account.
The session wrapped up with the trio being asked to predict what cyber mistake people will still make five years from now:
–Clicking on phishing links from unverified sources, said Karimpour.
–Application developers still treating security as something to be done at the end of product development, said Fernick.
–Gullibility of humans, said Wolf.
“I think we’re going to see the trusting nature of people diminish,” she added, “which is unfortunate because you need trust to do business with others.”
MapleSec continues Wednesday and Thursday starting at noon Eastern time. The theme of Wednesday’s sessions is Building Resilience, while Thursday’s sessions are around Privacy and Governance.