Just recently I sat down with Marc Goodman, whom I’ve known for many years, and chatted about his new book “Future Crimes”. (I strongly recommend you take the time to read it. You can find it on Amazon here: http://www.amazon.com/Future-Crimes-Everything-Connected-Vulnerable/dp/0385539002.) It got me thinking about the past five years or so of security prediction articles that have come out. The vast majority result in little more than a listing of more attacks, more data loss and more vulnerabilities. Not only does this add little value, but it squanders a significant opportunity for the reflection and insight that all of us should do. To that end I’ve tried to detail out my predictions for 2015 based on my thoughts on what drives the industry.
In order to predict what will happen we first need to establish the influencers on it and where those influencers are going. Without this we are leading blindly and without a framework of why. The security industry is influenced by a few major categories: global economics, technology changes, public awareness, vendor economics and threat economics.
Influencers of Information Security
Every major evolution in security has followed a major evolution in IT. From the mainframe shift to client-server to client-cloud, the security industry has evolved in its wake. These new technologies drive a need to evolve security, with technical, process and people means, in their use, management and awareness. We can predict changes in security by seeing the early changes in technology.
Over the past 20 years mainstream media never spent much time on security. It wasn’t until recently, with the story of Snowden, that a significant focus was placed on the massive compromises that have occurred. Media coverage has the capability to drive consumer and enterprise focus on the issue, which without it is generally ignored. The more focus the media has on the issues, the more attention customers give to vendors. The more questions a vendor has, the more they drive advancement in the solutions they provide.
“Follow the money” is what my history professor used to say. The global economy has a huge hand in shifting attention and action on various issues. This was most notable in the most recent 2008 recession where businesses around the globe drove significant cost cutting measures for self-preservation. We also see this played out on a State level where the investment in IT infrastructure drives significant growth. That same investment that enables growth can also become a pathway for malicious use. This is because malicious individuals need connectivity, education and resources which are all needed for technical growth of a State.
The ability for companies and consumers to defend themselves includes the ability for solutions to be available. The majority of these solutions come from companies researching and developing them. While a very small number of solutions come from altruistic individuals, the majority are from “for profit” entities. The delta between security risk and marketability is the area that security vendors exploit to drive solutions and subsequent profits. This vendor industry has been around for a very long time but only recently, since the 1990s, exploded with a plethora of growth startups and companies. This highly competitive and constantly shifting vendor landscape not only drives profits but is critically depended upon by global entities to defend themselves.
The motivation to commit crimes has always had a strong financial undercurrent. Since economic globalization and the fall of the USSR, global criminal syndicates and crime have risen and taken hold. What followed in 2005 and beyond was the migration of individual criminals to cyber criminal syndicates due to the realization of revenue from cybercrime. While we are in the very early stages of a great crime migration, the impact has been deeply felt. The influence in the practitioner, vendor and consumer segments has driven significant media, public policy and spend. Where the threats migrate, significant effort and money will follow to try to mitigate them.
· The tech curve will create new areas of exploitation. While security evolutions typically follow IT evolutions, there is also typically a gap in between. What results is the ability for that gap to be exploited for political or financial gain. In the near term is the mass migration of corporate back-office functions to the “cloud”. We will see a continuation of that gap as cloud providers and companies still work to implement security mechanisms. At the very early stage of that gap are the Internet of Things (IoT) and other component-level Internet-connected devices. The new growth area of using TVs, refrigerators, etc. to distribute spam, malware and (D)DoS attacks will see growth.
· The threat landscape will begin to evolve. The ability to make large amounts of money by leveraging cybercrime is just in the beginning stages. It’s a high growth market that hasn’t begun to realize what the total addressable market is. We will see an increase in crime, as expected; however, new markets and applicability to legacy physical markets will increase faster. Specifically, the ability to conduct extortion based cyber-monitoring, illegal sex trade, currency counterfeiting and narcotics.
· An increase in criminal protection due to consumer service confidentiality. As major consumer Internet services begin to resist subpoena requests and implement solutions where they have no ability to see consumer data, the opportunity for criminals to proceed undetected increases. Historically, criminal activity, such as child pornography, has been a huge problem on the Internet as consumer services, such as email and file-sharing, enable anonymous access. When those consumer services increase their ability to not see content and/or respond to subpoena requests without stronger identity identification, the criminal actions will have a stronger ability to not be taken down. This will drive an increase in the global activity and financial growth of child pornography and other crimes.
