
What 2017 has in store for cybersecurity


There is much uncertainty surrounding the security industry for 2017, and according to experts in the field, a lot of the trepidation is directly connected to what the nation’s next president will do.

Here’s what security vendors and analysts are predicting for the year ahead.

John B Wood, CEO of Telos Corporation, cites a need for cooperation between the government and the private sector. President-elect Donald Trump took a break from his “thank you” tour to meet with tech executives to smooth over a contentious time between the two sides during his campaign.

“President-elect Trump has been vocal about the need for a stronger and more aggressive cyber security posture, and I’m confident that he’ll work with leading members of Congress. Many non-political cyber experts throughout the government, various agency CISOs and [Federal Chief Information Security Officer] General Touhill will also be great resources to further refine cyber security policies to protect U.S. interests in the face of constantly changing threats,” Wood said.

He also noted the renewed focus on U.S. Cyber Command. The President-elect has promised to eliminate the threat of defense sequestration and to spend more on the military. “This needs to include working to roll back the budget caps for defense spending and providing additional resources for cyber security, including more money for U.S. Cyber Command, which I believe is grossly underfunded,” Wood added.

Speaking of funding, Wood does not believe that a change of administration will automatically lead to a change in regulatory policy.

“Although there will certainly be a big push by the Trump administration to roll back or modify overly burdensome regulations, I don’t see this affecting cybersecurity regulations, like the NIST Cyber Security Framework that has been developed in consultation with the private sector,” he commented.

Reuven Harrison, CTO and co-founder of Tufin, a provider of network security policy orchestration solutions for enterprise cybersecurity, said the thought of a Trump administration inevitably failing to uphold regulations will keep IT departments tossing and turning at night. “If Trump implements his deregulation promises, and penalties for non-compliance with industry-wide security regulations are relaxed, security teams will need to be self-disciplined to maintain a high level of security by turning to outside resources for security best practices,” he said.

Carson Sweet, co-founder and CTO at CloudPassage, said privacy will take center stage over security.

“Trump’s administration will create a fundamental shift in concerns as it pertains to security. There’s a new sheriff in town, and many posit that he has less regard for privacy concerns than the current administration. Case in point, Trump supported the FBI in its battle with Apple over iPhone privacy and security,” Sweet stated. “If this new administration demonstrates in their policies a value for law enforcement and intelligence access over citizens’ privacy, they’ll double or triple down on the government’s right to inspect data. The impact of such a reality would extend to the use of online services, cloud providers, even personal computing devices and IoT.”

What that impact would be is very hard to know, but it’s safe to bet that it won’t be positive, he said. The wars around PGP and personal encryption come to mind (anyone remember the Clipper chip?).

John Bambenek, threat systems manager at Fidelis Cybersecurity, said he never would have predicted last year that we would be talking about the DNC and hacking of elections.

“Ransomware will be on the upswing and evolve in new unforeseen ways. It will be more targeted and focus on more valuable targets as we saw with healthcare. And it will continue to attack new, more damaging industries like we recently witnessed with San Francisco BART and Muni,” he said.

While 2016 found the election under scrutiny because of alleged hacking by foreign powers, 2017 will continue the trend of identity theft and ransomware.

Forrester predicts that within the first 100 days, the new president will face a cybercrisis. The momentum of winning the election gives new presidents the public’s support to follow through on key initiatives of their campaigns. However, the 45th president will lose that momentum coming into office by finding the administration facing a cybersecurity incident.

Forrester suggests that the administration prepare for nation-states and ideological groups looking to disrupt and degrade. It believes the U.S. should be on the lookout for China, North Korea and Iran.

“Political ideologies use electronic means to both recruit and spread information. DDoS attacks using IoT devices are becoming a common means of disrupting operations for companies or individuals that threat actors disagree with. A company can become a target not just because of its size or global presence but also because of its political donations or public statements. If you’ve never factored geopolitical concerns into your security risk analysis, you ignore them at your own firm’s peril.”

Civilian “casualties” in the Cyber Cold War

Corey Nachreiner, CTO at WatchGuard Technologies, follows Forrester’s way of thinking. “Whether you know it or not, the cyber cold war has started. Nation-states, including U.S., Russia, Israel, and China, have all started both offensive and defensive cyber security operations. Nation-states have allegedly launched malware that damaged nuclear centrifuges, stolen intellectual property from private companies, and even breached other governments’ confidential systems. Countries are hacking for espionage, crime investigation, and even to spread propaganda and disinformation.”


He believes 2017 will be much the same: behind the scenes, nation-states have been leveraging undiscovered vulnerabilities in their attacks, suggesting that these countries have been finding, purchasing, and hoarding zero-day flaws in software to power their future cyber campaigns.

“In other words, the nation-state cyber cold war is an arms race to discover and hoard software vulnerabilities—often ones in the private software we all use every day,” he said.

In 2017, expect to see a civilian casualty from the nation-state cyber cold war, Nachreiner said. “We expect to see at least one private business or citizen become a victim of a zero-day flaw that a nation-state held secret in their arsenal,” he said.

In an effort to combat terrorism and expand surveillance, at least one Western government will follow Russia’s lead and mandate access to encryption keys and certificates, foresees Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

“Widespread government access to encrypted communications has the potential to demolish internet privacy and devastate security. Encryption is the backbone of secure and private communications on the internet — it protects online banking, shopping, all manner of consumer services that our economy and critical infrastructure rely on. Once we allow governments universal access to encryption the likelihood of abuse and misuse skyrockets. It’s time to stand up against governments’ efforts to hijack privacy and trust online,” he said.

Scott Millis, CTO of mobile security company Cyber adAPT, believes that by next year every adult in the U.S. will know a relative who has had their identity stolen. The Internal Revenue Service reported that 2.7 million people had their identities stolen in 2014, and according to TransUnion 19 people fall victim to identity theft every minute.

George Ng, co-founder and CTO of Cyence, believes many companies don’t realize even the smallest things can expose personal information and make them more likely to be targeted. For example, a job listing for a CSO or CISO indicates a lack of senior leadership for cybersecurity. “[Personal identifiable information] continues to be a target for hackers and criminals and is very tangible information that can be sold easily on the dark web, just as easy as credit cards. PII records will continue to be specifically targeted because they fetch a higher price and are more versatile in their usage for hackers.”

With privacy in mind, Forrester said surveillance marketing will blur the line between online and offline customer behavior. “The online ad world has been chipping away at people’s ability to keep their online and offline habits separate for years.”

New rules for U.S. internet service providers will unleash a flurry of lawsuits. Earlier this year, the U.S. Federal Communications Commission (FCC) determined that ISPs like AT&T, Comcast, and Verizon would be classified as “common carriers”—the same designation as landline telephony providers. On Oct. 27, the FCC voted on a set of rules that place limits on how these providers are allowed to monetize customer data. The carriers say that the FCC is restricting fair competition, since companies like Facebook and Google have no such rules.

“2017 will be a year of legal battles—between the internet giants and against federal regulators—while the promised consumer protections will fall short on enforcement,” Forrester writes.

More data breaches

Of course predicting more data breaches is not a real shocker. Forrester estimated that a Fortune 1000 company will succumb to a cyberbreach and ultimately close down.

There will be no improvement in the time companies take to react to a breach, Millis said. Ponemon Institute found that when a breach was identified within 100 days, average costs were $5.83 million per breach. However, if a breach went undetected for more than 100 days, costs rose nearly 40 percent.

Healthcare breaches…

