2023 was an explosive year for cybersecurity. Talk of post-quantum cryptography heated up, with several algorithms now under consideration for standardization by NIST. IoT device usage – and with it, machine identities – continued to explode, creating a plethora of security challenges. AI became more widely available than ever before thanks to generative AI solutions, many organizations found themselves facing a security talent gap, and the list goes on.
2024 will be no different. In fact, we’ll see many of these trends come to a head in the new year, and many more new challenges will emerge. To learn more about what to expect in 2024, we sat down with four of Keyfactor’s cybersecurity experts to hear their predictions. Here’s what we learned.
Post-quantum cryptography will take off
2024 will be the year of “quantum-readiness” for organizations.
It may be a hot take, but I believe this will be the year of quantum cryptography.
While the initial candidates for NIST PQC algorithms are expected to be finalized in early 2024, that marks the starting line for post-quantum algorithms, not the finish line. That’s a good thing because organizations will need to do significant testing and planning to adopt the new algorithms, as they are completely different from the current ones used in asymmetric cryptography.
In 2024, organizations need to start planning and testing for the adoption of those new algorithms, and they need to start making assessments about how prepared the entire supply chain for their organization will be. From this point forward, it will be imperative for security assessments and vendor audits to begin taking post-quantum cryptography into account.
– Chris Hickman, Chief Security Officer at Keyfactor
Protocol standardization from NIST will happen, and that will lead to a rush in development.
Keyfactor is tracking algorithm standardization closely and will be ready to support organizations as they make the transition to the new standards, including PKI and signing solutions that leverage PQC algorithms, shortly after they are finalized by NIST.
In particular, with FIPS 204 Dilithium/ML-DSA, we are not only working on software but also integrating with HSM vendors. Keyfactor will be first out of the gate with production-ready, quantum-ready products once the FIPS 204/ML-DSA standard is finalized.
In general, as the standards are finally released, 2024 will see a rush in development among product vendors and standardization organizations, and it will be the year that quantum-ready PKI and signing solutions will be deployed in production.
– Tomas Gustavsson, Chief PKI Officer at Keyfactor
An ever-growing IoT will present continued security concerns
Machine identities – and security challenges along with them – will continue to explode.
The number of machine identities will continue to proliferate in 2024. Many organizations are experiencing significant growth among IoT devices that require network connections. Often referred to as OT for IoT, this new wave of devices will continue to push the total number of connected devices and endpoints.
Needless to say, you cannot treat these devices with any less scrutiny and security than any other devices. Unfortunately, many of these devices do not include sophisticated protocols to automate the management of their identities, and therefore organizations will struggle to keep up with this growth unless they have a machine identity lifecycle management platform.
– Chris Hickman, Chief Security Officer at Keyfactor
The risk of attackers leveraging IoT in cyberwarfare will come to fruition.
Many device endpoints can be leveraged in attacks if not properly secured. For some of these smart consumer devices, companies that needed to cut costs during the design process may have removed some security features, so that’s definitely something everyone needs to keep an eye on.
Looking even deeper at the IoT security space, manufacturers will need to get serious about exploring post-quantum cryptography for IoT devices that are long lived.
– Ellen Boehm, EVP of IoT Strategy and Operations at Keyfactor
Regulations that used to seem far off in the future will become real in 2024.
The Biden administration’s “U.S. Cyber Trust Mark” labeling program, designed to help Americans more easily choose smart devices that are safer and less vulnerable to cyberattacks, is expected to launch in 2024.
This is definitely a step in the right direction because we acknowledge a gap in cybersecurity awareness, and we need to make consumers more aware of risks. Just like we as consumers expect a certain level of quality and safety from the products we buy, consumers have the same expectation of the security that is embedded inside the smart home tech and connected devices they choose to use. As with any new program, there will be iterations, but having this conversation is important so we can start to level up and drive more awareness on a national level for U.S. consumers.
– Ellen Boehm, EVP of IoT Strategy and Operations at Keyfactor
The long-awaited impact of AI will arrive – the good and the bad
AI will start to have a real impact on cryptography.
I see the biggest advantage that AI brings as reducing the overall “legwork” required to break cryptography. AI could also be used to effectively identify patterns in data or reduce the overall “noise” that may be present to crack keys. For example, the combination of a sufficiently powerful quantum computer and AI could be used to reduce potential candidates for attacks against keys.
– Chris Hickman, Chief Security Officer at Keyfactor
AI will play a big role in IoT security – for better and for worse.
AI can be used for code development or product design to advance the development of IoT products and more efficiently launch new concepts.
On the flip side, AI will make it so much easier to crack weak implementations of algorithms that there will be no other choice than to use secure elements or secure MCUs to run cryptographic algorithms and to use strong software implementations of these algorithms, such as Bouncy Castle for servers and HSMs and Trusted Objects’ TO-Protect for MCUs.
– Ellen Boehm, EVP of IoT Strategy and Operations at Keyfactor
Widespread use of AI will create more opportunities, alongside serious questions about what we can trust.
Like any disruptive technology, AI is a double-edged sword. AI has been around for a long time; the difference now is one word: availability. Any new technology is initially expensive, not widely available, and sometimes, it’s too complex for the average person. Generative AI and large language models were the accelerators that overcame these hurdles, making AI affordable, usable, and accessible to everyone over the last year. That’s where the problems come in.
There’s no standard (yet) for how AI should be used, what AI should have access to, and how to prevent misuse. AI can be a co-pilot or assistant for cybersecurity teams, helping them work more efficiently and make better sense of the flood of alerts and warnings they deal with on a daily basis.
On the other hand, AI can be used to produce fraudulent images or videos, accelerate malware production, or even take DDoS attacks to the next level by enabling AI-powered bots to do the dirty work. One area where we’re most concerned is content and code authenticity. In a world where AI is accessible to all, how do you know if an image or video was produced by a human or AI? How do you know if it’s been augmented? How do you know when and where it was taken? All of these are important questions, particularly in the face of recent conflicts, which have raised questions about authenticity and show the dangers of potential misinformation or even disinformation via content that spreads like wildfire on social media. Digital signatures are one of the best current methods to prove the origin and authenticity of images and videos.
The same also applies to software development. If teams augment development with AI, how do you know the source of your code? How do you know if it’s been tampered with or altered? Again, digital signatures are one of the best current tools we have to prove the integrity and authenticity of code.
All of these – whether it’s images, videos, or software – are intellectual property that must be protected. We now live in a world where we can’t immediately trust what we see and hear: Everything must be verified. Authenticity is the key to establishing trust in an otherwise untrusting world.
– Ryan Sanders, Senior Director of Product and Customer Marketing at Keyfactor
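The sign-then-verify step behind the quote above, as an added example that is not part of the original post and not code from Keyfactor or any of its products. It uses Go’s standard-library Ed25519: the choice of algorithm, the small manifest format (artifact name, SHA-256 digest, signature over both), the sample artifact and the file name are all assumptions made for illustration. It shows the two distinct failures a verifier should report: the artifact bytes no longer match the digest the signer committed to, or the manifest itself was not signed by the key being checked.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a constructed example format (not a standard): the artifact's
// name, its SHA-256 digest as hex, and an Ed25519 signature over
// "<name>\n<digest-hex>". Signing the digest rather than the raw bytes lets
// the manifest travel separately from a large artifact.
type Manifest struct {
	Name      string
	DigestHex string
	Signature []byte
}

// signingInput is the exact byte string the signature covers; signer and
// verifier must build it identically.
func signingInput(name, digestHex string) []byte {
	return []byte(name + "\n" + digestHex)
}

// SignArtifact hashes the artifact and signs name+digest with the private key.
func SignArtifact(priv ed25519.PrivateKey, name string, artifact []byte) Manifest {
	sum := sha256.Sum256(artifact)
	digestHex := hex.EncodeToString(sum[:])
	sig := ed25519.Sign(priv, signingInput(name, digestHex))
	return Manifest{Name: name, DigestHex: digestHex, Signature: sig}
}

// VerifyArtifact returns nil only if the manifest was signed by the holder of
// pub AND the artifact bytes still hash to the digest in that manifest.
// The two error cases are kept separate so an operator can tell a modified
// build from a forged or mis-keyed manifest.
func VerifyArtifact(pub ed25519.PublicKey, m Manifest, artifact []byte) error {
	if !ed25519.Verify(pub, signingInput(m.Name, m.DigestHex), m.Signature) {
		return errors.New("signature invalid: manifest altered or not signed by this key")
	}
	sum := sha256.Sum256(artifact)
	got := hex.EncodeToString(sum[:])
	if subtle.ConstantTimeCompare([]byte(got), []byte(m.DigestHex)) != 1 {
		return errors.New("digest mismatch: artifact bytes changed after signing")
	}
	return nil
}

func main() {
	// Constructed sample: a throwaway key pair and a tiny "source file".
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	artifact := []byte("print('hello from build 42')\n")

	m := SignArtifact(priv, "app.py", artifact)
	fmt.Println("original:", VerifyArtifact(pub, m, artifact))

	// Case 1: the artifact is edited after signing -> digest mismatch.
	tampered := append(append([]byte{}, artifact...), []byte("# added later\n")...)
	fmt.Println("tampered artifact:", VerifyArtifact(pub, m, tampered))

	// Case 2: the manifest is edited (renamed) -> signature invalid.
	renamed := m
	renamed.Name = "other.py"
	fmt.Println("altered manifest:", VerifyArtifact(pub, renamed, artifact))

	// Case 3: checked against a different public key -> signature invalid.
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("wrong key:", VerifyArtifact(otherPub, m, artifact))
}
```

What the check proves is narrow and worth stating precisely: a passing verification means the artifact is byte-for-byte what the holder of the private key signed, nothing more. It does not say who held that key at signing time, which is why the key-safety concern raised elsewhere in this post is the other half of the story: a stolen signing key produces perfectly valid signatures.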
PKI will need to evolve alongside post-quantum, AI, and more
Cryptographic key safety was a top challenge of 2023, and that will continue into 2024.
In hindsight, the greatest challenge of the past year continues to be keeping keys safe. In 2023, there were a number of incidents that involved stolen or compromised keys. Those incidents led to malware distribution, unauthorized network access, and disclosure of tens of thousands of sensitive government emails. We’ll see a continued trend of keys being stolen and used for nefarious purposes in the new year.
– Chris Hickman, Chief Security Officer at Keyfactor
Zero trust will be the major PKI priority for organizations and security leaders, but getting it right won’t be easy.
Zero trust will be top of mind for many organizations in 2024. However, the field is so large that these organizations will struggle to define the most important elements of zero trust. Further, for components like containers and Kubernetes, there are so many different options to achieve the same goal that it is hard to find best practices, and there is a risk of ad-hoc point solutions that are not efficient long term.
– Tomas Gustavsson, Chief PKI Officer at Keyfactor
Point solutions will exacerbate PKI sprawl.
PKI sprawl will continue to be a headache due to the increased need for PKI, the limited knowledge of and headcount to support PKI in organizations, and the many point solutions that are appearing on the market. These point solutions solve specific needs in the short term but fail to address organizational efficiency and lack competence to support organization-wide governance for critical security components.
– Tomas Gustavsson, Chief PKI Officer at Keyfactor
The IT and security talent gap will persist in 2024.
The talent gap continues to widen, and 2024 will show the true strain on organizations of not keeping IT security staff current and up-to-date in skills.
With more flexible work arrangements now being offered, skilled workers can work for virtually any company on the planet, creating a huge issue for organizations outside of major metropolitan areas and those that simply cannot pay the salaries these professionals command.
Add to the issue new concerns about items like quantum-ready cryptography migration and AI/ML, and organizations will require more people to remain secure. But the labor market is just not there to fill the need.
– Chris Hickman, Chief Security Officer at Keyfactor