It is important but difficult to stay current with relevant issues in our industry. Cybersecurity is furiously changing, fast in pace, and rising in global importance. Professionals must keep abreast not only with what is happening today, but also with what is emerging on the horizon and heading our direction. Security becomes stronger when professionals collectively explore ideas and actively collaborate on developing better practices. As a cybersecurity strategist, my eyes are fixed on the future risks and opportunities. Here is my list of what we all must learn, discuss, and deliberate about now, so that we can be prepared for what lies ahead.
Integrity attacks will become the next wave
One constant in cybersecurity is the continual rise in sophistication and creativity of the threats. We are seeing the beginnings of a fundamental expansion to attackers’ techniques. Integrity compromises will rise and join the more familiar confidentiality (for example, data breach) and availability (denial-of-service) attacks. Integrity attacks undermine the trust of transactions and communications. Ransomware, business email scams, and financial transaction fraud are all growing examples of integrity compromises. This third wave will bring about significantly greater impacts due to their nature, the lack of available security tools, and weak processes to manage the risks. We are already witnessing savvy attackers making hundreds of millions of dollars in a single campaign and will likely see a billion-dollar heist by the end of the year. Everyone is at risk.
• The Great Bank Robbery: Carbanak cybergang steals $1bn from 100 financial institutions worldwide
• $2.3 Billion Lost to CEO Email Scams: FBI Warns of Dramatic Increase in Business E-Mail Scams
• Bangladesh Bank Hack: How a hacker’s typo helped stop a billion dollar bank heist
IoT Security: Digital life-safety and privacy issues meet consumers
Our insatiable desire to integrate technology with our lives is changing the equation of security and safety. With the growth of the Internet of Things (IoT) predicting that devices will increase from 15 billion to 200 billion by 2020 and the focus by attackers to gain more access to critical capabilities, we may be unwittingly handing life-safety controls to the cyber threats. Such devices capture our conversations, video, health, activities, location, conversations, relationship connections, interests, and lifestyle. Will personal discretion and privacy survive?
IoT security is a huge and complex topic in the industry, earning the attention of everyone from researchers to mainstream media. Although transportation, healthcare, critical infrastructure, and drones capture most of our interest, connected devices and sensors are destined to be interwoven throughout businesses and across all walks of life. The benefits will be tremendous, as will the accompanying risks.
• Growth of global IoT Security Market To Exhibit 55% CAGR As Threat Of Security Breaches Rises
• Trust and security fears could hold back the Internet of Things
• IoT and Privacy: Keeping Secrets from your Webcam
• Police called after ‘drone’ hits plane landing at Heathrow
Ransomware: the next scourge
The rise of ransomware has been phenomenal, fleecing hundreds of millions of dollars from consumers, businesses, and even government agencies. This financial windfall for cybercriminals will fuel continued innovation, creativity, and persistence to victimize as many people as possible. The threat has found a soft spot, taking advantage of human frailties while targeting something of meaningful value to the victim, then offering remediation at an acceptable price point. This form of extortion is maturing quickly, exhibiting a high level of professional management, coding, and services. Ransomware is proving very scalable and difficult to undermine. It will surely continue because it is successful. Can it be stopped? How can people and businesses protect themselves? Will security solutions rally? What will we see next in the rapid evolution of ransomware?
• Cyber Threat Alliance report: Lucrative Ransomware Attacks – Analysis of the CryptoWall Version 3
• US Computer Emergency Readiness Team: Ransomware and Recent Variants
• Hospital Declares ‘Internal State of Emergency’ After Ransomware Infection
The hidden long-term impacts on cybersecurity?
The industry looks at cybersecurity as a series of never-ending tactical issues to be individually addressed. This is a symptomatic perspective, when the reality is a systemic problem. The real impacts on the future are hidden from view and are staggering. It is time we mature our perspectives and see the strategic problem and opportunities. Estimates range from $3 trillion to $90 trillion of global economic impact by 2030. We as a community must understand the scale of the challenges and how addressing security in a tactical manner is simply not sustainable. This challenge has become a deep intellectual discussion topic among cyber strategists. How do we change the mindset from short-term expensive fixes to a long-term effective treatment at a holistic level?
• The Hidden Costs of Cyber Attacks
• Cybercrime may cost $2 trillion by 2019
• $90 trillion dollars cyber impact for one scenario affecting the global benefits of Information and Communications Technologies by 2030
• $3 trillion aggregate economic impact of cybersecurity on technology trends, through 2020
Battle for security leads to hardware
As attackers evolve, they get stronger, smarter, and more resourceful. We have a cat-and-mouse game between the threats and the pursuing security capabilities. The trend is for attackers to move further down the technology stack. Each successively lower lever affords more control and the ability to hide from the security above. The most advantageous position is in the hardware, where the root-of-trust originates. The game is afoot. Advanced researchers and attackers are looking to outmaneuver security by compromising the hardware and firmware of devices.
Traditional defensive structures must also advance to meet the new challenges. Security features embedded or enhanced by hardware can be incredibly powerful to support effective defenses and visibility, even against the most advanced attackers. Control of hardware and firmware will play an ever greater role in protecting technology and users. Who will win?
Job crisis in cybersecurity
Cybersecurity is in dire straits. There are not enough talented security professionals to fill the need. In a few years, there will be an estimated 1.5-2 million unfilled cybersecurity positions. This absence will have a catastrophic effect on securing people and technology. Organizations have two problems: finding candidates to fill open positions and retaining the professionals they currently have from lucrative competitive offers. The disparity between supply and growing demand drives up salaries, spurs aggressive headhunting, increases the costs of security operations, limits the overall comprehensiveness of shorthanded teams, and artificially enlarges the window of opportunity for attackers. It’s like trying to play competitive soccer without a full team.
The best way to correct the problem is to address the supply side of the equation. We need more cybersecurity professionals. In the long term, only academia can save cybersecurity, yet universities are struggling to retool to sufficiently prepare the next generation of security professionals. Until then and potentially for years to come, this problem will affect every organization that needs security staff and may drive up the use of Managed Security Service Providers.
• The Center for Cyber Safety and Education report: 2020 predictions expecting the shortfall of information security positions to reach 1.5 million
• One Million Cybersecurity Job Openings in 2016
• Higher Education Must Save Cybersecurity
• Job Market Intelligence: Cybersecurity Jobs 2015 report published by Burning Glass Technologies
Cybersecurity predictions for 2016
A slew of expert predictions is now available from a variety of sources. Although some are better than others, all of them provide perspectives for 2016 and beyond. Peering into the future of cybersecurity provides valuable insights around the challenges and opportunities. The industry is changing rapidly and attackers always seem to be one step ahead. Take advantage of what the experts are taking about, but beware some are trying to sell you their wares. Understand how anticipated trends will affect your organization, customers, and partners in the industry. Plan how you can adapt to find a sustainable balance in managing the security of computing capabilities and technology.
How versed are you in these topics? I believe they will have far-reaching repercussions and every cybersecurity professional should understand these areas. Those who benefit from the insights of the future will be better prepared to adapt to the changes.