After Berlin pledged tanks for Ukraine, some German websites were knocked offline temporarily by Killnet DDoS attacks.

After Berlin agreed to send its advanced Leopard 2 tanks to Ukraine, Russia-backed threat group Killnet retaliated with DDoS attacks aimed at Germany's government, banking, and airport sites.

Germany's BSI federal agency, which oversees information security, said the attacks caused some small outages, but otherwise did little damage.

"Currently, some websites are not accessible," the BSI said in a statement to Reuters. "There are currently no indications of direct effects on the respective service and, according to the BSI's assessment, these are not to be expected if the usual protective measures are taken."

Last fall Killnet was behind similar DDoS attacks against US airports last fall and has been escalating its nefarious cyber activities throughout Russia's invasion of Ukraine.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

German Government, Airports, Banks Hit With Killnet DDoS Attacks

The rapid maturation and rebranding of ransomware groups calls for relentless preparation and flexibility in response, according to one view from the trenches.

Analysis of ransomware trends in 2022 shows that business was booming last year for extortionary cybercriminals, with the highest volume of ransomware attacks lobbed by sophisticated criminals that organize into groups that utilize very consistent tactics, techniques, and procedures (TTPs) amongst themselves, even if these organizations "retire" and then come back, rebranded.

A Jan. 26 report from the GuidePoint Research and Intelligence Team (GRIT) showed that while at least one new ransomware group emerged every month last year, the majority of attacks were perpetrated by a relatively small group of entrenched players.

The "GRIT 2022 Ransomware Report" examined data and circumstances from 2,507 publicly posted ransomware victims across 40 industry verticals that were carried out by 54 active threat groups.

"The thing that we really wanted to emphasize was that ransomware is not going anywhere," says Drew Schmitt, GRIT lead analyst and an experienced ransomware negotiator for GuidePoint Security. "It's very present. A lot of people seem to think that ransomware is potentially declining, because of things like Bitcoin payments are becoming less valuable. But ransomware is still happening at crazy rates."

    

Source: GRIT 2022 Ransomware Report, GuidePoint Security

As a negotiator, Schmitt works with actively attacked companies to act on their behalf and interface with the extortionist. There are two goals: to either gain enough information and time to help their security operations centers (SOCs) recover, or to negotiate a lower payment.

Using his inside knowledge about how attackers operate, and the data freely available about victimology last year, he and his team were able to put together a number of insights for the report. Dark Reading caught up with Schmitt to not only dig into details the report, but also to glean observations from his ongoing work as a negotiator. He provided seven key points that defenders should keep in mind as they prepare for more ransomware campaigns in 2023.

**1\. There's a Definite Taxonomy to Ransomware Gangs**

A big part of the analysis revolved around the development of a ransomware taxonomy for categorizing ransomware groups, which the team organized into four buckets: full-time, rebrands, splinter, and ephemeral. 

The majority of attacks came from what the taxonomy dubbed full-time groups, which have been active for nine or more months and publicly claim 10 or more victims.

"These are the Lockbits of the world, and they're the ones that are doing very consistent operations \[and\] can maintain a very high tempo," Schmitt says. "They are very consistent in behaviors and have a lot of really robust infrastructure. Those are the ones that have been operating for a very long period of time, and they're doing it consistently."

As the report pointed out, Lockbit alone accounted for 33% of attacks last year.

Then there are the rebrand groups, which have been active for less than nine months but claim nearly the same number of victims as full-time groups, and with some examination of TTPs usually have some correlation with a retired group.

"Really the only difference between the rebrand and the fulltime is the duration of operation," Schmitt says. "Groups like Royal also fit into this type of category where they just have very robust operations and they're able to operate at a high tempo."

Meantime, "splinter" groups are those that have some TTP overlap with known groups, but are less consistent in their behaviors.

"The splinter groups are an offshoot from either a rebrand or a full-time, where it's maybe somebody going off and doing their own thing," he says. "They haven't been around for very long. Their identity is not solidified at this point in time, and they're really just trying to find themselves and how they're going to operate."

Finally rounding things out are "ephemeral" groups that have been active for less than two months, which have varied but low victim rates. Sometimes these groups come and go, while other times they end up developing into more mature groups.

**2\. Rapid Rebranding of Ransomware Groups Makes Threat Intelligence Key**

The classification into those four taxonomy groups looks cleaner in an annual report than it does on the ground when a SOC starts lighting up.

