Monday, January 9, 2017

Three Critical 2017 Predictions for Global Cyber Security

Leo Taddeo, Chief Security Officer, Cryptzone

The US will take a more aggressive position on international cyber security that will lead to cyber escalation between Nation States.

As is typical of any transition of Presidential power, we’re in a honeymoon period between Nation States. Make no mistake, however: the first thing our adversaries are doing is figuring out where to “pick a fight” to see what they can get away with.

For example, Russia has a track record of positive initial meetings with Presidents-elect, while it tests how much it can extract from them. But soon enough, Russia’s concerns will be intractable and Trump will be forced to face reality: Russia will not change its behavior.

We are already seeing Russia test Trump. Just this week, Putin said about Russia’s military, “We can say with certainty: We are stronger now than any potential aggressor. Anyone!” These kinds of comments will not sit well with an aggressive President-elect and a Cabinet full of former US military.

With relations strained between Trump and the Obama Administration, negotiations between the US and Russia have already been sent into a tailspin. All of this will lead to cyber escalation.

While Trump has been playing nice – some say too nicely – with Russia, he’ll eventually overact and take proactive measures, which is more his style.

Another “Russia intractable” is the Ukraine. Because the US having influence in Ukraine is threatening to Russia, and the US won’t leave Ukraine’s fate in Russia’s hands, both countries will use cyber tools to try and get what they want: information.

China is another example. Cyber relations with China are already unstable with the incoming US leadership. Trump is taking China head on, with regular comments on its currency devaluation, abuse of trade policies and the volatile Taiwan relationship.

In response to a new, perhaps more hostile Trade Secretary, China has indicated that “China like every other country is closely watching the policy direction the US is going to take.”

In September 2015, Obama agreed with China that neither side would engage in cyber espionage in business. It was a gentleman’s agreement, based on goodwill, that isn’t binding or enforceable. From detectable cyber activity, there seems to have been a decrease in cyber espionage, supporting the notion that both sides have been honoring the agreement. If that goodwill doesn’t exist with China, and it seems that it does not in the President-elect’s approach, all bets are likely off.

The world is not equipped to handle sophisticated, multi-site cyber attacks, especially against financial institutions. Stolen money will be reinvested in “hacker R&D” creating future chaos. 

Countries and corporations are not prepared to deal with advanced cyber attacks. In the February 2016 Bank of Bangladesh hack against the SWIFT system, criminals stole $81M—and most of it is still unrecovered. Hackers are already re-investing these funds to develop techniques to target less-protected institutions, which isn’t good news for network defenders.

The IoT is becoming even more commonplace, and the lack of set standards and regulations leaves us with more and more unsecured devices, widening the playing field of opportunity for hackers.

DDoS is becoming sexy again because we’re entering a different era in terms of volume, in part due to the number of IoT devices now online. We should anticipate an acceleration in DDoS attacks because some of these devices simply can't be fixed or properly secured. 

The October 2016 Dyn DDoS attack is a good example of the above two trends. And the IoT botnet (Mirai) used in this attack shows signs of evolving as its source code was released publicly.

Companies will soon make the official transition to cloud, as they’ll stop viewing it as a risk and start viewing it as more of a sanctuary. They’ll also start establishing a “TSA-type security pre-check in line” to services for approved clients that will isolate channels for customers (i.e., they won’t be public facing) in order to avoid the Internet cesspool.

Context is the next evolution of identity and people will, finally, stop caring about giving up privacy in order to prevent attacks. 

We’ll see identity finally move beyond a username and password: things like what device you’re on, why you’re asking or what the context is, enterprise vs. mobile origination, etc. that are seamless (invisible to the user) will take precedence, and they’ll be embedded in use and travel wherever users do.

The resource (device, company, network, app, etc.) will care about who you are in the move to cloud and BYOD environments. As part of this, users will give up privacy to access the resource.

This trade-off is fair. You must provide enough proof of who you are when asking for access to a valuable, shared resource. Users already sign end user license agreements, which most don’t read, and scroll as fast as possible to click accept, granting necessary access. The vast majority of the population views this as a fair and acceptable trade.

About the Author
Leo Taddeo, former Special Agent in Charge of the FBI's NY cybercrime office, is now a member of the Citizens Crime Commission of NYC and CSO at Cryptzone.