Cyber security predictions for 2022. What the experts expect.

Cybersecurity predictions

New cybersecurity challenges will invariably arise in 2022 as the threat landscape continues to shift. But what exactly does the future have in store?

We reached out to experts from multiple disciplines – including cybersecurity practitioners new and not-so-new, journalists, policymakers and influencers, professors and their students, and a science fiction author – to get their opinions as to what we can expect to see in 2022. 

Here’s what they had to say.

Christopher Ahlberg, Co-founder and CEO at Recorded Future

In 2022, the transition from an Internet that is a reflection of the world, to a world that is a reflection of the Internet, will radically accelerate. Threats that see convergence between cyber, kinetic, and disinformation vectors will likewise accelerate, and the Internet will be the centerstage of even the most kinetic conflicts. We all better become very good Internet observers, fast, when democracy, power, war, currency, identity and more move online.


Dmitri Alperovitch, Chairman at the Silverado Policy Accelerator; Co-Founder and former Chief Technology Officer at CrowdStrike 

I think we will see much more ransomware from Iran and DPRK.


Charles Carmakal, Senior Vice President and Chief Technology Officer at Mandiant

Ransomware-as-a-service operations regularly involve multiple actors/groups, each performing a specific component of the attack for a fee or a cut of the proceeds. We see conflict amongst these actors today and we anticipate the conflict will continue to escalate throughout 2022, unfortunately leading to bad outcomes for victims. Since late 2019, most “reputable” threat actors haven’t published stolen data when paid by a victim. However, we anticipate some situations where a victim’s stolen data gets leaked despite the victim paying. This could happen because a threat actor has gone rogue or they feel they didn’t get their fair share of the payment. This will force the industry to re-think paying extortion demands for the purposes of preventing the disclosure of stolen data. 

Charles Carmakal

Kevin Collier, Cybersecurity reporter at NBC News 

I think ransomware actors won’t be as geographically concentrated as they are now, with such a high proportion coming from in and near Russia. I wouldn’t be surprised to see more from North Korea and Vietnam, for instance.


Gareth Corfield, Security and Legal Correspondent at The Register

More attributions of known threat actor/APT crews to state spy agencies, having precisely zero effect in deterring them.

More RaaS crews springing up as the big-name gangs get taken down by law enforcement and/or ratted out by greedy small fry.

Gradual decrease in botnet activity as new laws (over this side of the pond, anyway) start choking off the supply of trivial-to-pwn landfill IoT crap.

Shotgun targeting (Sophos’ phrase, I kinda like it) of email spam to continue unabated.


Cory Doctorow, Science fiction author, activist and journalist

Facebook will continue to object to the kind of interoperability that will allow the hostages of its walled garden to escape its confines. Facebook will claim that the walled garden is how it keeps its users secure from the likes of Cambridge Analytica, and hope that no one points out that Facebook actually DIDN’T keep its users secure from the likes of Cambridge Analytica. In related news, Facebook will continue to insist that it is called Meta, Google will continue to insist that it is called Alphabet, Microsoft will continue to insist that it is a friend to open technology and Apple will continue to insist that its offshore billions exist in a state of pristine, tax-free bliss in an indeterminate quantum flux somewhere past the international demarkation line in the Irish Sea.


John Fokker, Head of Cyber Investigations and Principal Engineer at McAfee Advanced Threat Research.

In 2022, expect more self-reliant cybercrime groups to rise and shift the balance of power within the RaaS eco-climate from those who control the ransomware to those who control the victims’ networks.

As another prediction, I expect GO Malware to become bigger and essentially allow threat actors to build more sophisticated cross-platform malware. Right now we see GO Malware as a separate binary for *NIX or ESI systems, but I wouldn’t be surprised if this becomes more and more integrated in adversary frameworks.

And finally, I suspect an increase of data exfiltration malware that will scan more deeply for sensitive files and take care of the exfiltration since the usage of open source tools is being detected more and more. 


Eva Galperin, Director of Cybersecurity at the Electronic Frontier Foundation

Governments and law enforcement will continue to insist that they need to backdoor end-to-end encryption. Ordinary people, tech companies, and civil society will once again have to rise up and behead this stupid shambling zombie of an idea.


