By Ira Winkler, CISSP
I am frequently asked to write predictions for the coming year. To summarize my expectations for 2020: the same as 2019, but worse. It’s not possible for the industry to make sweeping changes in a mere 12 months.
Security is an iterative and evolutionary problem, not a revolutionary one. When you look at what happens, there are only a few major changes from year to year – all you see are the same attacks that manage to stay a step ahead of the latest security technologies.
When looking to the more distant horizon, say 20 years, the story is completely different. Consider that 20 years ago, social media didn’t really exist in its current form. Cellphones weren’t “smartphones” loaded with sophisticated apps and equipped with cameras. Pagers were still common. Today, we all carry powerful computers in our pockets.
But the evolution of malware over the same timeframe has been iterative. For example, WannaCry is just the Morris Worm by another name. Criminals have more fruitful targets available on computers. The underlying hacks just involve different ways of exploiting the technology in use. Vulnerabilities are pervasive, and security programs have not kept up. The potential for asymmetric warfare is large, and we are lucky that no entity has tried in earnest to exploit security weaknesses in a large Western infrastructure. The successful attacks against the countries of Georgia, Ukraine, and Estonia, among others, are a warning of what’s likely to come to the West.
So, as I look forward 20 years to determine what security will look like, the challenge is to predict how the technologies we use for our work and personal lives will change.
First, a mea culpa: In 1995 I laughed at a coworker who told me that shopping online would become more popular than heading to brick-and-mortar stores. I owe him an apology.
So, with that in mind, here are my predictions for the next two decades:
- Ransomware will target connected devices. The Internet of Things (IoT) is a target-rich environment because the majority of these products have poor, if any, security built in.
- Terrorists and nation-states will attack major infrastructures. Their objectives may not be to cripple a power grid or mass transit system, but to generate fear, uncertainty, and doubt.
- Cyberattacks against the healthcare industry will result in deaths. The industry has been under siege for years. Notable examples include the WannaCry ransomware attack that shut down the United Kingdom National Health Service’s IT systems, and the Nyetya attack that did the same to Ukrainian medical facilities. To date, the hackers’ targets have been patient medical records and other sensitive data. But it’s inevitable that the frightening hypothetical scenarios of attacks that injure or kill people become reality.
- Attackers will target vehicles’ autonomous and semi-autonomous driving systems for financial gain or other malicious reasons.
- Human-embedded computers will happen, creating a rich target environment for cyberattackers. While I think this technology is asinine, it is inevitable that many people will embrace it. Attackers always follow the money.
- We will continue to see the same variants of attacks on any systems that may emerge. The vulnerabilities might change from system to system, but they all result from errors in software coding or poorly configured, yet otherwise secure, systems. This will never change.
- Despite all of this, people will continue to adopt insecure technology. People want new functionality. Companies want to save money. Security practitioners will continue playing catch-up. Unless there is some “Terminator”-like catastrophe, there will not be a crippling disaster that will send us back to the Middle Ages.
I could likely be completely wrong, as I was when I dismissed my friend’s online commerce prediction. I, however, remain steadfast in my prediction that we will continue to see similar attacks against new technologies. Likewise, we will see advances in technologies that are embedded in our lives.
The infamous Willie Sutton said he robbed banks because he followed the money. His 21st-century contemporaries are no different.