(I pulled this list together with the help of my colleague Martin Chorich. Or maybe it was the other way around.)
Every year, publications ranging from supermarket tabloids to serious academic journals issue forecasts for the coming year. Those with foresight hold on to these articles and read them again the following December for a good laugh, as we all know how accurate they can be. With that in mind, and following a long week of staring into a well and inhaling the fumes, we offer the following unofficial 2014 guide to trends for cyber security practitioners. These should not be construed in any way as representing Cisco expectations of future market or business conditions. As for their true value, this article and about $4.50 will get you a double mocha latté at a national coffee chain.
1. Changes in the Global Framework Governing the Internet – It is no secret that government policies around the world have had trouble keeping pace with the cultural and economic changes enabled by the Internet. At the same time, the Internet would not be the juggernaut it is without its borderless and unregulated nature. The Internet has developed around a multi-stakeholder model led by the Internet Corporation for Assigned Names and Numbers (ICANN). In recent years, some stakeholders have called for a more government-centric model of Internet governance. In 2014, this conversation will intensify. Debate topics will include whether governance of the Internet should change, and what sort of new governing bodies might find consensus, as stakeholders consider the risks of Internet balkanization and the potential stifling effects of mounting regulatory requirements.
2. CISOs Struggle to Reconcile Responsibility and Control – The notion of a security perimeter is gone for good and has been replaced by a sprawl of traditional IT assets (data centers, endpoints, networks), assets under ambiguous management (user-owned BYOD devices, virtualized devices, network guests), and assets completely beyond enterprise visibility and control (outsourced IT services, third-party cloud infrastructure, etc.). CISOs know, however, that they will be held responsible for anything that goes wrong with an IT operation whether or not they could have prevented it. Unfortunately, many CISOs will learn the hard way that blaming cloud providers for their handling of corporate data is no excuse for bad security. This means that CISOs and CIOs will demand more transparency and assurances from cloud service providers to maintain trust in externally sourced IT operations and services. In short, in 2014 CISOs will be feeling more pressure than ever in balancing unlimited responsibility for consequences with limited ability to control circumstances.
3. The Ethics of Threat Intelligence Sharing – Threat intelligence sharing has always been tricky. By its very nature, information that is helpful when shared might give a competitor or adversary an edge. Moreover, organizations reporting a compromise could be interpreted as admitting weakness or legal culpability. Because threat information sharing is risky, it must be built on trusted relationships that may be years in the making. The setbacks in trust brought about by this year’s revelations of pervasive online surveillance may impact public-private and government-to-government cyber security information sharing efforts in 2014. And new revelations may be in the offing. All of this may put the mechanics and ethics of information sharing under the microscope: How do we define the relationships between government and the private sector, when they share responsibility for the resilience of critical infrastructure? How does increased public scrutiny impact the unwritten diplomatic rules that govern international alliances? How much privacy are we willing to sacrifice in the name of security, and how do we build a single framework if the answers to these questions differ based on where we stand?
4. Hacktivists Go Big – Politically motivated attacks on Internet properties and brands have become one of the most common forms of cyber attack. Unlike criminals and spies who seek to avoid discovery at all costs, so-called hacktivists go for maximum splash. The emergence in the tech community of a Robin Hood culture of civil disobedience means that old-fashioned Distributed Denial of Service (DDoS) attacks are far from dead. Moreover, past high-profile successes in crippling or defacing sites have attracted the attention of legions of self-appointed avengers, providing additional impetus for even more high-profile takedowns in 2014.
5. Hacktivists and Cyber Criminals Pool Their Interests – Until recently, politically-motivated hacktivists and profit-motivated cyber criminals had little overlap. Hacktivists and terrorists prefer big and loud attacks to disrupt and undermine trust in targeted IT infrastructure. Cyber criminals work quietly, preferring their targets to remain unaware. Recently, however, the interests of hacktivists and criminals may be converging. In 2013, we saw DDoS incidents, such as the “Dark Seoul” attacks on Korean banks, which appear to have been staged to distract defender attention away from criminally-motivated data and resource theft.