"When you start dealing with these types of groups that are popping up and going away very quickly, or they're rebranding, they're developing new names, it does make it very much more difficult for the blue teamers or the defenders to keep up with these types of trends," says Schmitt, who explains that keeping tabs on rebranding and splintering of groups is where threat intelligence should come into play.

"We really like to focus on emphasizing communication when it comes to threat intelligence — whether it's threat intelligence talking with the SOC or the incident response team, or even vulnerability management," he says. "Getting an idea of what these trends look like, what the threat actors are focusing on, how much they pop up and go away, all of that is very valuable for the defenders to know."

**3\. RaaS Groups Are a Wild Card in Negotiations**

Even though the underlying TTPs of fulltime groups makes a lot of ransomware detection and response a little easier, there are still some big variables out there. For example, as many groups have employed the ransomware-as-a-service (RaaS) model, they employ a lot more affiliates, which means negotiators are always dealing with different people.

"In the early days of ransomware, when you started negotiations, there was a good chance you were dealing with the same person if you were dealing with the same ransomware," Schmitt says. "But in today's ecosystem, there are just so many different groups, and so many different affiliates that are participating as part of these groups, that a lot of times you're almost starting from scratch."

**4\. Ransom Demands Are Climbing Sky High**

One of the anecdotal observations Schmitt made was the fact that he's seen a lot of very high initial ransom demands from ransomware operators lately.

"We've seen $15 million, we've seen $13 million, we had $12.5 million. There's a lot of very high initial ransom demands that have been happening, which is a little bit surprising," he says. "And a lot of times we do successfully negotiate significantly lower ransoms. So starting at $15 million and getting down to $500,000 is not uncommon. But at the same time there are just certain threat actors that are like, 'You know what? This is my price and I don't care what you say, I'm not going to negotiate.'"

**5\. Improved Backup Strategies Are Making a Difference in Preparation**

The ratio of clients he sees who can successfully recover without caving to the extortion demands versus those that need to pay a ransom is coming close to a 1:1 parity, Schmitt says.

"In the early days it was like, 'Well crap, we got encrypted. We can't recover unless we pay this ransom,'" he notes. "As time has gone on, having really effective backup strategies has been huge for being able to recover; there are a lot of organizations that get hit with ransomware and they're able to recover simply because they have a really solid backup strategy in place."

**6\. Double Extortion Is the Norm**

However, there are still plenty of organizations that are still behind the curve, he says, which keep ransomware more profitable than ever. Additionally, the bad guys are also adjusting through doubleextortion, not only encrypting files, but stealing and threatening to publicly leak sensitive information as well. All of the groups tracked in the report utilize double extortion.

"It's a little bit unclear whether that's just because people are getting better at securitynor the groups are really realizing that maybe it's not worth the effort to deploy the ransomware if the client already has a backup strategy in place that's going to allow them to recover," he says. "So, they've been focusing on that data exfiltration because I think they know that that's the best chance that they actually have to make money off of an attack."

**7\. There's No Honor Among Thieves, but There's Business Sense**

Finally, the big question in dealing with criminal extortionists is whether the bad guys are even going to keep their word once the money drops in their account. As a negotiator, Schmitt says that, for the most part, they typically do so.

"Obviously, there's no honor among thieves, but they do believe in their reputation," he says. "There are edge cases where something bad happens, but most commonly the bigger groups are going to make sure they don't post your data and they're going to provide you the decryptor. It's not going to be some malware backdoor decryptor that's going to do more damage. They're very focused on their reputation, and their business model simply just doesn't work if you pay them and then they still leak your data or they don't give you what they're supposed to."

7 Insights From a Ransomware Negotiator

Only one in 10 enterprises will create a robust zero-trust foundation in the next three years, while more than half of attacks won't even be prevented by it, according to Gartner.

The zero-trust approach to security promises to reduce threats and make successful attacks less damaging, but companies should not expect that implementing zero-trust principles will be easy or prevent most attacks, business intelligence firm Gartner said this week.

While interest in zero-trust architectures is high, only about 1% of organizations currently have a mature program that meets the definition of zero trust. The firm also estimates that only a 10th of all organizations will create a mature zero-trust framework by 2026, and by that time, those measures will end up only blocking or minimizing the impact of about half of all attacks. 

Even so, moving from 1% to 10% is significant progress, says John Watts, vice president analyst at Gartner.

