Breach Fatigue, Cyber Cold War, IoT, and Cybersecurity Skills Gap
In just the first half of this year, more than than four billion records were compromised in publicized data breaches, with 559 of the incidents taking place in North America. This number reflects a 133 percent increase from the first half of 2017. These figures are alarming, and leave us wondering where the numbers will landy by June of next year. This year was certainly a busy one for the cybersecurity industry, and 2019 shows no signs of slowing down.
While we’ll have to wait and see what surprises the new year has in store, I tricked, I mean gathered, experts from within our organization to reflect on 2018, and chat about their security predictions for 2019 and beyond. Curious to find out more about an impending cyber war, the future of IoT, or the evolution of the skills gap? Read on…
Another Day, Another Breach
Tim Chen and Corin Imai
With data breaches occurring at a disconcerting rate, our CEO Tim Chen anticipates breach fatigue to truly set in next year. All but the most damaging breaches (such as Marriott) are no longer newsworthy, and individuals have finally come to realize and accept that absolutely nothing they do online is fully secure and never has been. Based on the widespread and growing breach fatigue, senior security advisor Corin Imai expects the public to start holding companies more responsible based on their faltering approaches to security. In a classic “chicken or egg” situation, Corin notes that some companies will, “see the writing on the wall and act first to protect their brand, while other companies will wait for the fallout to see what damage has been done.”
A Crippling Cyber Cold War
Sean McNee and Corin Imai
Between the Sony breach and Russia’s unprecedented tactics and cyber espionage, the nature of cyberwarfare is undergoing a significant shift. We’ve seen some nation states lead the way in the use of targeted cyber actions as part of larger objectives, and now other nation states are following suit. While Corin Imai and senior data scientist Sean McNee don’t foresee a specific cyberwar on the horizon, there will continue to be smaller proxy cyber wars as part of broader regional conflicts, where nation state actors provide resources to support actors that are furthering their interests. These regional conflicts will be testing grounds for new tactics, techniques and procedures as larger nation states determine how cyber warfare integrates into their larger military objectives.
Sean elaborated, “Nation states will also start experimenting more this year in adding ‘disinformation’ campaigns as part of their cyber warfare efforts. The goal of these campaigns is to mask the nation state performing the attack by using the TTPs of a different nation state as part of their attack. These attacks may be more ‘straightforward’ with the goal of being detected and other nation state actor blamed. These kinds of attacks will make true attribution more difficult.”
Moreover, nation states have been using more innovative tactics to carry out their initiatives, such as social media. Through the use of new tactics, Sean expects nation states to target corporations with a new set of goals: manipulation and control. Instead of infrastructure destruction or data exfiltration, the goal is long-term data manipulation to affect public perception and financial performance. Results can be the undermining of strategic deals, introduction of supply chain inefficiencies and increased employee churn. This will lead to missed quarterly earnings, with nation-state friendly actors benefitting from shorting the stock, or leads to nation-state friendly competitors taking over in the marketplace.
Corin agrees, and urges the cybersecurity industry and the private sector to start thinking of our critical infrastructure as more than just physical. In 2019 and the coming years, we will need shift our perception and consider the disruption to our democracy as one of those infrastructures. According to Corin, “the more our teams talk about election hacking and the impact political campaigns have on our democracy, the more likely that disruption could be the next attack on our critical infrastructure.”
IoT Devices: Still Creepy
Sean McNee and Tim Helming
IoT: The buzziest of buzzwords. But, it has this reputation for a reason. Every recent year seems to be the “Year of the Internet of Things,” with internet connected electric cars, toasters, toys and even pacemakers entering the market. But the more we connect devices to networks and the Internet, the more at risk our private information becomes. While the industry is well-aware of the security precautions that must be in place for these devices, there are still plenty of foolproof methods available for threat actors to exploit vulnerabilities.
According to Black Hat Review Board member Adam Shostack, these IoT devices have unique sets of real-world properties which can still be attacked and exploited remotely. Based on this analysis and the past year’s trends, Sean expects attackers to, “create exploits to target the physical components of IoT devices with the goal of degrading performance or completely disabling them: remotely cause batteries to discharge rapidly, overload compressors or heating elements, or cause them to stop responding. Prime examples of these exploits include: electric cars running of out battery power on the freeway, toasters catching on fire, or in a worst-case scenario, pacemakers turning off.” These “toasting” scenarios are dangerous and within the realm of possibility.
In response to the seemingly endless headlines about IoT security flaws and vulnerabilities, director of product management Tim Helming believes an official set of security standards for consumer and small business-grade IoT devices will be drafted in the New Year. According to Tim, this proposal could include something analogous to the UL listing for electrical devices: it would state that a device with the certification meets specific minimum standards for what he dubs ‘securability.’
Mind the (Skills) Gap
Sean McNee and Corin Imai
As the threat landscape evolves, so do the profiles of threat actors and cybercriminals. Given the shortage of experienced cybersecurity professionals, including both whitehats and blackhats, we expect more blackhats, especially those working for nation states, to be moonlighting as cybercriminals in order to make some additional cash. As a result, Sean predicts an increase in muddling, disinformation campaigns and complex relationships between nation states and cybercriminals. To mitigate these issues, the industry will need to directly address the talent shortage. According to Corin, we will see more medium and small organizations shift to more outsourcing to MSSPs that have expertise in the specific areas of need for their organizations (vCISO, vDPO, security architects, security researchers, etc.).
The industry might be hurting, but there is light at the end of the tunnel. A survey from Champlain College Online revealed that the majority of Americans are now concerned about cybersecurity threats, and many are even willing to consider returning to college to pursue a cybersecurity education. Of those surveyed, 41 percent said they would probably or definitely consider returning to college to earn a certificate or degree to prepare for a cybersecurity job. Corin sees this as a positive trend and meaningful promise for solving the significant skills gap in cybersecurity, which is unmatched by any other industry. The growing investment and interest in fostering cybersecurity talent among companies including IBM, HP and (ISC)2 will likely continue, with more scholarships for IT-related degrees and more K-12 STEM programs.
The skills gap won’t close tomorrow but 2019 will bring strides towards filling it.
What do you think 2019 has in store? Tell us in the comments below whether you agree with our predictions, and what your organization plans to do in preparation for changes on the horizon. Finally, be sure to join CTO Bruce Roberts and company on December 11th at 10 AM PT / 1 PM ET for a roundtable discussion on 2019 predictions.