Meredith Griffanti, Managing Director and Head of FTI Consulting’s Cybersecurity & Data Privacy Communications practice

In 2022 I think we will see the threat actors’ extortion tactics become even more aggressive – in particular when it comes to their own ‘PR stunts.’ In 2021, we noted particularly creative outreach in effort to garner media attention for successful attacks on victims – from taking out Facebook ads, to threatening to hold press conferences, to spam email blasts to employees, to phone calls to customers, to posting Microsoft Teams chats from victims on shame sites. With the renewed spotlight on RaaS and the evolution of various threat actor groups, this kind of publicity will only grow more attractive to the adversary as they seek to secure payment. Expect to see heightened media engagement with cyber bloggers and reporters by threat actors themselves, and even more heckling, leaks and targeting of sensitive information that can be particularly damaging to the victimized organization’s reputation.


Samantha Hubner, Master’s Candidate at the Fletcher School of Law and Diplomacy; Senior Consultant at Premise Data

2022 will be a critical litmus test for the future of standardizing federal cyber security standards, particularly in securing the Defense Industrial Base (DIB) as a complex multi-tiered supply chain of sensitive information. Last month, the Department of Defense announced the Cybersecurity Mature Model Certificate 2.0 (CMMC 2.0) to address lingering concerns about standardizing, financing, and enforcing cybersecurity protocols across all levels of contractors housed within the DIB. There is a particularly fascinating new pilot program under CMMC 2.0 called Project Spectrum, created to assist small businesses like tech startups in overcoming barriers in finances, talent, and knowledge to provide more accountability toward cyber readiness, therefore aiming to achieve parity with larger, more well-resourced contracting firms. If CMMC 2.0 succeeds, this year will usher in an urgently needed new status quo for not only the DIB, but the federal cyber ecosystem more broadly.


Mikko Hyppönen, Chief Research Officer at F-Secure

The largest ransomware gangs will try to lie low during 2022. They’ve made so much money over the last few years that the risk is not worth it as international law enforcement finally reacts to the biggest cybercrime problem we have. 


Birgitta Jónsdóttir, Poetician, former Icelandic MP, former Wikileaks activist and the  co-producer of “Collateral Murder.”

We will see an ongoing erosion of human rights in cyber – in order to “protect” us. That will however not protect us from an increase in attacks where data is held hostage, nor will it stop increased boldness in hybrid warfare, where hardware in critical infrastructure will be compromised as a part of destabilization or fuelling internal conflict. China, Israel, the USA and Russia have mastered this with slight variants. Information is the new gold, accumulation of private information with biased AI in the wrong hands is an underestimated threat. Exploitation of private information breaks even the most robust firewalls if applied smartly and ruthlessly.


Chris Krebs, Partner at Krebs Stamos Group; Former Director of the United States Cybersecurity and Infrastructure Security Agency

I think we will see more coordinated activity against ransomware operators. That will involve two things: more aggressive CyberCom operations, and improved collaboration between the private and public sectors. 


Joseph Marks, Author of The Washington Post’s “Cybersecurity 202” newsletter

I predict 2022 will see:

A deterioration in bipartisan support for cyber reforms as Republicans balk at increased cyber regulations of critical infrastructure and as election security becomes once again politicized.

More global efforts to rein in the spyware industry.

At least one disruptive, headline-grabbing cyberattack that hits an industry/sector people hadn’t previously considered critical (in the vein of the Sony and DNC hacks).


Alexander Martin, Technology Reporter at Sky News

I predict the U.S. will uncover at least one espionage campaign conducted by the SVR which has very limited collateral risk but causes a lot of complaining, and at least one by China or the GRU which ends up leaving its targets exposed to quite a lot of risk.


Ciaran Martin, CB., Professor of Practice at the Blavatnik School of Government at the University of Oxford; Former and founding head of the UK National Cyber Security Centre at GCHQ

2022 will be a year to watch in the boring but crucial area of cyber economics. Cyber insurance will shrink, but might recalibrate and start to come back. Governments will get more into the regulation of security in technology products, particularly IoT. They will still talk about, but ultimately shy away from, regulating cyber security for critical infrastructure but pressure will build. And buyers, sellers and investors will – and should – start to ask more penetrating questions about the performance of cyber technological tools. Not the most exciting set of developments, but ultimately one of the most important.


Joseph Menn, Cybersecurity reporter at Reuters; Author of “Cult of the Dead Cow”

Ransomware will be democratized and more chaotic, making it even harder to stop. More regulation is coming for breach disclosure, minimal required defense, and the trade in exploits.