"That's a relatively large increase," he says. "\[Ten percent\] may seem low, but at the same time, right now, when we talk to clients, and we look at other industry data points, it doesn't seem like there are many large organizations you can point to that have a mature and measurable zero-trust program."

Zero-trust initiatives continue to be an aspirational goal for companies and their cybersecurity teams, with 80% of executives indicating that the strategy is a top priority and 77% increasing their budget for implementation, according to a 2022 survey published by the Cloud Security Alliance in June. A separate report published by Microsoft in 2021 found that 96% of security leaders considered zero trust critical to their success — and 76% were "in the process" of implementing a zero-trust initiative.

**Turning Zero Trust Into Action**

As companies mull their paths forward, they should recognize that getting to a comprehensive zero-trust architecture is not easy and will take time, says Christopher Hallenbeck, CISO for the Americas at Tanium, a provider of converged endpoint management.

"The process of migrating to zero trust can seem overwhelming, and it often causes paralysis," he says. "I’m surprised the \[forecasted\] number is as high as 10%. While many organizations have zero-trust aspirations, few have made holistic changes to fully embrace it."

It can also be confusing, given the widespread use of "zero trust" in the marketing of cybersecurity products and services. 

In a prior Insights report, Gartner pushed back against the overzealous use of the term. Neil MacDonald, a distinguished vice president and analyst at the firm, said that zero trust requires that the degree of trust granted to users and devices need be explicitly granted, continuously calculated, and then adapted to allow the right amount of access only for as long as necessary.

"Zero trust is a way of thinking, not a specific technology or architecture," he said. "It's really about zero implicit trust, as that's what we want to get rid of."

While the notion of removing implicit trust from enterprise computing infrastructure is a good one, the architecture is difficult and time-consuming to implement and does not solve all problems, the analyst firm stated as part of this week's post.

As such, organizations need to move to integrating zero-trust initiatives into specific pieces of their operations, Hallenbeck notes.

"You need to configure each system to bring it under zero trust and should prioritize those systems holding the most sensitive information," he says. "It all comes down to knowing what you have in order to form a plan."

**Know the Limits of Zero Trust**

Indeed, knowing the scope and limits of zero trust is critical, Gartner's Watts says. The architecture and technologies used in zero-trust implementations are good for blocking lateral movement and containing the impact of an initial breach. However, companies should not expect a zero-trust service to prevent compromises of consumer-facing systems.

Anything that's intended for consumer consumption and exposed to the Internet, where anybody can find and try to use the service, is not a candidate for zero trust and not in scope for a company's initiatives, Watts says. Attackers are already starting to bypass some identity and authentication techniques, such as last year's compromise of Rockstar Games through spear-phishing and an internal collaboration platform. They will continued to find entry points that are not controlled by zero-trust protections, or they will focus on the weakness of zero trust, he says.

The firm, in fact, predicts that by 2026, zero trust will not be able to prevent more than half of all cyberattacks.

Still, adopting zero-trust frameworks will eventually pay off, Tanium's Hallenbeck says. A company with a mature zero-trust program knows "what systems \[they\] have and where data lives," he says. In that way, even if an attacker bypasses a zero-trust protection, the organization can limit the damage by limiting the attacker's access to internal systems and data.

"We're just starting to move past this phase, from where every vendor tells you they can solve all your zero-trust problems, and into the space where organizations now are implementing more zero-trust controls," Watts says. "They're facing a reality of both good and bad, right? And it's not all good, and it's not all bad."

Companies Struggle With Zero Trust as Attackers Adapt to Get Around It

**25****th****January 2023**– The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment has released its report ‘Deconstructing Application Connectivity Challenges in a Complex Cloud Environment’. The survey, conducted in partnership with AlgoSec, a global cybersecurity leader in securing application connectivity, sought to better understand the industry’s knowledge, attitudes, and opinions regarding application connectivity security in the cloud.

“Increasingly, organizations are taking advantage of SaaS applications to the point where application security has become an integral part of many organizations' security strategies. Despite their growing prevalence, organizations are still faced with a host of pain points when it comes to application connectivity security and risk management,” said Hillary Baron, Senior Technical Director for Research, Cloud Security Alliance, and a lead author of the report.

Among the key findings:

**Managing risk for application connectivity is a complicated task**. Lacking a single source of truth, organizations are trying to use multiple methods to get similar information: 53 percent of respondents reported using a cloud provider’s assessment service; 50 percent use a third-party cloud-only tool, another 45 percent use a generic risk or vulnerability assessment tool, and 32 percent use a third-party hybrid network security tool.

