2022 Cyber Predictions: Former White House Chief Strategy Officer Weighs In on MITRE ATT&CK and More

This is part of our 2022 cybersecurity predictions series. Top leaders from across the industry shared what cyber could bring in the new year.








Jonathan Reiber, Senior Director of Cybersecurity Strategy and Policy at AttackIQ and former White House Chief Strategy Officer:


Over the coming year, trends indicate an increased focus on cybersecurity prioritization at the organizational and national level to improve cybersecurity effectiveness.


A year after the SolarWinds intrusion and approaching the one-year anniversary of the Colonial Pipeline ransomware attack, the country is focused on improving cybersecurity for high priority critical infrastructure. At the national level, this includes identifying which organizations require the most federal cybersecurity support; at the organizational level, it includes identifying which priority assets to protect within an organization, and then making sure that they are effectively protected.

Trends indicate that the national prioritization discussion in Congress will take on the form of macro-level catastrophic risk analysis for managing top-tier risks to the country. Building on earlier analysis of companies across the United States that could present a strategic risk to the country if disrupted (known as the “Section 9” list), Congress will deliberate about how the federal government can help manage systemic cybersecurity risks to the U.S. economy and society, to include mission-critical functions in key sectors like healthcare, elections, and energy. This will logically include a discussion of expanding CISA’s authorities, roles, and missions.

As the federal government expands its zero trust architectural investments following the Biden administration’s 2021 executive order, federal agencies should improve their defensive capabilities for high-value assets in federal networks. Zero trust takes time and effort to deploy effectively, and after the publication of the May executive order, trends would indicate that zero trust capabilities should be operational in the first half of 2022. As the federal government adopts the practice, more private organizations will follow suite, building higher walls around high-value assets.

Over the course of 2022, MITRE ATT&CK will continue its movement from a niche tool used by experts to become a foundational element of cybersecurity management with increasing resonance in the C-suite.


The result will be a broader adoption of the practice of threat-informed defense. MITRE ATT&CK is a globally available, free, open framework of known adversary tactics, techniques and procedures (TTPs ), published in 2015, and has codified for the first time the cybersecurity industry’s collective intelligence about adversary behaviors. MITRE ATT&CK has taken hold amongst a cadre in the cybersecurity industry, particularly in the financial, information technology, and public sectors, as they work to test their defenses against known threats. To date, however, many in the corporate sector and in the media are only vaguely aware of MITRE ATT&CK and how it works. This is changing.

The last year saw the increased use of MITRE ATT&CK to describe attacker behaviors and help defenders prepare for what’s coming next. For example, CISA used ATT&CK to describe the behaviors of the SolarWinds intruder and the Colonial Pipeline ransomware attack, focusing defenders on the adversary’s threat behaviors and offering clear mitigation recommendations. The increased use of ATT&CK accompanied a shift in the industry away from a focus on meeting cybersecurity standards and towards outcomes-driven metrics for measuring security success. On the one-year anniversaries of the SolarWinds attack and discussion and the Colonial Pipeline attacks, senior leaders will look back at their organizations over the last year and ask: after a year, are we prepared for the most dangerous threats that we face? Are we sure we can defend our most important assets? They want to see results.

As private companies and government agencies continue to use ATT&CK as a tool of defense operations and public communications, and as more people begin to recognize it as a foundational element for countering ransomware (in particular), ATT&CK will continue to elevate within corporate structures and the mind of the public, moving the world further towards a threat-centric view of cybersecurity. Senior executives should know how well their defenses perform against key threats.

The connection between healthcare services and technology will continue to tighten, elevating risks in the healthcare sector -- particularly from ransomware – driving further investments in telehealth functions, like mobile technology, and enterprise cybersecurity.


Telehealth and other technological innovations accelerated under the pandemic, and while access to telehealth has improved patient care under extraordinarily difficult circumstances for patients and doctors and IT departments alike, it has increased risks and forced security teams and application teams into a sprint. According to IBM’s Cost of a Data Breach Report, the average cost of a healthcare breach increased almost 30 percent (by over $2 million) in 2021. Over the coming year, threats to the healthcare industry will spur continued maturity in the sector’s approach to cybersecurity. The healthcare sector will continue to be an early mover in grasping the benefits of a threat-informed defense and MITRE ATT&CK, principally for getting ahead of ransomware.

Trends indicate increasing pressure to regulate the spread of disinformation on social media, including with practical recommendations for amending Section 230 of the Communications Decency Act.


Over the last two years, pressure rose in Congress and the executive branch to regulate Section 230, and increased following the disclosures made by Frances Haugen, a former Facebook data scientist, who came forward with evidence of widespread deception related to Facebook’s management of hate speech and misinformation on its platform. Concurrent to those disclosures, in mid-November the Aspen Institute's Commission on Information Disorder published the findings of a major report, painting a picture of the United States as a country “in a crisis of trust and truth,” and highlighting the outsize role of social media companies in shaping public discourse.

Building on Haugen’s testimony, the Aspen Institute report, and findings from the House of Representatives Select Committee investigating the January 6, 2021, attack on the U.S. Capitol, we should anticipate increasing regulatory pressure from Congress. Social media companies will likely continue to spend large sums of money on lobbying efforts to shape the legislative agenda to their advantage.

The crackdown on spyware and hacking tools will continue and could lead to a consequent development of spyware capabilities on the global black market. On the defensive side, trendlines indicate a growth in mobile device cybersecurity solutions.


In November, 2021, the U.S. Department of Commerce blacklisted the NSO Group, prohibiting American companies from doing business with the firm without specific U.S. government authorization. The move was a clear punishment of a group that had enabled criminal activity and helped autocratic governments spy on vulnerable and dissenting groups within their own borders and globally. Over the coming year we will see coordinated international efforts to curtail the spread of digital espionage technologies and curb the technologically enabled repression of marginalized and dissenting voices abroad. Autocratic governments will continue to use spyware to serve their objectives, and the spyware market will turn increasingly black as a result of international pressure against it. We can expect an increase in spyware development from researchers within the People’s Republic of China, the Russian Federation, Belarus, and other autocratic regimes that openly reject international norms. On the defensive side, following a year of highly publicized spyware attacks on mobile phones, logic would stipulate increased attention on mobile device cybersecurity.


###