Given the accuracy of DT’s 2016 predictions, it’s exciting (and unnerving) to present DT’s 10 Scary Security Predictions for 2017.
- IoT zombie army (the sequel) – from TVs to toasters, people are connecting everything to the Internet, a little too carelessly. In 2016 the Internet of Things (IoT) was used as a force-multiplier in DDoS attacks. This was only a dress rehearsal and the attacks will get more sophisticated in 2017. Expect to see:
  - Web Infrastructure Attacks – attacks like DynDNS at a larger scale.
  - Utility Infrastructure Attacks – thousands of pieces of SCADA, PLC and ICS equipment are unprotected and exposed to the internet. Most of these are connected to critical infrastructure that could impact human life in significant ways. For example, recently a Ukrainian power company was attacked and could not deliver power to its customers. Temperatures that day ranged from 30.2F to 15.8F – reportedly nobody was hurt, but a longer outage without power would be a problem.
  - Human Life-Threatening Attacks – IoT may become an assassination tool this year. Connected pacemakers, insulin pumps and, let’s not forget, cars.
  - Expect other new forms of IoT activity – for example, swarms of “things” used as relays or conducting passive and active recon.
- Pre-emptive hacking by government – this happened with no congressional debate or vote. According to this, if you are using TOR or a VPN service, or if you are infected by malware, the FBI can hack you without a warrant to understand what kind of a threat you are or, in the case of malware infections, to identify the culprits (or to fulfill their jump-host quotas to launch attacks against whatever target), and they don’t even have to tell you. It’s the dawn of a new Internet era. Minority Report, anyone?
- Get ready for GDPR – U.S. companies doing business in the E.U., or with U.S. citizens who reside in the E.U., will need to comply with GDPR requirements. The effective date isn’t until May 2018, but compliance will require planning, investment, and ongoing reporting to keep the regulators and consumers happy. Three main things to watch for are the requirement for each affected company to appoint a Data Privacy Officer (DPO), the fact that data subjects have new rights (including the right to be forgotten, to data portability, and to be informed of data breaches), and that there are steep fines for non-compliance.
- Machines learn to hack – machine learning will result in more sophisticated and harder-to-attribute attacks, ranging from phishing and DDoS to Automated Target Selection and others. With Mirai-like IoT attacks, the capacity of humans to respond will significantly diminish and security workflow automation will gain importance. At DEFCON24 this year DARPA had its CyberSecurity Grand Challenge All-Machine Hacking Tournament; the goals included reverse engineering unknown binary software, authoring new IDS signatures, probing the security of opponent software, and re-mixing defended services with machine-generated patches and defenses.
- Cyber-warfare on the rise – increasing global tensions, constant use of cyber-warfare to impose political will, and the rejuvenation of nationalism have increased paranoia levels worldwide. Nations are rightfully improving their defensive positions. In 2017 expect an increase in tensions to the point where citizens will become indifferent to surrendering their freedom in exchange for security. Cyber-gangs will join forces with nation states to deliver intelligence in exchange for a harassment-free work environment. Expect more cyber-mercenaries in the form of “black hat-as-a-service” (BaaS). Despite growing awareness, expect an increase in fake news and perception management operations.
- Spending on data breaches & cyber threats continues unabated – consider it a component of industrial espionage via cyber-warfare. As nation state involvement in cyber-warfare increases, expect more attacks on financial systems. In 2016 the SWIFT system experienced sophisticated attacks on its infrastructure, and attacks like this will continue. The shift toward smarter infosec spending will begin; more mature organizations will move towards risk-focused infosec to make the most of their investments. Measuring the performance of the Information Security organization will be increasingly important.
- Gap of cybersecurity professionals addressed with automation – with a 1.5 million-person shortfall of cybersecurity professionals expected by 2020, and with over 62% of organizations believing themselves understaffed, it would be impossible to close the talent gap in 12 short months. To help fill the gap, expect companies to focus on workflow automation and expert systems.
- International intelligence sharing picks up – as terrorism and other undesirable activities increase globally, the U.S. and its partners, even the reluctant European ones, will increase intelligence sharing. The paradox is that national interests mean less desire to share on topics related to economic competitiveness and innovation, and groups of nations like the E.U. care a great deal about privacy protection and will enact measures to achieve this (GDPR). That said, addressing the global nature of terrorism requires collaboration and communication; how this is accomplished amidst conflicting regulation remains to be seen.
- Need for regulation increases, but deregulation is on the rise – as the attack surface grows, starting with 30B “things” in the IoT by 2020, there will be a massive push by the markets and most governments for increased regulation across industries. That said, the new U.S. administration has an expressed focus on deregulation, and the middle ground is little to nonexistent. The end result is that what is already a typically time-consuming effort to enact and establish regulation will become further bogged down in bureaucracy and lobbyist infighting. Net net – don’t expect much progress in 2017.
- Blockchain-based businesses proliferate – thanks to Satoshi Nakamoto, the inventor of the bitcoin protocol, there is blockchain. Bitcoin’s underlying technology, once vilified, is now loved by large corporations and even governments. What began with the FinTech blockchain frenzy (smart contracts) is expanding. The distributed nature of blockchain is a better fit for the IoT than for FinTech (as FinTech’s ultimate goal is to centralize transactions to maintain control), and as the Internet of Things grows, the need for securing inter-device transactions and authenticating devices becomes greater. Overall, blockchain is a promising technology for satisfying these requirements in a distributed manner; expect the number and nature of products in this space to grow.