**Managing application connectivity risks in the deployment process is changing**. Traditional security teams are responsible for identifying and mitigating risk and this still holds true for 42 percent of organizations. However, there is a shift happening: Thirty-two percent of organizations utilize infrastructure as code with embedded security checks, suggesting organizations are beginning to use more automation, leaving less room for human error.

**Human error leads to significant application downtime.**Nearly 75 percent of organizations have experienced an application outage in the past 12 months, and for over half (52%) of the outages, operational human error and mismanagement was the cause—unsurprising, given the skills gap that has plagued the information security industry.

“As cloud-native business applications become the standard for business transformation and innovation, the need to incorporate security into the DevOps process is paramount,” said Jade Kahn, Chief Marketing Officer, AlgoSec. “However, cumbersome security processes and lack of visibility are slowing applications’ time-to-market and compromising security in this new paradigm. This research underscores the importance of identifying risk early in the DevOps process and aligning all stakeholders around risk and compliance gaps from the start.”

The survey, which was sponsored by AlgoSec, was conducted online by CSA in August 2022 and received 1,551 responses from IT and security professionals from organizations of various sizes and locations. CSA research prides itself on vendor neutrality, agility, and integrity of results. Sponsors are CSA Corporate Members who support the findings of the research project but have no added influence on the content development or editing rights to CSA research.

New Study Examines Application Connectivity Security in the Cloud

Program provides financial assistance to aspiring information security professionals, enabling students toward long-term career success.

**ALEXANDRIA, Va.****,** **Jan. 26, 2023** **/PRNewswire/ --** The Center for Cyber Safety and Education, the charitable arm of (ISC)² - the world's largest nonprofit association of certified cybersecurity professionals – announced it is now accepting applications for its 2023 scholarships. The scholarships award qualifying information security students financial support as they pursue associate, undergraduate, and graduate degrees. The application period began January 17 with the (ISC)² associates and undergraduate, graduate, and women's scholarships and KnowBe4's women's scholarship all opening for applications. 

The scholarships were created to provide financial assistance to aspiring cybersecurity professionals from diverse backgrounds from around the world. Applicants must be pursuing, or plan to pursue, a degree with a focus on cybersecurity, information assurance or a similar field in the fall of 2023 and have at least a 3.3 GPA on a 4.0 scale. The Center for Cyber Safety and Education evaluates applicants based on academic excellence, passion for the industry, and financial need.

"Since the launch of our scholarship program in 2011, the Center for Cyber Safety and Education has provided financial aid to more than 700 students pursuing a cybersecurity career path," said Holly Schneider Brown, Center Senior Director. "We aim to remove financial barriers and foster greater diversity by providing additional pathways into the cybersecurity field." 

In addition to the financial award, the Center for Cyber Safety and Education's scholarship program provides opportunities for recipients to learn from cybersecurity professionals and past scholarship recipients and get more information about internship and career opportunities. As part of their scholarship, recipients can pursue the Certified in Cybersecurity certification exam for free through the (ISC)² One Million Certified in Cybersecurity program.

The deadline to submit a scholarship application is February 28, 2023. To complete an application and learn more about the scholarship opportunities, please visit https://www.iamcybersafe.org/Scholarships/.

**About the Center for Cyber Safety and Education** 

The Center for Cyber Safety and Education, formerly (ISC)² Foundation, is a non-profit charity formed by (ISC)² in 2011 as a means to reach the general public and empower students, parents, teachers, and members of society across all age groups and demographics to secure their online life with cybersecurity education and awareness programs. The Center breaks down barriers in exposure and access to the cyber profession and provides opportunities for underserved individuals, groups, and organizations to benefit from the commitment of (ISC)² to the profession. 

Visit www.iamcybersafe.org.

**About (ISC)²**

 (ISC)² is an international nonprofit membership association focused on inspiring a safe and secure cyber world. Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, (ISC)² offers a portfolio of credentials that are part of a holistic, pragmatic approach to security. Our association of candidates, associates, and members, nearly 280,000 strong, is made up of certified cyber, information, software, and infrastructure security professionals who are making a difference and helping to advance the industry. Our vision is supported by our commitment to educate and reach the general public through our charitable foundation – The Center for Cyber Safety and Education™. For more information on (ISC)², visit www.isc2.org, follow us on Twitter, or connect with us on Facebook and LinkedIn.