This raises a number of possibilities. Hacktivists and terrorists could be adding quiet penetration skills to their repertoire. Criminals may be conjuring DDoS attacks to create diversions. Or, perhaps most intriguing, criminals might be contracting with hacktivists for a share of the take in a kind of distributed-denial-of-service-as-a-service (DDOSaaS) approach to political fundraising.
6. The Great Unraveling – We may be going out on a limb here, but it seems that the inter-connectedness of our lives and economies made possible by the Internet is creating a secondary, opposite reaction. Even as our economic interdependence deepens and communication becomes easier, central authorities of all kinds are being weakened. Power and influence are devolving to smaller, regional or individual groupings. Conflicting interests and arrests of leaders of the Anonymous hacker collective, for example, may be eroding that group’s cohesion, while regional or interest-based hacker groups are rising. National borders established early in the 20th century are being challenged. The influence and reach of the nation-state seem overshadowed by the rising power of mega urban centers, ethnic, religious, and interest groups, and even multinational corporations. Even as the Internet brings us together, it makes it easier for us to choose who we listen to, and that threatens to emphasize our differences and drive us apart.
7. Securing an Internet of Things – The number of things on the Internet is limited only by the number of available IPv6 addresses. IPv6’s 128-bit address space works out to a mind-blowing 340 billion addresses for every star in the known universe, so there are plenty of addresses to go around. It may be easy to fall into the trap of allowing many of these Internet-enabled things to be designed with processing, communications, and memory resources sufficient only to perform their designated functions, with little room for “luxuries” such as security, visibility, or manageability. Securing this new space may require a creative approach to security as a fundamental component of even the tiniest processors. Not every device or node will have the same security needs. But in 2014, it is not hard to imagine security managers vying for influence with sales and engineering colleagues over unprecedentedly limited processing real estate.
8. New Metrics Help Quantify the Challenge – Former White House cyber security chief Melissa Hathaway recently published a paper titled The Cyber Readiness Index 1.0, an effort to quantify progress made by nations to implement cyber security. She posits that the economic benefits brought by Internet adoption are being eroded by online theft and malfeasance, and argues that quantifying the challenge is the first step in tackling it. Until recently, many organizations treated security as an afterthought, but the creation of metrics such as the Cyber Readiness Index may help network stakeholders to grasp the scope of the problem by providing an empirical yardstick for assessing the national cyber risk/benefit quotient, and to measure progress.
9. Borderless Insecurity – In the 19th and the first half of the 20th centuries, advanced technologies were viewed as the product of Western cultural, economic, and political values. In recent years, however, that innovation and technology gap has been closing. At the same time, recent experience has shown that along with innovation and good ideas, no one geography has a monopoly on profiteering, crime, and espionage. It has also driven home the fact that inflicting damage can be cheaper than defending against it. Information security experts will be shifting their focus from tracking so-called Advanced Persistent Threats to protecting their networks from persistent, sophisticated threats, regardless of their origin. Going forward, we will need to defend against a 360-degree threat environment where attacks can emanate from any point on the compass.
10. Expect the Unexpected – The safest prediction for cyber trends in 2014 is that something unforeseen and unlikely will take place. Who could have predicted the wave of populist-fueled change that has swept the Middle East since 2011? Who could have reasonably expected Japan’s nuclear reactors to survive (or not) an earthquake topping 9 on the Richter scale, followed by a massive tsunami? Are we planning ahead for rising sea levels, and increasingly volatile weather patterns? Are our enterprises and governments designed to fail gracefully in an emergency, rather than black out? Are we thinking through the implications of a nuclear deal with Iran, or economic impacts of shale oil technology advances? Information security experts can start by cultivating the basics—keeping browsers patched, firewalls robust, being serious about business resiliency, staying on top of vulnerabilities and attack trends, and watching the news for evidence of politically exposed brands or web properties. Ultimately, however, because we cannot predict the future or the actions of criminals and spies in a real-time world, our best bet is to follow the data, build trusting relationships for reliable information sharing, and hope for the best. At least we won’t be bored.