2022 was a busy year for digital security. In our connected world, threats are increasing, and digital trust has never been more critical so that users have confidence in their digital interactions.
This post will review what occurred this year in digital trust. Additionally, don’t miss our security predictions for 2023.
DigiCert News
- In October, DigiCert welcomed Dr. Amit Sinha as CEO and member of the DigiCert Board of Directors. Sinha brings over 20 years of technology, strategy and operational experience from Zscaler, Motorola, AirDefense and Engim. Sinha’s leadership will ensure the right focus and strategy to help DigiCert define digital trust for the real world and continue to accelerate its leadership in digital trust.
- DigiCert acquired IoT cybersecurity provider Mocana, enabling end-to-end IoT security and quickening time to market for IoT device manufacturers and operators. The combination of DigiCert and Mocana provides customers with a comprehensive platform for managing security across the full IoT device lifecycle.
- Earlier this year, DigiCert acquired DNS Made Easy, a provider of managed Domain Name System (DNS) services for enterprises. This expands DigiCert’s digital trust portfolio and will enable DigiCert to offer a seamless approach to certificate lifecycle management.
- DigiCert is also partnering with researchers at UC San Diego and Stanford to prevent future DNS attacks by understanding DNS hijacks, identifying maliciously obtained certificates and building countermeasures.
- DigiCert Secure Software Manager now supports the GPG keyring. For those who need to sign code on Linux or sign git commits, or who need OCI-compliant container signing with Red Hat tools, this is a significant milestone.
- DigiCert, partnered with EONTI, was selected by the Western Canadian NG9-1-1 network operator to secure the next generation of 911 systems.
IoT
- The Connectivity Standards Alliance (CSA) released Matter 1.0 on Oct. 4 and DigiCert’s Root Certificate Authority (CA) became the first Matter-approved root CA by the CSA for Matter device attestation, allowing for rapid time to market for smart home manufacturers and automatic security for customers. Matter has been a multi-year project, bringing together all the biggest names in smart home manufacturing, including Apple, Google, Samsung and more to create a reliable, secure way for devices by different manufacturers to interoperate. DigiCert has been highly involved in Matter and can help manufacturers achieve compliance with device attestation.
- Google Cloud announced plans to shut down its IoT Core service by August 2023, which surprised customers and industry specialists. A year to transition seems like a generous runway, but why the change now, and are they doing the right thing? Google IoT Core customers searching for alternatives should consider DigiCert for Connected Devices.
- The U.S. PATCH Act was put forward recently, which would make it easier for medical device manufacturers to patch devices. It would also require manufacturers to follow security best practices for the design, development and maintenance of these devices.
Email
- The S/MIME Certificate Working Group of the CA/Browser Forum, chaired by DigiCert's Stephen Davidson, approved the S/MIME Baseline Requirements, the first standard for CAs issuing publicly-trusted digital certificates used in email security. The new Baseline Requirements are expected to take full effect in September 2023.
- VMC adoption continued to grow this year, with new Email Service Providers (ESPs) like Apple deploying it and additional trademark (TM) options approved for VMC, moving closer to a world where customers can see your logo in every email sent. Additional countries were added in Gmail for TMs, including: France, Netherlands, Switzerland, Denmark, Sweden and New Zealand. Learn more about BIMI and VMC at https://www.digicert.com/support/resources/faq/email-trust/what-is-bimi-and-why-is-it-important.
Browser
- Microsoft retired Internet Explorer on June 15. Internet Explorer had been in service for about 27 years, and Microsoft is retiring it in favor of the newer Microsoft Edge. If users still open Internet Explorer, Microsoft plans to temporarily redirect them to Microsoft Edge.
- Chrome announced a new Root Program in a blog post in September. Previously, Chrome relied on the root store of the platform it was running on, but with this move Chrome will have a consistent, more secure root store across all platforms, with minimum requirements that all CAs must meet to be trusted in its Root Program. We covered the Chrome Root Program and its requirements in more detail in our June recap of the CA/Browser Forum: https://www.digicert.com/blog/ca-browser-forum-recap-june-2022.
European standards
- The E.U. announced its first move toward IoT cybersecurity legislation, the first E.U.-wide legislation that will impose cybersecurity rules on manufacturers and enforce massive fines and penalties on manufacturers and developers for failure to comply. For E.U. consumers, this is a major step forward in giving them better purchasing power and trust in their devices. The EU Cyber Resilience Act is currently still being examined by the European Parliament, but once passed, manufacturers will have up to two years to comply.
- The European Parliament and E.U. Member States reached an agreement on a directive on measures for a high common level of cybersecurity across the Union in early May. The existing rules were the first E.U.-wide legislation on cybersecurity; however, an update was needed to offer more digital trust amidst increasing
- The legislative process for updates to Europe's eID and electronic transactions laws (known as eIDAS2) is in advanced negotiations and expected to move to a vote in 2023. One important goal is to foster a Europe-wide eID scheme, with interoperable digital wallets provided by each eID country. The goal is to have 80% of EU citizens regularly using eID by 2030.