Patrick Howell O’Neill, Cybersecurity reporter at MIT Technology Review

The ongoing ransomware crisis will be the primary reason people shake off the techno-libertarian, anti-regulation mindset that defined how policymakers and industry thought and acted for decades and will lead – is already leading – to the realization that when the free market fails consistently and impactfully for such a long period of time, the reasonable and historical response is stepping up regulation. See: safety in every other sector ever. More people will have that very basic but important realization over the next year to the point where it might lead to actual impactful regulation with the goal of raising the floor on cybersecurity across the board. 


Nicole Perlroth, Cybersecurity reporter at The New York Times; Author of “This Is How They Tell Me The World Ends”; Member of the United States Cybersecurity and Infrastructure Security Agency’s  Cybersecurity Advisory Committee

Ransomware will continue to “pen test” the United States. The attacks will escalate in both ingenuity and destruction. We will see one or more major ransomware attacks on U.S. critical infrastructure a la Colonial Pipeline, only this time the attack will hit the OT systems directly, and perhaps it won’t be a bumbling cybercriminal organization, but a concerted state-backed exercise. We are due for more short-term pain before we see any regulation raise the minimum cybersecurity standards for businesses in critical sectors. We are overdue for the infosec-equivalent of Sarbanes-Oxley for critical infrastructure. The question is how much pain will have to happen before we get there. Also, NSO Group will go bankrupt.


Mathew Schwartz, Executive Editor at Information Security Media Group

Ideally in 2022, the vast majority of businesses will ensure they have top-notch defenses, robust offline backup/recovery, and well-practiced incident response plans ready to activate at a moment’s notice. Youngsters won’t build the next loader, botnet, crypto-locker or mixer. All cryptocurrency exchanges will apply know-your-customer and anti-money-laundering rules to help blunt the flow of illicit profits. And as a result, digital extortion won’t continue to be so incredibly lucrative for criminals — never mind business email compromise attacks and all the other big earners.

But I’m not holding my breath. Not to be cynical, but I suspect 2022 will be a repeat of 2021, in that we’ll see the profits on offer from ransomware payoffs driving criminals old and new to maintain the pace of attacks. To keep profits healthy, also expect more innovation from attackers. Perhaps they’ll target small and midsize firms more, to try and better stay under law enforcement’s radar?  Or move away from data-leak sites to make attackers tougher to trace? Stay tuned.


Audra Streetman, Security Strategist at Splunk SURGe

Ransomware, third-party risk, and supply chain attacks will remain a significant threat in 2022. A coordinated, multilateral approach is needed to disrupt the ransomware business model. It is encouraging that the United States recognizes ransomware as a national security issue and is working with international partners to arrest and prosecute cybercriminals. In the year ahead, governments may introduce regulations for the cryptocurrency market and legislation to expand GDPR-style data privacy protections in the U.S. and abroad. Enterprise cloud migration will continue in 2022 with a shift to cloud-native approaches. Organizations will also need to address the cybersecurity skills gap by removing barriers to employment and providing on-the-job training to fill positions.


Joe Tidy, Cybersecurity Reporter at BBC News

I think we will see the end of large-scale ransomware attacks. They won’t die off entirely but they will become just another potential form of attack and no longer the biggest boogeyman in cyberspace. The reason I think this is that I have a glass half-full perspective and also the pressure building on the gangs is just too great. We’ve already seen the big bads of Darkside and REvil go and I think the landscape outside of Russia and within is becoming more tough for the groups. Will another form of cyber attack rise from somewhere else in the world? I hope not!


Joe Uchill, Cybersecurity reporter at SC Magazine

One of the more interesting trends year over year and even quarter over quarter seen by the insurance and legal professionals who handle ransomware attacks after the fact is that a lower percentage of victims seem to be paying ransoms. That appears to be due to a number of factors – including Emsisoft’s ability to intervene in a lot of attacks using a decryptor. But there are systemic factors as well – enterprises seem to be doing a better job segmenting networks, producing back-ups and generally improving resiliency. And actors seem to be doing a worse job successfully exfiltrating important files to use in secondary extortion, though that may improve with actors gaining experience. It’s a good sign overall that – fingers crossed – might continue into next year. But there are some caveats: making less profit per victim might mean making up the difference in volume, and ransomware groups have been pretty good at coming up with new ways to pressure victims when old approaches get stale.


Tom Uren, Editor of “Seriously Risky Business”; Fellow at the Australian Strategic Policy Institute

It’s a mug’s game to make predictions… but here we go anyway.

The big picture truth for cyber security is that governments and leaders everywhere are recognizing that cybersecurity is important and actually starting to do something about it. This means more regulation to provide sticks and carrots to get it right.

