Just about everyone agrees cybersecurity will be paramount in 2020, and governments and regulatory bodies are already taking action. While GDPR allows citizens in Europe to manage their digital footprint and data, the EU’s Cybersecurity Act provides strong support for member nations to alert one another and act against bad actors.
Still, cybersecurity is a difficult line of work. It’s dynamic, and IT pros often feel harrowed by the amount of ground they’re expected to cover. Instead of waiting to see which new cybersecurity trends develop in 2020, we thought we’d ask the experts.
We polled a massive number of CTOs, VPs, experts, and at least one “InfoSec Personality” on what they thought 2020 would have in store for us. If there’s one core takeaway, it’s that the headline for this article could have swapped ‘132’ for ‘5’ and we’d still not have covered all the feedback.
Cybersecurity professionals have huge jobs, and varied concerns. Still, these are some of the trends we saw dominating our feedback channels.
5G is scary
While carriers like Verizon rile consumers up about 5G, Paul Lipman, CEO of BullGuard, would rather we pump the brakes.
“5G is set to be the most sweeping communication revolution we have ever experienced and will usher in an era of innovative new consumer services,” Lipman tells TNW. “Because 5G is a switch to mostly all-software networks, and upgrades will be like the current periodic upgrades to your smartphone, the cyber vulnerabilities of software pose potentially enormous security risks.”
This alarm has been sounded before. Huawei, the leading manufacturer of 5G equipment for carriers, is still embroiled in a trade war with the United States Government over concerns its 5G equipment and consumer devices will allow foreign governments to spy on citizens.
The core concern with 5G is that the number of connected devices sending and receiving information – combined with routine network upgrades and the ability to remotely access a network – will create a minefield for cybersecurity professionals.
Josh Lemos, VP of Research and Intelligence for BlackBerry Cylance, says a near full-stop is possible:
“As cities, towns and government agencies continue to overhaul their networks, sophisticated attackers will begin to tap into software vulnerabilities as expansion of bandwidth that 5G requires creates a larger attack surface. Governments and enterprises will need to retool their network, device and application security, and we will see many lean towards a zero-trust approach for identity and authorization on a 5G network.”
Phishing emails will still be big
Matt Jakubowski, Director of Cybersecurity at Uptake, says “phishing is still one of the number one ways an attacker will get into a network or infect users.” Though he (naturally) advocates IT teams upskill workers to be vigilant about phishing attempts, hackers are becoming increasingly sophisticated.
Moreover, experts think hackers will continue to exploit old avenues, like email. “While there are threats that you can completely mitigate by disabling a service or whitelisting/blacklisting, phishing is not one of those as you have to allow access to email,” says Christopher Hass, Director of Information Security and Research at Automox. “It is also much easier to craft a good-looking phishing email than it is to discover and weaponize a zero-day.”
CTO and founder of Illumio, PJ Kirner, takes it even further, saying those around a main target will be at risk. “Whether it’s the child of an executive, an executive assistant, or even someone with administrative privileges, it only takes one wrong click for them to implant malware on their parent’s phone, opening up the back door for a bad actor to get into the company network.”
Unfortunately, there’s no silver-bullet solution. Email requires open lines of communication; educating employees helps, but spoofing Karen’s Sur La Table coupon email is an easy point of entry. In Europe, EU agencies approved the Cybersecurity Act to support member nations against these types of attacks. In addition to providing a framework for combating cybersecurity threats, it allows for wider information sharing on new attacks and vulnerabilities which may be widespread.
The 2020 election should be… interesting
However you align yourself politically, the 2020 election will be worth watching because cybersecurity pros think we’ll see some hacking – and learn a lot.
2016 was the first time we became generally aware of a disinformation campaign from a foreign entity specifically to disrupt the United States’ democratic election process. Social media played a big part in surfacing misleading or outright false information, and it’s just not fixed. Aanand Krishnan, CEO & Founder of Tala Security, says “without more comprehensive website security controls in place, ad networks and session hijack, like those enabled by today’s significant client-side security vulnerability, will continue to put the integrity of these information resources at risk.”
French Caldwell of The Analyst Syndicate says the actual act of voting is in jeopardy, too. “Hackers with ties to Russia did gain access to voter databases in some counties, but they did not alter voter data. The evidence of vulnerability of voter databases could tempt foreign actors to go even further in 2020 – not only gaining access, but perhaps locking down voter databases with ransomware.”
“Ransomware attacks in the days just prior to the election would prevent the distribution of voter lists at polling places. Without the voter lists, election judges would not be able to verify registered voters, meaning thousands and maybe millions of people in affected localities would have to use provisional ballots or, if the ballots run out, may even not be able to vote at all.”
Casey Ellis, Founder, Chairman and CTO at BugCrowd, says “much of the voter narrative on election security focuses on the cybersecurity elements,” which he predicts will make agencies more accountable. “The good news is, we’re already seeing a move in the right direction with the call for vulnerability disclosure programs across agencies, which would allow whitehat hackers to help surface flaws in election websites and applications in lead up to and through the elections.”