Media and Public Policy
· Media will decrease in their security stories – The sensationalism of Snowden wore off towards the end of 2014. The subsequent breaches in the fall and winter of 2014 also received little media attention compared to their predecessors of the summer. This shifting of the story will continue unless there is a major governmental leak. This is unlikely, as such leaks are fairly rare, and as a result media attention on the story will nearly die. Expect the security conversation to be not just pushed to a second story, but all the way to the back page.
· We will not see any significant Privacy, U.S. Intelligence reform or Information Sharing Acts. With the last two years of the Obama administration and Republicans holding the Senate, there is little chance of any reform or legislation getting through. It’s even more complicated by the fact that privacy and national security are at odds, which prevents anything substantive being agreed on. As a result, initiatives such as CISPA will be discussed but not materially accomplished. In addition, NSA reform will be more of a political football, as no one really wants to limit the mission of intelligence gathering as opposed to making it a 2016 presidential debate issue.
· International Privacy policies will increase in their restrictiveness. While the U.S. will continue with light privacy legislation, privacy legislation in Singapore, the EU, Canada, Brazil and other countries will increase. There has always been strong privacy advocacy in many countries, but it will increase due to the media attention over the past year on intelligence gathering. This could complicate technology adoption in those countries and potentially create a Balkanization of cloud services. If those countries begin to require in-region cloud services, it more than likely will create an economic competitive hurdle, as companies in those countries will be forced to use services that are not competitive. As a result, foreign companies will have the ability to use more agile and enabling services for their market.
· Intelligence agencies will change intelligence gathering tactics. As major capabilities of intelligence agencies’ information gathering begin to be shut down, they will be forced to use other methods. This is most notable with the tapping of datacenter communication, which is now beginning to be encrypted. This will drive an increase in existing methods and the creation of new ones. As server-oriented and server-to-server opportunities become limited, the drive to client monitoring will increase. The migration of information gathering will occur in a few ways.
o First, the adoption of malware to infect workstations and monitor user activity. This is and will continue to be used; however, it is limited by the inability to be controlled once it’s in the wild.
o Second, the direct attack and compromise of foreign corporation consumer Internet services. By compromising the consumer services’ servers directly, large amounts of data can be gathered. This is more than likely detected and will be used by countries lower on the intelligence / technical capability spectrum.
o Third, the increase in cryptographic “cracking” capabilities. The development of increased compute power will increase as intelligence agencies are forced to crack the raw encryption keys being used. This is more realistic as it can be done offline and without the majority of entities knowing. This is even more beneficial as most applied encryption is done with poor encryption key rotation or management. So once the encryption key is found there’s little chance of it being changed to thwart the data gathering effort.
o Fourth, direct attack on corporate and Internet key management providers. One of the most difficult things to manage in a corporation is the encryption key service. By compromising the servers that store the keys directly, the intelligence gathering can be done passively with extreme success. This means the compromise of consumer corporate networks for the direct intent of key compromise.
· Minor improvements in Consumer Security will take hold – The compromises of consumer corporations will drive moderate improvements for consumers. In addition, the short-lived focused attention will drive a small amount of them to focus on credit reports, password controls and anti-malware solutions.
· Investments in Security will slow. The increase in the media’s focus on security resulted in board members and CEOs focusing on it. That, in turn, focused financial incentives on the respective security teams. As the media attention starts to wane, it will also drive a regression of focus in the board members’ and CEOs’ minds. This, in turn, will start the normalization of funds to the security teams, placing downward pressure on staff and solutions. This won’t regress below what we’ve seen in 2012 and before.
· Increasing corporate applied confidentiality. The realization that international communications between datacenters, in applications and services has driven consumer cloud providers to implement deeper layers of confidentiality. Encryption over private telecom lines, keyless endpoint encryption and more have started to be implemented to ensure the consumer providers are removed from having access. This
· A significant security vendor disruption will take hold. The vendor community will go through significant disruption, as new vendors focusing on the new model will usurp legacy vendors. This is significant as two major facts hold true. The first is that new startups focusing on driving legacy controls to the cloud gain traction. The second is that these new startups are more resistant to acquisition due to the strong growth in the security space. The result is that larger vendors, who have a very hard time incubating solutions, will fall behind as their market share migrates to these new vendors that are driving new solutions.