Center for Cyber Safety and Education Opens 2023 Cybersecurity Scholarship Applications

Advanced workflow, approval process, and management dashboard enhance control, distribution, and supervision, while reducing errors and streamlining the entire SBOM management process.

**TEL AVIV, Israel****,** **Jan. 26, 2023** **/PRNewswire/ --** Cybellum, provider of the award-winning Product Security Platform for connected product and device manufacturers, announced today the release of version 2.22, providing enhanced SBOM management and security capabilities for the automotive, medical device, and industrial sectors. Generation of reliable SBOMs is only the first step in the process. Version 2.22 offers greater visibility for managing SBOMs via advanced workflows for approval process and management dashboards, and improved support for protecting against supply chain vulnerabilities.

Increased pressure from regulatory bodies and asset owners requires that manufacturers provide better visibility into their software components using Software Bill of Materials (SBOM). But generating SBOMs is not enough. It is only the first step for manufacturers who need to monitor and manage the multitudes of SBOMs created, now and into the future. 

"There is heightened focus on Software Bill of Materials in connected devices, especially since the Presidential Executive Order 14028 was released in May 2021, and as a result of the work that CISA and the NTIA have been doing in this area," said Eran Rosenberg, VP of Products and Strategy at Cybellum.

"But it's not enough to just create SBOMs," Rosenberg stressed."SBOMs must be managed - vetted, edited and approved - so they correctly represent the software make-up of a device. In addition, security and compliance stakeholders should be able to seamlessly share the SBOMs and support must-have use-cases for vulnerability management, supply chain security and support of product security incident response teams (PSIRT)."

Version 2.22 includes new features and capabilities for product security teams to streamline the management process including:

*   **Management dashboards** - for managing the control of SBOMs, their distribution and approval processes across product, security, compliance and management teams.
*   **SBOM approval process** - locks an SBOM for further editing, designates it as "approved" for further usage, and logs approver details in the platform's audit log.
*   **Improved Access Control** - for role-based access control with SBOM-level access permissions.
*   **Ability to track KPIs and Risk -** reveals the organization's SBOM readiness and cyber risk status, helping managers identify areas requiring immediate attention.
*   **Multiple SBOM formats** - support for managing formats including CycloneDX, SPDX, SWID.
*   **Hierarchical product configuration** \- including system, product and component level.
*   **Support for NTIA minimal elements for SBOMs** - component vendor, name, CPE, CPE aliases, version, latest version, website, reference and dependencies.
*   **Lifecycle support** - for SBOM lifecycle phase, component End-of-Life and End-of-Support.

To schedule a demo of the SBOM management capabilities, click here.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cybellum Releases Enhanced SBOM Management and Compliance Oversight for Manufacturers with New Release of its Product Security Platform

New guidance seeks to cultivate trust in AI technologies and promote AI innovation while mitigating risk

**January 26, 2023-****WASHINGTON —** The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has released its _Artificial Intelligence Risk Management Framework_ (AI RMF 1.0), a guidance document for voluntary use by organizations designing, developing, deploying or using AI systems to help manage the many risks of AI technologies. 

The AI RMF follows a direction from Congress for NIST to develop the framework and was produced in close collaboration with the private and public sectors. It is intended to adapt to the AI landscape as technologies continue to develop, and to be used by organizations in varying degrees and capacities so that society can benefit from AI technologies while also being protected from its potential harms.

“This voluntary framework will help develop and deploy AI technologies in ways that enable the United States, other nations and organizations to enhance AI trustworthiness while managing risks based on our democratic values,” said Deputy Commerce Secretary Don Graves. “It should accelerate AI innovation and growth while advancing — rather than restricting or damaging — civil rights, civil liberties and equity for all.” 

Compared with traditional software, AI poses a number of different risks. AI systems are trained on data that can change over time, sometimes significantly and unexpectedly, affecting the systems in ways that can be difficult to understand. These systems are also “socio-technical” in nature, meaning they are influenced by societal dynamics and human behavior. AI risks can emerge from the complex interplay of these technical and societal factors, affecting people’s lives in situations ranging from their experiences with online chatbots to the results of job and loan applications.   

The framework equips organizations to think about AI and risk differently. It promotes a change in institutional culture, encouraging organizations to approach AI with a new perspective — including how to think about, communicate, measure and monitor AI risks and its potential positive and negative impacts.

The AI RMF provides a flexible, structured and measurable process that will enable organizations to address AI risks. Following this process for managing AI risks can maximize the benefits of AI technologies while reducing the likelihood of negative impacts to individuals, groups, communities, organizations and society.

