It takes vision to spot a trend. With global offerings in digital business consulting, managed application services, workplace and cloud solutions, and data center and edge computing, NTT has a unique vantage point from which to comment on cybersecurity strategy. NTT’s deep bench in cryptography, including the NTT Research Cryptography & Information Security (CIS) Lab, also provides it with insight into the cybersecurity threats and opportunities on the more theoretical level.
What trends do NTT experts see having a major impact on the security landscape of 2024 and beyond? Here are four answers from the practical side, also unveiled in this NTT press release, and a fifth that provides several more points from an academic perspective.
Leveraging AI. Both criminals and cybersecurity experts will be leaning on AI in 2024. “Cyber criminals and state actors are already taking advantage of generative AI to create phishing campaigns, write malicious code or identify vulnerable systems to exploit,” NTT Chief Cybersecurity Strategist Mihoko Matsubara said. “However, AI capabilities are not only being used for nefarious purposes. Cybersecurity professionals have also found generative AI helpful to automate some tasks, data analysis and vulnerability research.” NTT Security, for instance, has noted that generative AI can very quickly and efficiently identify phishing sites.
Safeguarding Elections. Experts anticipate more attempts at electoral subversion. Malicious actors, for instance, will likely use generative AI and bot farms to disseminate misleading or false content during upcoming presidential campaigns in Taiwan and the United States. Implementing cyber and physical countermeasures will be critical to maintaining public trust. “The ability to validate and log results manually to address questionable issues will become increasingly important in the United States,” NTT Security CISO David Beabout said. “This shift toward resiliency and result validation is expected to gain more prominence in 2024.”
Implementing Zero Trust. As the threat landscape has evolved far beyond traditional network-based perimeters, Zero Trust has shifted from buzzword to strategic cornerstone. “The concept of Zero Trust is all about risk-based management and continuous process,” NTT CSIS Visiting Fellow and Senior Manager of Cybersecurity Taro Hashimoto said. “This includes the implementation of a variety of underlying technologies, including Identity and Access Management (IAM), Endpoint Detection & Response (EDR), Cloud Access Security Broker (CASB), Data Loss Prevention (DLP), Security Information and Event Management (SIEM), etc. that seamlessly integrate within an organization’s cybersecurity strategy.”
Prepping for Y2Q. When Years to Quantum (Y2Q) reach zero, the cybersecurity threat posed by cryptographically relevant quantum computers will no longer be speculative. Preparation is already underway, with the U.S. National Institute of Standards and Technology (NIST) leading an initiative to shore up defenses. “With NIST’s expected release of more PQC (post-quantum cryptography) standards in 2024, industries, governments, and others are expected to begin ramping up their migration planning efforts,” NTT Research President and CEO Kazuhiro Gomi said. “This is based on the concern that malicious actors are currently collecting ongoing communication data and could compromise security once scalable quantum computers become available.”
Advancing Cryptography. Academic cryptographers are not on the frontlines of cybersecurity practice, but their work nonetheless impacts the field, if sometimes over extended timelines. The emergence of attribute-based encryption (ABE) as a commercialized offering, 18 years after its introduction in a conference paper co-authored by CIS Lab Director Brent Waters, is a case in point. Reviewing research milestones in 2023, Dr. Waters points to two notable results that could affect the future, and looking ahead to 2024, identifies one area of growing interest:
- One of the Best Paper Awards at Crypto 2023 went to a paper by Keegan Ryan and Nadia Heninger titled “Fast Practical Lattice Reduction through Iterated Compression.” (Dr. Henninger is on the faculty at UCSD and spent part of her summer in 2023 visiting NTT Research.) Lattice-based cryptography, which is believed to be quantum resistant, is a leading popular replacement for classical algorithms. Lattice reduction is part of many attack algorithms, making it of interest to cryptographers. “When setting the security parameter or keysizes of such primitives, it is important to have a reasonable estimate of what the best attacks are so one can put the keysize out of reach of such attacks, but not so high that one unnecessarily loses performance,” Dr. Waters said. “The [Ryan, Henninger] paper greatly improves on existing lattice reductions and makes interesting theoretical contributions, as well as provides usable software for their algorithms.”
- Also noteworthy, according to Dr. Waters, was a paper by Wei-Kai Lin, Ethan Mook, and Daniel Wichs presented at STOC 2023 and titled “Doubly Efficient Private Information Retrieval and Fully Homomorphic RAM Computation from Ring LWE.” It also won a Best Paper Award. (Dr. Wichs is a Senior Scientist in the CIS Lab and on the faculty at Northeastern University.) “The authors solved a long standing question of whether one could achieve private search with a server that did not need to touch every piece of data in its evaluation,” Dr. Waters said. “This result was quite surprising to the community. Interestingly, it brought together ideas from both cryptography and data structures.” A hypothetical use case is an encrypted version of the Google search engine that would enable users to search the internet privately.
- Dr. Waters said expanding private search queries to private interactions with AI systems is a potentially new area of academic research going forward. Interest in this topic reflects the explosion in the use of large-language models like ChatGPT over the past year. “Whenever I have used ChatGPT, it is always in the back of my mind that there are no guarantees about the privacy of my interactions,” Waters said. “One could imagine that such interactions might be even more sensitive than standard search queries.”
