After an eventful year, it can be comforting to put a framework around the uncertainty of the future and try to look ahead at what next year may bring. And it’s in that spirit that we talked to the RSA Conference Advisory Board to find out what they think will happen in the world of cybersecurity as we enter 2017.
What’s the value of looking at predictions? According to Todd Inskeep, Principal, Commercial Consulting at Booz Allen Hamilton, it goes beyond quelling our anxieties. During an Interactive Birds of a Feather session at RSA Conference 2016, Inskeep facilitated a number of conversations that touched on predictions. What he noticed is that people continue to show interest in looking ahead at what's next for the coming year as a check against their own thinking. Predictions offer an opportunity to see how these forward-looking ideas align with current plans, strategies and budget allocations. They also prompt people to ask whether their staffing meets their needs, or whether they need to add people or provide training.
So what’s ahead for 2017? Here’s our glimpse into the future.
On the heels of a historic election year, Dmitri Alperovitch, Co-Founder and CTO of CrowdStrike Inc., anticipates 2017 will bring inter-governmental cyber conflict.
“For a long time, we've focused on the kinetic effects of cyber, but we are now seeing nation states engage in propaganda campaigns and strategic information operations that happen to be conducted through cyber-intrusions. Looking ahead, we will likely see the U.S. weigh tougher response options to such activities, not limited to cyber-tactics, but also including diplomatic, law enforcement, economic and other policy means.”
Ed Skoudis, Founder of Counter Hack, notes that hacking and politics have collided, and will continue to collide.
“This means some of the unsavory parts of our political parties—both nationally and internationally—will see hacking as a viable method for opposition research. Therefore, political parties and their infrastructure will need to get more involved in the information-security space, through regulation and direct participation. This is not just important from a public-policy perspective, but also is important to keep their jobs during increasingly rancorous election cycles. Over the past decade, we’ve seen the increasing militarization of cyberspace; now, we'll see the politicization of hacking and cyberspace. We'll also likely start to see hacking incidents for attackers to gather Big Data in the form of vast numbers of email messages and files for the upcoming Senate and House elections that will largely unfold from now through at least 2020.”
This also will bring with it the increasing visibility of cybersecurity, according to Wade Baker, an independent InfoSec consultant and Co-Founder of the Cyentia Institute: “We have started to see increasing momentum up the chain for cybersecurity visibility from the boardroom at large enterprises and within the consumer base. We'll see this shift continue in 2017, especially if it is coupled with high-profile or large-scale attacks.”
How large-scale are we talking here? Baker says boards may not consider this problem until a hack results in losses of more than $1 billion. He adds that even the largest breaches are minor for many of the victim organizations as a percentage of revenue lost. Will 2017 be the year we see a billion-dollar attack? Baker thinks it could be, especially as hackers get more competitive and we see larger DDoS attacks.
Inskeep agrees, adding 2017 will likely be the year we finally start to see some standardization about how security is communicated to boards. “Every CISO you talk to is sending a different message to their boards via a different communication method. You'll start to see some standardization here so they know what is expected from a cybersecurity perspective. Most are pretty passive, except when there is a big breach. A more consistent approach will help them learn what to look for when they are talking about cybersecurity.”
Here, Skoudis commented that he has seen first-hand the start of this approach at luncheons hosted by the SANS Institute, where CISOs learn how to talk to the board. They are very well attended, showing there is a real thirst for this kind of knowledge.
The Internet of Things was a hot topic in 2016, and it will remain one in 2017.
Benjamin Jun, CEO of HVF Labs, anticipates it will be a rocky road ahead for IoT. “Someday we’ll look back on the DDoS attacks of 2016 in the same way we look at ‘quaint’ website defacement attacks of the late ’90s. IoT security will become much worse with (1) a lot more devices, (2) connectivity without manual WiFi pairing (think AirDrop for everything), and (3) serious physical consequences when certain devices fail. At this scale, these problems can't be fixed with recalls or device patching. Look for smarter firewalls and home routers that can isolate individual devices and ‘patch-in-place’ at the network layer. Network Access Control will come back into fashion, and even home networks will have local sandboxing capabilities.”
Wendy Nather, Research Director, Retail Cyber Intelligence Sharing Center, agrees, adding that we are headed for an IoT botnet fallout. “The impressment of Internet-connected devices into botnets amplifies two problems: the inability of consumers to add security their devices should have had to begin with, and the externality of risk—neither manufacturer nor consumer is currently penalized except at a distance, when infrastructure is taken down by collective insecurity. We’ll see more pressure to identify and recruit centralized Internet controls to deal with the IoT botnet fallout, such as ISPs filtering traffic, and only then will consumers put enough pressure on manufacturers when their devices stop working.”
Skoudis brings together IoT and 2016’s DDoS attacks, noting the extreme could be yet to come. “We've seen that IoT is a beautiful platform for DDoS—weak, poorly managed systems connected to the Internet in vast numbers—ensuring the attacks will continue for a long period. Whether it's to knock off political opposition or cause a competitor to have a bad day, DDoS will reach an unimagined level that nearly no one can handle. Based on the vulnerabilities of these IoT devices, we will continue to see these products recalled after attacks. 2017 may very well be the year of the IoT recall.”
On the flip side, is there anything we’ll see a complete shift away from in 2017?
According to Alperovitch, “We are beginning to see some indications of a tectonic shift away from legacy solutions as people start thinking about security in different ways and replace those old-style security products they've relied on for decades. This has been a slow ball that's been rolling down the hill for several years, and it's picking up momentum heading into 2017, where it will likely reach a critical mass. Fortune 500 companies are starting to take a totally different approach to how they manage security, and we'll likely see a similar change in smaller companies. Companies' philosophies are changing. They are starting to think about when they will have an intrusion, not if. They are starting to work to figure out how they can get more visibility across all of their hosts and networks. The shift away from legacy will be to the next gen that's based more on machine learning and advanced behavioral analytics. The industry has been talking about replacing these solutions for 15 years, and now we are finally starting to see the trend accelerate.”
While we will likely see another attempt to eliminate passwords, the success of that attempt is in question. “Due to account takeover and credential-stuffing attacks, someone will try once again in 2017 to eliminate passwords, and they won’t succeed. Which is a shame, because the lowly password may be the worst thing we have ever invented. It’s as if medical associations all over the world handed out scalpels to laypeople and said, ‘Here, do it yourself,’” says Nather.
Finally, Jun builds on his DevOps prediction from 2016, anticipating security roles will come full circle and circulate out of DevOps. “More security responsibility will shift outside of DevOps work cells and back to traditional ops roles. Developers have critical responsibility for baking in security, but deployment security involves observation, system tuning, and detection. These roles are well suited to dedicated ops teams. New advances in standardized security definitions are allowing security profiles to be meaningfully shared across both development and operations roles. And today’s container, SDN, and VM environments support finer-grained security control. Expect security automation tools to help non-developers evaluate, monitor, and manage production systems.”
You can download a copy of our 2017 Predictions Infographic here: RSAC 2017 Predictions