The framework is part of NIST’s larger effort to cultivate trust in AI technologies — necessary if the technology is to be accepted widely by society, according to Under Secretary for Standards and Technology and NIST Director Laurie E. Locascio. 

“The AI Risk Management Framework can help companies and other organizations in any sector and any size to jump-start or enhance their AI risk management approaches,” Locascio said. “It offers a new way to integrate responsible practices and actionable guidance to operationalize trustworthy and responsible AI. We expect the AI RMF to help drive development of best practices and standards.”

The AI RMF is divided into two parts. The first part discusses how organizations can frame the risks related to AI and outlines the characteristics of trustworthy AI systems. The second part, the core of the framework, describes four specific functions — govern, map, measure and manage — to help organizations address the risks of AI systems in practice. These functions can be applied in context-specific use cases and at any stages of the AI life cycle.

Working closely with the private and public sectors, NIST has been developing the AI RMF for 18 months. The document reflects about 400 sets of formal comments NIST received from more than 240 different organizations on draft versions of the framework. NIST today released statements from some of the organizations that have already committed to use or promote the framework.

The agency also today released a companion voluntary AI RMF Playbook, which suggests ways to navigate and use the framework. 

NIST plans to work with the AI community to update the framework periodically and welcomes suggestions for additions and improvements to the playbook at any time. Comments received by the end of February 2023 will be included in an updated version of the playbook to be released in spring 2023.

In addition, NIST plans to launch a Trustworthy and Responsible AI Resource Center to help organizations put the AI RMF 1.0 into practice. The agency encourages organizations to develop and share profiles of how they would put it to use in their specific contexts. Submissions may be sent to \[email protected\].

NIST is committed to continuing its work with companies, civil society, government agencies, universities and others to develop additional guidance. The agency today issued a roadmap for that work.

The framework is part of NIST’s broad and growing portfolio of AI-related work that includes fundamental and applied research along with a focus on measurement and evaluation, technical standards, and contributions to AI policy.

NIST Risk Management Framework Aims to Improve Trustworthiness of Artificial Intelligence

Expect more regulatory and enforcement action in the US and around the world.

In 2022, we saw broad support behind federal privacy legislation in the US Congress. While the American Data Privacy Protection Act (ADPPA) did not see the president's pen prior to the midterms, the fact that such a bill saw a committee vote in the House — approved 53–2, with bipartisan support — and both industry and advocates promoted passage is notable. The question is no longer whether we will see federal privacy law, but when. And while the ADPPA took up much of the attention in the US in 2022, the year also brought a progressive Federal Trade Commission (FTC) launching a broad regulatory initiative, continued growth of state privacy issues in California and beyond, and the introduction of an executive order to repair the Privacy Shield program. In 2022, US privacy was searing hot.  

Last year also saw continued growth in the international realm. China's new law began to show the significant risks of noncompliance. India continued its parliamentary moves toward passage of a comprehensive data protection law. And the Europen Union saw significant traction in enforcement activity. More than 100 countries now have national privacy laws, and the field grows every day.

These trends will continue, and accelerate, in 2023. Expect more state law in the US, more regulatory and enforcement action from the Federal Trade Commission, an active enforcement environment in the EU — major cases are expected in Ireland, very soon — and continued maturity and growth around the world as privacy professionals grapple with the complexity and risk of these laws.

**Predictions for 2023**

2023 will be a turbulent year in privacy. Economic headwinds and disruption in the tech industry may give rise to calls for additional privacy protections and stronger enforcement. M&A activity may highlight the fact that corporate privacy policies may be modified or ignored when competing interests take priority. Data transfers will still be a central concern, with the EU assessment of adequacy for the updated Privacy Shield emerging early in the new year.

Here are a few key trends to watch:

*   **Tighter budgets, but an even tighter talent pool.** Privacy leaders will struggle with two competing themes. On the one hand, privacy budgets, like all expense lines in organizations, will feel the pressure of recessionary forces in the global market. Privacy leaders will need to do more with less in many cases. Conversely, the talent shortage in the privacy field will continue to get worse with experienced privacy pros commanding greater salary levels and poaching of top talent across the field.