Bottom line: expect hacking, and expect accountability. If we really do see a more open sharing of information, we’ll learn more about sophisticated hacking at the top level, which is invaluable.
A.I. and ML can be hacked, too
InfoSec Personality (see, told you we had one!) and Security Advocate Johnny Xmas underscores the real problem with artificial intelligence and machine learning: they’re just plain “resource-intensive,” and that makes them hard to secure. Because A.I. and ML devices or services must be trained, the best ones are birthed and managed off-site, and cybersecurity pros can’t be sure what they’re getting.
“Since ML inherently requires ‘training,’ and this training is extremely resource-intensive (thus rendering hardware cost-prohibitive for the customers), the machines must be trained remotely,” says Xmas. “This means customers of ML products are using ML trained on data which is not specifically theirs, in turn meaning they are not reaping the full benefits of the technology as in the end the best the machine can only act on information it recognizes.”
Haiyan Song, SVP and General Manager of Security Markets at Splunk, tells TNW: “expect to see attempts to poison the algorithm with specious data samples specifically designed to throw off the learning process of a machine learning algorithm. It’s not just about duping smart technology, but making it so that the algorithm appears to work fine — while producing the wrong results.”
As the training becomes a new vulnerability, the automation of some cybersecurity workloads is in jeopardy. Axel Wirth, Chief Security Strategist for MedCrypt, notes log and event data reviews and threat analysis modeling are both capable of automation. Further, he says “cyber adversaries” will use A.I. and ML to “uncover new vulnerabilities, to analyze and misguide our defensive tools, or to create realistic false information.”
Oh, the Cloud
Remember that old joke “the cloud is just someone else’s computer”? Well, if someone’s computer can be hacked, why not the ever-present cloud?
Darrell Long, VP of Product Management at One Identity, says “there is a ‘gold rush’ for organizations to move their data to the cloud. Large organizations are making rapid moves to the cloud without ensuring their data is secured in transit and once it’s there. In 2020, there will be multiple organizations that deal with data privacy breaches and regulatory fines, as these steps are not being adequately addressed from the beginning of the move. Even with the Shared Responsibility Model and news about vulnerabilities with cloud security, we foresee many organizations failing to conduct due diligence and being burned by leaving their data insecure in the cloud.”
“Enterprises should adopt solutions from companies which give cloud visibility, recommend security policy and orchestrate the policies to prevent attacks,” according to Umesh Padval, Partner at Thomvest Ventures. “Secondly, they should accelerate data protection and encryption while data is being transmitted, stored and processed.”
Haiyan Song reminds us that once data migration to the cloud has occurred, it’s not smooth sailing. “Going forward, cybercriminals will exploit the emerging vectors brought to bear by cloud-native technologies such as containers and Kubernetes, taking advantage of organizations’ learning curves to launch new attacks at a scale and speed we have not seen in the [on-premises] world.”
CCPA for all?
The California Consumer Privacy Act (CCPA) is, at its core, the GDPR come stateside. Because the U.S. federal government refuses to act on user privacy in the digital era, California voters went ahead and took matters into their own hands with a GDPR-esque framework that takes effect January 1, 2020.
CCPA is significant for one simple reason: ignoring California is nearly impossible. It’s home to Silicon Valley, and is the nation’s largest economy (and would be the fifth-largest economy in the world if the state were a sovereign nation). If a smaller state enacted something akin to the CCPA, it would risk companies choosing to make their services unavailable to netizens residing there. California, though – not so much.
So what is CCPA? It’s a bill that “creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses.” Essentially, if you’re collecting user information, you have to clearly explain why, what exactly you’re collecting, what you’re doing with it, and how they can remove themselves from your database.
Aanand Krishnan, CEO & Founder of Tala Security, reminds us how powerful the GDPR is. “GDPR went into full effect in May 2018, and already in 2019 the EU has fined Google 50 million Euros, British Airways 180 million Euros, and Marriott 100 million Euros.” GDPR puts the onus on companies to secure your data, or face penalties. Expect CCPA to do the same.
GDPR fines are a warning shot to companies doing business in California, which will likely carry over nation-wide – and why wouldn’t they? But cybersecurity professionals need to be proactive about CCPA compliance. Relativity’s Chief Security Officer, Amanda Fennell, reminds us “best practices should include a thorough review of a vendor to ensure they are in accordance with these regulations and a concerted focus on this area with devoted resources to ensure they stay abreast of changes.”
Expect other states to simply copy-paste CCPA into legislation, even if the federal government never does. And once other massive or dense states like Texas and New York follow suit, it’s smarter to just comply and push on.
Conclusion: 2020 will be like 2019’s lingering JIRA ticket
These five topics are simply the most often-recited bits of feedback from experts, and far from the only ones we’ve received.
They’re also not totally new. Phishing has, in one form or another, been around since the 1980s. The cloud has been problematic since it became a consumer product. We all expected 5G to have issues.
It shows cybersecurity isn’t easy, or simple. If we’ve not solved these issues by now, they’ll continue to surface and morph to suit someone’s needs.