- Switzerland’s Federal Council announced that the new data protection law will enter into effect on Sept. 1, 2023. The Data Protection Act (DSG) is designed to ensure that Switzerland maintains a high level of data privacy compatible with E.U. regulation for cross-border data transmission to continue without additional requirements.
U.S. standards
- The White House hosted a meeting with tech industry leaders in October to create a new standard for security labels for IoT devices, planned to launch in spring 2023. This security “nutrition label” will help consumers easily access information about their smart devices, such as known vulnerabilities and interoperability with other products.
- NIST, the U.S. National Institute of Standards and Technology, outlined what IoT and software security labels could look like. Similar to nutrition labels, these labels would give consumers more information about their purchase, specifically in regard to the privacy and security of the device or software.
- President Joe Biden signed the CHIPS and Science Act into law in early August. The legislation will provide billions in incentives to chip manufacturers and will fund public research to help boost the United States’ competitive edge and solve supply chain issues. As chip manufacturers move operations to the United States, they should partner with a leader in digital trust capable of helping them inject trust into their silicon and manage it at any stage in the product lifecycle.
- The FBI announced that it will form a digital currency unit specializing in blockchain analysis and virtual asset seizure. The announcement comes after the largest virtual asset seizure to date, with the FBI charging a New York couple with laundering over $4.5 billion in bitcoin.
Quantum
Vulnerabilities
- According to cybersecurity researchers at Proofpoint, hackers have been increasingly finding ways around multi-factor authentication (MFA), including using phishing kits. Phishing kits allow attackers to harvest and use credentials and are typically inexpensive. Newer kits enable hackers to steal not only usernames and passwords but also MFA tokens and more.
- GitHub announced that it will start using code signing for its npm software packages to protect its open-source registry. The move comes after vulnerabilities like Log4Shell raised concerns that there is no guarantee that open-source packages on npm are built from the same source code that’s published. Signing builds will authenticate where the software came from, adding another layer of digital trust.
- Meta Platforms announced that it would notify about a million Facebook users that their account credentials may have been compromised, after it identified more than 400 malicious Android and iOS apps that tricked users into sharing their login information. Apple and Google have both removed the apps, and Meta says it will be sharing tips to help potential victims avoid compromising their credentials with problematic apps.
Data breaches
- A recent survey found that about half of businesses from over a dozen countries have experienced a data breach in the last two years. The study found that data breaches are increasing, and with an increasing threat landscape comes increased costs and resources spent in remediation.
- Nearly $2 million worth of NFTs were stolen in just three hours in an apparent phishing attack. The attack targeted OpenSea users using a vulnerability in the open-source standard underlying most NFT smart contracts. The attackers were able to reuse valid digital signatures on partially completed contracts to transfer the assets to their own wallets.
Malware
- In what experts are calling a parallel cyberwar, Russia has been attacking Ukrainian sites with malware. On the day of Russia’s first ground attack on Ukraine, an Estonian cybersecurity group detected malware affecting computers at a Ukrainian bank and Ukrainian government agencies.
- Furthermore, the U.S. Cybersecurity and Infrastructure Security Agency and the FBI advised that both public and private organizations implement “shields” to protect against potential Russian cyberattacks, including malware.
- In January, hacktivists claimed to have infected the Belarus rail system with ransomware to stop Russia from advancing into the country. On Twitter, they announced that they would only offer the decryption key if Belarus President Alexander Lukashenko agreed to stop aiding Russian troops and to release political prisoners in need of medical assistance. This attack was the first of its kind to be used in this way.
- Researchers warned that attackers are increasingly using fake Microsoft and Google software updates to spread malware. HavanaCrypt is the latest ransomware to attempt fake updates in Windows 10, Microsoft Exchange and Google Chrome.
- In August, GitHub was flooded with about 35,000 clone project files that stored malware. While it’s common to clone open-source projects among developers, in this case, attackers cloned legitimate projects but added malware to them and reposted them to GitHub. GitHub has since removed most of the malicious repositories.
TLS/SSL
- On July 21, it was publicly confirmed that Entrust suffered a cyberattack on June 18. Their internal network was breached by a third party, and corporate data was stolen. However, it is not yet known if customer and/or vendor data was stolen. Entrust sent a security notice to their customers on July 6 letting them know of the data breach, saying that “we have found no indication to date that the issue has affected the operation or security of our products and services.”
Get the IDC whitepaper, Digital Trust: The Foundation for Digital Freedom, to read more about digital trust: what it is, how it works, and why it must be a strategic initiative for any organization, including yours.