*   **Who's your data privacy officer (DPO)?** The EU Data Protection Board has announced that the appointment and role of the DPO under the General Data Protection Regulation (GDPR) will be a shared enforcement priority across the EU for 2023. Now is a good time to make sure that: (1) you have a DPO; (2) you have registered them appropriately with your DPA; (3) they are adequately trained, experienced, and resourced for the job; (4) they have independence in their duties; and (5) they have access to the top levels of management. Expect more from the European Data Protection Board (EDPB) guidance too. We may see expectations emerge around proper qualifications, independence, and conflicts within the DPO role.

*   **Something old, something new.** New laws take up much of our focus in the privacy field, and rightly so. The American Data Privacy Protection Act (ADPPA), Brazil's General Data Protection Law (LGPD), and China's Personal Information Protection Law (PIPL) all present new compliance complexity for privacy pros. But do not lose sight of the number of laws that are being updated, even overhauled, around the world. Canada, Australia, New Zealand, and more have completed or initiated major reform of their existing privacy laws. These changes can be just as consequential as a new law.

*   **Enforcement risk and creativity.** Often, we focus on the monetary size of an enforcement action. But there are other enforcement tools available to regulators around the world. Watch for the rise of executive liability (sometimes criminal!), data disgorgement, and board oversight obligations as regulators look to change corporate behavior. These tools undoubtedly change the risk profile for privacy and may elevate attention to the highest levels in organizations.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Organizations Must Brace for Privacy Impacts This Year

One of the most closely watched security startups continues to build bank because its platform appeals to both developers and security pros.

Developers, security professionals, and investors all find something to like about Snyk and its developer security platform, which helps organizations mitigate their risk of exposure to software supply chain attacks.

After closing $196.5 million in Series G investment late last month, Snyk on Tuesday said it secured an additional $25 million from ServiceNow. ServiceNow's investment brings the total amount Snyk has secured to $1.4 billion since 2020.

During those three years, the company behind the developer security platform has been adding on customers. Snyk claims its revenues last year grew 100%, with net revenue retention growing 130%. Snyk reports that it closed out 2022 with over 2,300 customers who remediated more than 5.1 million vulnerabilities. Identity verification provider Veriff ranked Snyk first in an analysis of security startups based on funding amounts, number of investors, employee counts, Twitter following, and the uniqueness of the product portfolio.

**Integrating Snyk With ServiceNow**

Following this investment, ServiceNow will embed Snyk's open source software component analysis (SCA) and intelligence tools into ServiceNow's Vulnerability Response. While Snyk can boost ServiceNow's vulnerability detection capabilities, its developer-focused tools can bring Snyk to more DevSecOps organizations.

"Snyk's vision is all the way from code to cloud, and cloud is really code," Snyk chief product officer Manoj Nair says. "We get people to build security in from the start, rather than putting firewalls and scanners and all that after the fact to catch what's wrong."

ServiceNow VP and general manager of security products Lou Fiorello envisions the Snyk platform extending his company's vulnerability detection capabilities. "This significantly furthers ServiceNow's ability to provide a single view into vulnerabilities across the enterprise technology environment, driving workflows to better prioritize and expedite vulnerability management," Fiorello said in a statement.

**Appealing to Developers and Security Professionals**

Founded in 2015, Snyk has stood out amid escalating growth in software supply chain attacks. Snyk's Developer Security Platform helps organizations reduce the risk of an attack by letting those who build container-based applications generate software bills of materials (SBOMs) during the development process.

"Snyk has been successful at building security tools that the developers like," says Enterprise Strategy Group senior analyst Melinda Marks. Marks emphasizes that developers find especially appealing Snyk's tools to test open source code using SCA and to scan infrastructure as code.

"Snyk was a pioneer in the developer-first security category," she adds. "It's very easy for developers to use while giving security teams visibility and control for setting policies and related functions."

The ServiceNow announcement is significant, Marks adds, given how many large enterprises use ServiceNow for IT service management. ServiceNow says it serves 80% of Fortune 500 companies and approximately 7,400 enterprise customers.

**Recent Security Moves**

Organizations are increasingly looking at how to efficiently make SBOMs, especially in light of software supply chain attacks, vulnerabilities such as Log4j, and government mandates. In November, Snyk released an update to make it easier to automatically generate SBOMs during the software build process. Snyk added a "developer-first" API and command-line interface (CLI) to create SBOMs, which the company says provides broader visibility into customers' complete software supply chains.

Snyk also released an SBOM Checker, a free tool that scans SBOMs for vulnerabilities. Snyk also has added Bomber Integration, which scans SBOMs with the open-source Bomber application, testing them against its open source Snyk Vulnerability Database.

