It has been an exciting and eventful year in the world of computer and information security. As I look back through the stack of articles, conference notes, political and regulatory wrangling, technology winners and losers, and most captivatingly, the behaviors of the attackers, I find myself giggling like a schoolboy. It is truly a wonderful time to be in this industry. We certainly live in interesting times.
As the chapter of 2012 has come to a close and the blank pages of 2013 open before us to be written, it is time once again to look into the future and predict what the next 12 months hold for the cyber and information security domain. Based upon nailing last year’s predictions, I believe I have earned consideration to wear the turban of Carnac the Magnificent.
…which as I think about it, may be a reference which most readers may not get: Johnny Carson, The Tonight Show. Oh, never mind. I am old, go Google it.
Many aspects of security will continue to hold true. Malware will increase, vulnerabilities will be discovered, systems will be hacked, patches will be issued, fraud and loss will be rampant, stories will be sensationalized, victims will cry, attackers and defenders will get better, legislatures will demand action, and the citizens will be aggressive in expressing their opinions and asserting their rights. Certain characteristics of security are persistent. These are pedestrian predictions. They go without saying. Above and beyond those are my security predictions for 2013 and beyond:
Top 10 Security Predictions for 2013 and Beyond:
- The devastating Internet-infrastructure Cyber-DOS attack will NOT happen!
Fear mongers relax. The debilitating Denial-of-Service of our precious Internet-of-Things will not happen, at least in 2013 and likely not for some time, if ever. The only real chance of this is if an all-out war broke out between major technology-vested countries. When troops and tanks roll, all bets are off on the potential for collateral damage in the cyber world. Short of that, an elaborate attack to do irreparable harm to the Internet is just not likely. Those who can, rely upon it themselves. Those who want to destroy the evils of the Internet, likely do not have the ability to succeed. It is a stalemate. Targeted attacks may occur, but the great “Cyber Pearl-Harbor” is just not realistic.
But what about the rapid advances of nation state cyber warriors and technologists? Heavily financed, well resourced, and highly motivated to fight and win in the cyber battlefield? Well, here is the real story. Any professional investigator, military strategist, or intelligence operative worth their merit will tell you the goal is to compromise a command, communications, and control network. Not to destroy it or take it offline, but rather to conduct surveillance, gather intelligence, and then use it in ways to undermine and target the enemy. The last thing you want to do is take it offline! The professionals know this. It is the amateurs who launch DOS attacks, as the pros play a smarter game.
- The real targets for 2013 and beyond are BANKS!
Forget DOS attacks against social sites, vulnerabilities in toasters, lost health records at the local clinic, and data compromises at NASA. The real targets are banks. Professional criminals and syndicates are getting smarter and realizing the Internet is a much better means to achieve financial gains, than the local streets and traditional businesses they play in. With unimaginable wealth sitting just beyond the keyboard, they have the resources to invest in order to seize major scores.
Where are all these riches you ask? Mr. Willie Sutton, an infamous bank robber of the 20’s, would likely tell his compatriots to ‘go where the money is’. Banks. This is how it has always been, as thieves gravitate to where the loot is.
With banks rushing to connect with customers online and via phones, they have underestimated the lurking dragons waiting to pounce. These attackers range from the rudimentary to the highly organized. But the truly dangerous villains are experienced in being selective, stealthy, and planning for multi-million dollar heists and scams. It is happening already and we have seen but the tip of the iceberg. The banking industry needs to wake up. Security must be taken seriously as they expand to reach and service their customers. In 2013, we will see many failures of this. Only those organizations who invest in both superior security leadership and technology will stand confident.
- Arrests, prosecutions, and pressure against threat agents will continue to go up!
Last year we witnessed an aggressive crackdown on hackers and cyber criminals. Security and law enforcement capabilities, techniques, and cooperation continue to grow and improve. Tangible success in security reinforces investment. This momentum will accelerate in 2013 and we will see many of the less savvy players brought to justice. Expect this trend to thankfully continue forward.
- Cyber regulations remain inconsistent across borders, vague, and ineffective, but will continue to slowly coalesce.
Politics, economics, social expectations, and regional differences in what is considered an individual’s right will continue to hamper globally adopted regulations. But this is an important and valuable effort, which is the one thing everyone agrees on. They will continue to slowly align, find tradeoffs, and coalesce for everyone’s benefit. Patience. It will be a bumpy ride with false starts and turmoil, but it will get a little better in 2013, then 2014, etc.
- Governments invest heavily in Cyber
Tech savvy governments have no choice. They must now invest in cyber technology to defend their systems, people, privacy, and national infrastructure. Larger governments are investing heavily in offense, defense, detection, infrastructure testing, survivability, intelligence, resilience, SOC/CERTs, Hunter Teams, etc. They will evolve to both establish and defend their online territory and systems. As we saw in 2012, many governments are openly recruiting and establishing centers of excellence for the particular skills necessary to reach out and influence or affect others. In 2013, many such entities will have created and begun training in earnest with viable offensive cyber weapons. Welcome to the fifth domain of warfare. There is no going back.
- Regulations increase in depth, breadth, and specificity for high technology
Technology hardware, software, cloud services, mobile devices, and the data collected from all those sensors will come under regulatory scrutiny. It won’t all come at once, but it will come. Privacy, critical infrastructure protection, government systems standards and minimum controls, data aggregation, and remote surveillance will be the first targets for more specific and comprehensive requirements.
Many of the current or first generation government regulations were broad in nature. They are getting more explicit and lengthy. Ever read the NIST 800 series? This is not necessarily a bad thing, but bureaucracy can sometimes be slow to respond to rapidly changing environments. Satisfying regulations is always a start, but never a guarantee of security. In 2013, we will see more required oversight, business practice investigations, clarity in technical and behavioral requirements, and those out of compliance will be penalized.
- Mobile malware and attacks increase
No surprises here. Although it falls into the category of blazingly obvious, it still deserves a call-out. The rapid adoption of smartphones worldwide has spawned an insatiable vortex of desire for applications and services. Each an opportunity for attackers. The rush and competition for product releases has left security as a distant bystander. This environment is ripe for rampant malware and attacks. We all will start to see and feel the pain in 2013.
- Covert attacks get better, more sophisticated, and tougher to decipher
Amateur night is over. Although the vast majority of malware out on the Internet is basic and well understood, this will begin to change. Sophisticated covert attackers have learned that discovery is the death knell of their malware. They will take innovative steps to stay hidden, be more resilient, survive counter-attacks, and make it much more challenging for security researchers to understand the inner workings of future malware.
- Innovation rules. Attackers and defenders get better, at a much faster rate than before.
Investment spurs innovation. The world is becoming more connected between people and valuable services. With governments, businesses, and consumers investing in security, the stakes and investment are raised. Both attackers and defenders will improve to counter their respective adversaries with innovations backed by these investments and opportunities. The race will simply get faster.
- Patent lawsuits to infiltrate the security services industry?
Patent lawsuits are rampant in the technology sector. Will security become the latest target in 2013? Perhaps. This prediction will come down to economics. I will confidently predict more patents will be filed for security in 2013. Only if a significant paycheck is plausible, will the patent lawsuit community begin to circle. I give this a 50% chance of seeing a security technology patent lawsuit by the end of the year.
There you have it. My top 10 predictions for 2013. Come back in December and we can celebrate together or you can berate me mercilessly. Either way, it should be a fun and interesting 12 months.