The first set of predictions in this two-part series was largely around our theme of Human Element. As much as the relationship between humans and technology is expected to evolve, the coming year will also be a turning point for regulations, penetration testing, encryption and DevSecOps standards.
Cyberwar, Election Hacking and “Big Brother.” Who’s Prepared?
“Almost a decade ago,” said Dmitri Alperovitch, Co-Founder and CTO of CrowdStrike, “I coined the phrase that there are two types of companies: those that have been hacked and those that have been hacked and don’t know it yet. In 2020, we are going to see that more and more companies fall into a third category—they are being targeted but able to defend themselves even from the most sophisticated adversaries with the right leadership and strategy,” Alperovitch says.
Despite an anticipated spike in the number of organizations that are able to defend themselves against cyberattacks, companies large and small will continue to be the target of malicious actors, some of which will be successful. Where will cyberattacks be coming from? Even a crystal ball would have trouble channeling that tidbit, but Alperovitch predicts that nation-state adversaries will be upping their efforts next year. “Iran will launch a major cyberattack against the US, aiming to drive kinetic impact. The Chinese government will be even more aggressive in pressuring major Western companies to backdoor their technologies and ban the ones that are not open to it, and we will see at least one destructive attack attempt on critical infrastructure,” Alperovitch says.
Advisory board member Todd Inskeep, , also has some thoughts about what to expect from China in 2020. “China is going to become more of a "big brother" when it comes to cybersecurity companies operating in China, requiring more permissions and controls beyond encryption that will impact companies' security.”
One concerning prediction comes from Ed Skoudis, SANS instructor, who says, “In 2020, government leaders will become increasingly comfortable leveraging and talking publicly about their country’s use of offensive cyber operations to achieve military ends. Military cyber operations will increasingly be leveraged in lieu of kinetic action or to inhibit kinetic engagement in battle (e.g., ‘Aren’t you glad we hacked them and didn’t bomb them?’). As such operations become more common, though, offensive cyber operations will run the risk of actually triggering a kinetic response (e.g., ‘Oops … we over did it with this hack and now they are bombing us back.’).”
Basics Aren’t Sexy, but They’re Coming Back
Caroline Wong, Chief Strategy Officer at Cobalt.io, agrees that 2020 will see some major breaches, but she says, “75% of all major breaches I expect to see in 2020 are going to happen due to fundamental mistakes, not extremely sophisticated techniques.” Given this prediction, it’s not outlandish to suggest that there’s a strong likelihood that several new standards and regulations will drive a return to—or an implementation of—basic security best practices.
“Some unsolved fundamental problems, such as just-in-time asset discovery, are necessary for enterprise security, but haven’t been attracting startups because they’re not “sexy” problems such as catching or deceiving attackers. This will change as VCs realize that there’s a lot of money to be made from this in the traditional deep pocket sectors (such as banking), and that visibility tied with security, done right, is a game-changer. Besides, the basics are fundamental to implementing zero-trust models, so that trend will fizzle without the right backing,” says Wendy Nather, Head of Advisory CISOs at Duo Security (now Cisco).
Additionally, Inskeep predicts that the government’s rolling out of the CMMC—Cyber Maturity Model Certification—will drive enforcement of requirements that have been contractual for some time. “Now they are getting more serious,” says Inskeep. “Next year we're going to start seeing organizations miss out on government contracts because companies can't or haven't demonstrated a level of maturity. CMMC is going to improve some of the foundational security work that companies should have been doing all along. It’s also going to take some time. People are going to start auditing and getting audited against the CMMC, and that’s going to improve foundational security functions and processes.”
From Regulate to Automate
Related to the CMMC’s impact on enforcing requirements, Inskeep says we should expect to see innovation in the security services space, where companies will begin offering services that help companies meet the core control requirements in CMMC. “While cloud providers are doing some of this, I'm envisioning a new service to deal with legacy controls—automating configuration and patch management with scalability to meet the basics that should be more repeatable and haven’t been so far. We've seen lots of automation and services in "Detect" and "Respond;" think of this as "Prevent" becoming a service as well,” says Inskeep.
In her recent Forrester blog post, Predictions 2020: European Consumers, Regulators, and Digital China Seize the Initiative, advisory board member Laura Koetzle, Forrester Research said, “Europe will lay claim to the title of ‘regulatory superpower,’ bringing big moves in competition, privacy, and financial services rule-making and enforcement. EU Competition Commissioner Margrethe Vestager will pursue aggressive anti-trust enforcement and drive the digital single market forward. Additionally, Koetzle expects to see a “steady drumbeat of General Data Protection Regulation (GDPR) enforcement actions and an avalanche of consumer privacy class actions in 2020; further, the EU will finally adopt the new ePrivacy Regulation. EU regulators will also aim to remedy some of the shortcomings of the second Payment Services Directive (PSD2) and open banking 1.0.” ,
Clash of the Identity Titans
Given that scammers will likely see continued success, we will see an increased focused on identity and authentication; however, Wendy Nather, Head of Advisory CISOs at Duo Security (now Cisco) says, “We will see divergent attempts to “own” digital identities, between the traditional software players such as Facebook, Microsoft and Google, and the telcos, who are making efforts to build identity services based on their access to a hardware root of trust (namely, the mobile phone SIM card). The software players will try to counterbalance the hardware players’ advantage by using hardware U2F tokens, either self-built or in partnerships.”
Authentication and identity will also come to the forefront on conversations around election hacking, which are sure to be plentiful come 2020. “We will see an enormous number of claims of election tampering through cyber means, including social networking manipulation, voting machine compromise, and other forms of fraud. In the run-up to the US elections in November, both sides will raise increasing warnings of such problems, but little concrete action will be taken,” says Skoudis. “That will lead candidates who lose in November to claim the fundamental unfairness of the situation, resulting in actual reforms occurring in 2021 or beyond (e.g., lots of complaining and moaning with no real action until 2021).”
New Standards for New Development and Operational Models
“Whether you call it DevSecOps or something else, the current free-for-all will need reining in for the sake of security,” says Nather. “With development and operational silos gone, audit standards that insisted on separation will have to adapt, and today’s “best practices” and checklists for security won’t be enough. The need to reference a reliable, repeatable security process and model will likely result in leading tech companies sharing their experiences in working groups, and those practices will coalesce into firmer standards.”
Will Purple Reign?
Purple was trending throughout the RSAC 2020 Call for Speakers, with a call for red teams and blue teams to work together. Skoudis says that in 2020, “we will see that organizations seeking in-depth security testing will increasingly opt for red team and adversary emulation exercises. Likewise, the phrase ‘penetration testing’ will blend into ‘vulnerability assessment,’ so organizations will need to be careful to ensure they understand the differences between these various offerings (e.g., Be careful to know what you are paying for with vulnerability assessments, penetration tests, red team exercises, and adversary emulation projects).”
Certainly, we should expect to see the blending of many things in the year to come, particularly the coming together of all the different cross-sections of cybersecurity in February when industry leaders will share more insights at RSAC 2020 in San Francisco. Looking forward to seeing you there!