Digital trust and security predictions from DigiCert
Tuesday, December 12, 2023
Richard Harris
The DigiCert team and Mike Nelson share their 2024 predictions for security developments, digital trust, identity, the issue of content authenticity, what to expect for software and hardware supply chains, the importance of having a DTO leader, and much more.
Mike Nelson, along with a team of experts at DigiCert, looks back at the past year's security developments and makes some bold predictions about technology, identity, and digital trust. Here are DigiCert's top predictions:
Prediction 1: Senior executives will become more knowledgeable about post-quantum cryptography, and companies will accelerate their investments.
A recent Ponemon Institute survey revealed that, while the risk of "harvest now, decrypt later" cyberattacks worries most IT leaders, many business executives are still unaware of quantum computing’s implications. The survey also revealed that the majority of organizations lack clarity in ownership, budget, and strategy for post-quantum cryptography (PQC) preparation. Fostering proactive, effective communication is key.
In 2024, PQC education and planning activities will accelerate investments in this area. We predict companies will move aggressively to start enforcing policies around PQC. NIST is expected to release its final standards in February, which will push organizations to take steps to consider, document, and specify their quantum strategy and crypto-agility approach. One of the most vital steps will be a move to certificate discovery and a certificate management platform.
Prediction 2: Identity and provenance will become the foundation for web content authenticity.
The eIDAS regulation has long played a key role in the governance of electronic identification and trust services for the EU. A new piece of legislation places a stronger emphasis on Qualified Website Authentication Certificates (QWACs), requiring browsers to display the information in these certificates prominently and intuitively.
We predict that browsers will begin rolling out special displays for QWACs, as required by law. This will be a game-changer because as merchants, governments, and financial institutions realize the value of having their identities displayed, they’ll advise that customers only do business with entities displaying QWACs.
These EU developments will impact global trends. Verified identity will become the foundation of the trust we place in the source and authenticity of content. Companies will begin exploring ways to establish digital identity one time, without the need for additional proof checks.
We expect the United States' coming election season to put the issue of content authenticity front and center.
Prediction 3: Software and hardware supply chains will see trust embedded in building blocks: inspect before you sign, check packages, and provide software bill of materials transparency.
Last year, in the wake of high-profile software supply chain attacks, we predicted that software bills of materials (SBOMs) would be widely adopted in 2023 because of the information and visibility they provide. In the coming year, we believe the software supply chain (SSC) will continue to become more robust, with inspections at various points of delivery. The composition of embedded software will grow more transparent as SBOMs become more widely used.
On the hardware side of the supply chain, we predict that more malware will be embedded within hardware components manufactured in certain regions. Placing malware inside devices like digital cameras, modems, and laptop microcontrollers is an easy way for bad actors to compromise the entire supply chain. Manufacturers will begin to demand that suppliers utilize a trust-by-birth and security-by-design approach to chipsets and other components to assure day-zero security.
Prediction 4: IoT trust will enable real-world use cases, such as EV chargers and medical devices.
As the world grows increasingly mobile and dynamic, device security is becoming more important than ever. With individual identity now frequently tied to smartphones and other devices, the root of identity must be specialized per device and per individual, all protected under the umbrella of trust.
We predict that more and more devices will be secured with identity and operational checks to confirm authenticity, enabling individuals to interact with devices that support everyday activity with the confidence that the devices are tamper-resistant and their information is secure. Increased levels of IoT trust will also open up more opportunities for particularly sensitive use cases, such as electric vehicle chargers and medical devices.
Prediction 5: AI will shift from defense to attack, and organizations will need to prepare.
In 2023, we heard a lot about utilizing AI for defensive solutions like intrusion detection and prevention systems. But in 2024, the tables will turn, with AI being used far more often on the attack side. Attackers will begin using AI capabilities to survey the landscape, learning about an individual or enterprise before generating AI-based attacks. With today’s technology, a bad actor could pick up a phone, pull basic data from LinkedIn and other online sources to mimic a manager's voice, and perform malicious activities like an organizational password reset.
The ability to render sites on the fly based on a search can be used for legitimate or harmful activities. As AI and generative AI searches mature, websites will grow more susceptible to being hijacked. Once this technology becomes widespread, organizations could lose control of the information on their websites, and a fake page’s malicious content will look authentic thanks to AI’s ability to write, build, and render a page as fast as a search result can be delivered.
Just as they’re doing with PQC, leaders will need to create a strategy to combat AI threats and assure trust for public-facing websites and other key assets.
Prediction 6: Chief Digital Trust Officers will emerge as key participants in business-leading executive teams.
According to our 2022 State of Digital Trust report, 99% of businesses believe that losing customers’ trust will mean losing their business. More organizations are considering trust's role in digital transformation and are looking to modernize their security protocols to extend beyond traditional network boundaries and include personal identities. This will become a foundational element of business resiliency and customer retention. But that direction will need to come from the top, requiring Chief Digital Trust Officers (DTOs) to have a seat at the executive table.
A DTO is responsible for ensuring that an organization's partners and customers can trust the organization's digital assets and capabilities. Their work is focused on keeping an organization's digital presence secure and reliable and ensuring that trust is built into all digital interactions. Having a DTO leader not only brings a more strategic approach to security and compliance but conveys a message of confidence and assurance in the safety and security of the digital infrastructure within the company.
Prediction 7: Mark certificates will open a path to certificates for small and midsized businesses and nonprofits.
Verified Mark Certificates (VMCs) have existed for years. The email equivalent of a checkmark on social media provides added validation and security requirements to help companies protect customers and their brands against phishing and spoofing attacks. In 2024, a new type of certificate will be introduced that will put these verification capabilities within reach for smaller organizations. Instead of the trademark required by VMCs, mark certificates will require proof that the owner has been using their logo or mark.
This more accessible approach opens up the market to organizations like small and medium businesses and nonprofits that don't have trademarks. They'll now be able to have their logo displayed in mail clients appropriately, which will help customers recognize the emails they receive are coming from a legitimate entity. This massive step forward will continue to drive broad acceptance of authenticatable email experiences for both businesses and consumers.
Prediction 8: Zero trust as an architecture will proliferate, its foundation resting on digital trust.
"Never trust, always verify" architectures will become pervasive through information technology, product security, and consumer ecosystems, replacing networks and VPNs that formerly provided implicit trust to their users. The use of certificate-mediated authentication to deliver identity, integrity, and encryption to application and data interactions will continue to grow.