Increasing effort will result in cyber security improvements, but ‘security debt’ has built up over decades, so it’ll take decades to fix. As various problems and bug classes get identified and ‘fixed’ new types of bugs will be found and the merry-go-round will continue.

So we’ll see more logic bugs, and perhaps hardware and IoT bugs as entry vectors. Ransomware will moderate some, but won’t go away. I’m not yet worried that cyber security news will dry up.


AJ Vicens, Cybersecurity reporter at CyberScoop

The five eyes countries will become more aggressive with offensive security for ransomware actors, limiting the overall numbers somewhat, but making the targets juicier and bigger. The continued overlap between ransomware and intel/geopolitical purposes is going to be very interesting. DC will come forward with some policies that look good but a) won’t have broad agreement and b) will be very hard to implement. The smart stuff that does get agreement and funding will take too long


David S. Wall, Professor of Criminology at the Centre for Criminal Justice Studies, School of Law, University of Leeds

In a nutshell, the attackers will become even more adaptive, cunning and sophisticated, but cybersecurity and law enforcement will also become more effective and begin to close the gap. 

On the negative side:

On the positive side:

One thing is for sure, cybercrime is here to stay and the cybersecurity industry will continue to grow.


Neil Walsh, Chief of Cybercrime at the United Nations 

Threats will continue to evolve, yet the majority will remain “low hanging fruit” which may have been mitigated in advance had one had the time or resources.  Most CEOs will continue to see “cyber” as an “IT problem”. Threat vectors will continue to develop at a pace which leaves policy makers bewildered. Some major social media companies will do something that leaves many aghast yet unsurprised. And lastly – someone better will take on my job!


Jake Williams, CTO at BreachQuest; Senior Instructor at the SANS Institute; former hacker the United States National Security Agency.

I think in 2022 we’ll see a rise in vendor email compromise where threat actors compromise an organization’s email servers not to explicitly target them, but as a tool to target their business partners, customers, etc. We’ve seen variations of this attack for years, but it’s definitely on the rise. I believe some threat actors are seeing it as a “safe” revenue replacement model for more risky ransomware operations.


Josephine Wolff, Associate Professor of Cybersecurity Policy at The Fletcher School at Tufts University

Lots more policy initiatives (mainly proposed, but a few passed at both the federal and state level) to require organizations to report ransomware incidents and/or report the payment of ransoms; more attempts by policymakers to sanction specific cryptocurrency exchanges and recipients of cryptocurrency payments to cut down on ransom payments; and a strong incentive, as these policy initiatives ramp up, to assert that ransomware is decreasing and these measures are working even in the absence of any long-term data to back up those assertions (i.e., small, temporary dips in ransomware cases may give rise to overly triumphant claims on the part of regulators that their policy and diplomatic efforts are making a difference when, in fact, those changes may be short lived and unrelated to such efforts).


Fabian Wosar, Chief Technology Officer at Emsisoft 

I don’t think the recent arrests will have any major influence. The reality is, even the people that were caught are just small fish. Is it reason to celebrate that $6 million of REvil proceeds have been recovered during recent arrests? Yes. Is it in any way, shape or form significant given how much REvil ransomed over the years? I argue not.

Ultimately, ransomware threat actors will start taking operational security much more seriously. Most of the operators and key figures in these RaaS have always been very security conscious, as can be seen from the fact that the vast majority of arrests were affiliates and money mules – not the actual operators behind the operations.

I wouldn’t be surprised if the ecosystem as a whole will move towards more frequent rebranding. Evil Corp, for example, create new fake personas for every major victim and retire them immediately, making linking victims to affiliates and groups more difficult. Frequently rebranding may also enable groups to stay of the spotlight for longer. 

Putting identifiers into ransomware payloads that identify specific affiliates or groups has always been a rather stupid idea on the threat actors’ side and was bound to cause trouble eventually. It’s like leaving an anonymous card behind at every victim you hit. Sure, the card doesn’t tell who you are, but it is enough to cluster victims and look for patterns, combine the money trails, and ultimately allow the perpetrators to be caught. I expect this trend to end. 


A note of thanks 

We would like to extend our sincere thanks to everybody who shared their thoughts. Tackling cybersecurity challenges requires a collaborative effort, and we’re lucky to have such passionate, talented and insightful humans working for the right side. #TeamSport



Writer. A picture is worth a thousand words but unfortunately I can't draw. The world of IT security has always fascinated me and I love playing a small role in helping the good guys combat malware.

What to read next