Three Critical 2017 Predictions for Global Cyber Security
Leo Taddeo, Chief Security Officer, Cryptzone
The US will take a more aggressive position on international cyber security that will lead to cyber escalation between Nation States.
As is typical of any transition of Presidential power, we’re
in a honeymoon period between Nation States. Make no mistake, however: the
first thing our adversaries are doing is figuring out where to “pick a fight”
to see what they can get away with.
For example, Russia has a track record of positive initial
meetings with Presidents-elect, while it tests how much it can extract from
them. But soon enough, Russia’s concerns will be intractable and Trump will be
forced to face reality: Russia will not change its behavior.
We are already seeing Russia test Trump. Just this
week, Putin said about Russia’s military, “We
can say with certainty: We are stronger now than any potential aggressor.
Anyone!” These kinds of comments will not sit well with an aggressive
President-elect, and a Cabinet full of former US military.
With relations strained between Trump and the Obama
Administration, negotiations between the US and Russia have already been sent
into a tailspin. All of this will lead to cyber escalation.
While Trump has been playing nice – some say too
nicely – with Russia, he’ll eventually overreact and take proactive measures,
which is more his style.
Another “Russia intractable” is the Ukraine. Because
US influence in Ukraine is threatening to Russia, and the US won’t
leave Ukraine’s fate in Russia’s hands, both countries will use cyber tools to
try to get what they want: information.
China is another example. Cyber relations with China
are already unstable with the incoming US leadership. Trump is taking China
head on, with regular comments on its currency devaluation, abuse of trade
policies and the volatile Taiwan relationship.
In response to a new, perhaps more hostile Trade
Secretary, China has indicated that “China like
every other country is closely watching the policy direction the US is going to
take.”
In September 2015, Obama agreed with China that
neither side would engage in cyber espionage in business. It was a gentleman’s
agreement, based on goodwill, that isn’t binding or enforceable. From
detectable cyber activity, there seems to have been a decrease in cyber
espionage, supporting the notion that both sides have been honoring the
agreement. If that goodwill doesn’t exist with China, and it seems that it does
not in the President-elect’s approach, all bets are likely off.
The world is not equipped to handle sophisticated, multi-site cyber attacks, especially against financial institutions. Stolen money will be reinvested in “hacker R&D” creating future chaos.
Countries and corporations are not prepared to deal
with advanced cyber attacks. In the February 2016 Bank of Bangladesh hack
against the SWIFT system, criminals stole $81M—and most of it is still
unrecovered. Hackers are already re-investing these funds to develop techniques
to target lesser protected institutions, which isn’t good news for network
defenders.
The IoT is becoming even more commonplace, and the lack
of set standards and regulations leaves us with more and more unsecured devices,
widening the playing field of opportunity for hackers.
DDoS is becoming sexy again because we’re entering a
different era in terms of volume, in part due to the number of IoT devices now
online. We should anticipate an acceleration in DDoS attacks because some of
these devices simply can't be fixed or properly secured.
The October 2016 Dyn DDoS attack is a good example of
the above two trends. And the IoT botnet (Mirai) used in this attack shows
signs of evolving as its source code was released publicly.
Companies will soon make the official transition to
cloud, as they’ll stop viewing it as a risk and start viewing it as more of a
sanctuary. They’ll also start establishing a “TSA-type security pre-check in
line” to services for approved clients that will isolate channels for customers
(i.e., they won’t be public facing) in order to avoid the Internet cesspool.
Context is the next evolution of identity and people will, finally, stop caring about giving up privacy in order to prevent attacks.
We’ll see identity finally move beyond a username and
password to things like what device you’re on, why you’re asking or what the
context is, enterprise vs. mobile origination, etc. These signals will be
seamless (invisible to the user) and will take precedence; they’ll be embedded
in use, and travel wherever users do.
The resource (device, company, network, app, etc.)
will care about who you are in the move to cloud and BYOD environments. As part
of this, users will give up privacy to access the resource.
This trade-off is fair. You must provide enough proof
of who you are when asking for access to a valuable, shared resource. Users
already sign end user license agreements, which most don’t read, and scroll as
fast as possible to click accept, granting necessary access. The vast majority
of the population views this as a fair and acceptable trade.
About the Author
Leo Taddeo, former Special Agent in Charge of the FBI's NY cybercrime office, is now a member of the Citizens Crime Commission of NYC and CSO at Cryptzone.