In November, Snyk Cloud — the outgrowth of the company's acquisition of Fugue last year — went live. Snyk Cloud has a common policy engine designed to ensure organizations' cloud applications are secure before deploying them.

"Snyk Cloud will help you secure your cloud environment with common policies for infrastructure code and cloud deployments," Nair said during the November launch event. "Taking a code-centric approach to find and fix cloud issues is something that we were fundamentally focused on."

Snyk Gets Nod of Approval With ServiceNow Strategic Investment

Delivering secure, global IoT device connectivity, deployment, and management at scale.

**ATLANTA, January 2023 --** KORE (NYSE:KORE), a global leader in Internet of Things (IoT) solutions and worldwide IoT Connectivity-as-a-Service (CaaS), is using Amazon Web Services (AWS) to simplify deploying, managing, and securing massive IoT solutions.

An expanding set of use cases are broadening the segment of Massive IoT, wherein organizations can implement widespread use of connected devices to drive efficiencies, optimize operations, and monitor conditions in industries including logistics, industrial, fleet, healthcare, agriculture, energy, utilities, and more.

With myriad network connectivity technologies, and widespread and oftentimes remote or hard-to-reach devices, the security risks can be heightened. KORE has introduced its OmniSIM™ SAFE using AWS IoT Core to decrease security challenges associated with global Massive IoT and large-scale IoT deployments.

The KORE OmniSIM SAFE connectivity solution is an innovative eSIM approach that uses the Global System for Mobile Communications Association (GSMA) IoT SIM Applet For Secure End-2-End (SAFE) standard. This standard enables device manufacturers and IoT providers to use the SIM as a root of trust to protect IoT data communications. This enables a standardized, device-level approach to security.

AWS IoT Core connects with the SIM to simplify secure device provisioning and management, as well as message routing to AWS services. From deployment to management, this is a holistic approach to widespread device security and dovetails with Massive IoT, because the KORE OmniSIM SAFE supports zero-touch provisioning – pairing device to cloud with minimal physical intervention.

"IoT is positioned to grow exponentially through this decade as organizations seek ways to optimize and streamline operations. An estimated 75 billion devices are expected to be connected by 2030, but with those connected devices comes a unique set of challenges," said KORE President and CEO Romil Bahl. "IoT security can be an area of concern across industries due to a lack of standardization and a fragmented ecosystem – this broadened landscape of devices exposes more security attack surfaces in kind. We are proud to deliver innovation in IoT security by using AWS."

KORE first launched its OmniSIM SAFE solution working with Energy Web, a nonprofit organization focused on building open-source software to accelerate the energy transition. The Energy Web stack enables enterprises to build and operate production-grade applications by leveraging decentralized technologies. One of the significant aims of Energy Web is to lower the use of carbon to meet global decarbonization targets.

"We are incredibly proud of KORE's leadership in the eSIM space and could not be more excited about the power of their technology powered by AWS and the Energy Web stack," said Jesse Morris, CEO of Energy Web Foundation. "We are on the cusp of a digital revolution for energy systems across the world; technologies like these must be deployed at scale in order for governments and corporations around the world to achieve decarbonization targets by 2030."

The participation of multiple organizations to simplify the use of IoT is the next evolution of how this technology is adopted.

"It is critical for end-to-end IoT security that devices are provisioned with individual, unique security credentials that are securely stored with the device. The logistics of managing the provisioning of large fleets of IoT devices can be complex for customers and not all IoT devices may offer secure on-device storage for credentials," said Yasser Alsaied, vice president of IoT at AWS. "We are excited to offer our AWS IoT Core customers a holistic approach to IoT security."

**About KORE**

KORE is a pioneer, leader, and trusted advisor delivering mission critical IoT solutions and services. We empower organizations of all sizes to improve operational and business results by simplifying the complexity of IoT. Our deep IoT knowledge and experience, global reach, purpose-built solutions, and deployment agility accelerate and materially impact our customers' business outcomes. For more information, visit www.korewireless.com.

**About Energy Web**

Energy Web is a global, member-driven nonprofit accelerating the low-carbon, customer-centric energy transition by unleashing the potential of open-source, digital technologies. We enable any energy asset, owned by any customer, to participate in any energy market. The Energy Web Chain — the world's first enterprise-grade, public blockchain tailored to the energy sector — anchors our tech stack. For more information, visit https://www.energyweb.org/.

Source

DARKReading