In a world of digital connectivity and political tensions, cybersecurity is one of the top priorities for businesses in the new decade. After spending record levels on cybersecurity services and products in 2019, the question still remains, what will cyber threats and defense strategies look like in 2020?
To answer that, we turned to two of IronNet’s top strategists, VP of Strategy and Partnerships Jamil Jaffer and Senior Security Strategist Greg Conti, to get their opinions of some key trends to prepare for in 2020.
- Collective defense will be on the rise.
While some organizations will attempt to stand alone against sophisticated state threat actors, often unsuccessfully, other organizations will adopt a teamwork-based approach. The government will learn to be a better partner and will address quality issues and classification restrictions hindering the sharing of information with the private sector. We’ll see improvements that demonstrate the real possibilities of public-private, information-sharing partnerships. Commercial solutions will emerge that share threat information between private companies at high speed, better defending critical infrastructure sectors and large cities. The combination of these efforts will improve security among all participants.
- Manipulation attacks will increase.
One key challenge companies will be presented with in future attacks has to do with the level of trust they are left with in their data after the attack. After an attack, companies have to not only recover their data — but trust the data they recovered. So, for example, a committed attacker might get into a system and rather than exfiltrate data or destroy it, they may choose simply to modify it—perhaps even in subtle, hard-to-detect ways. Over time, such manipulation can have serious effects.
These kinds of attacks can start small with subtle discrepancies. For example, when your smart phone starts lying to you about false meetings on your calendar or a disappearing email, it doesn’t seem like a big deal until it happens more frequently. Given the scale of connected device penetration (estimated at 27.1 billion devices worldwide by 2021), the nature of how we use these devices, and the criticality of the data we transmit over them, if you cannot trust your own connected devices, that can rapidly become a huge problem.
- Attack vectors like phishing will continue.
We are also still seeing attackers use basic access methods like phishing because, put simply, they work. And this is likely to continue until these methods stop working. As a result, we need to learn how to live with the fact that the enemy is likely to get in—particularly a committed actor with strong resource backing, like a criminal hacker gang or a nation-state actor.
As a result, we’ll need to harden systems to prevent problems or find attackers before they take data out of a system or conduct an attack. This is where collective defense can help. If organizations share best practices and potential behavioral threats in advance of an attack, other organizations receiving that information can detect new and novel campaigns faster and leverage the collective knowledge and capabilities of the entire ecosystem.
- Social media will remain a tire fire.
Despite the efforts of social media companies, social media will continue to be a playground for bots, sock puppets, and state information operations. Automated analysis of individuals and target groups will make these efforts even more effective and specific. This activity will reach a crescendo as the elections approach. Governments will be hard pressed to respond.
- Major cloud providers will find a bullseye on their backs.
As more and more organizations move their critical systems and data to the cloud for efficiency, scalability, and cost reduction, cloud provider infrastructure will increasingly become a high payoff target —a target that, if compromised, could have devastating effects on the economy and national security. In 2020, we believe state adversaries will redouble their efforts to attack cloud systems. Whether the defenses in place will withstand the attacks remains to be seen.
- Election security will be comprised, but not devastatingly.
We certainly expect some significant degree of election manipulation, but we do not expect direct vote manipulation—at least not the kind of vote manipulation that affects the outcome of an election—for a number of reasons. First, it is very hard to do at scale and requires fairly close-in access to systems. Second, the systems we use for voting, and the software they use, are fairly diverse even if they are made by a small number of manufacturers; and at least some jurisdictions are now employing systems that have some measure of paper backup and/or auditing. Finally, I think most nation-states understand—and may very well be deterred by—the fact that we are almost certain to respond fairly swiftly and aggressively to any actual attempt to manipulate votes in a major election.
At the same time, there is certainly a very high likelihood that we’ll see a lot more of what we saw in 2016—including efforts to undermine candidates, parties, and confidence in the system, as well as to create discord and dissent between groups and individuals in the electorate. Likewise, we may see attacks against voter databases, including through ransomware, that are designed to either extract revenue or to undermine confidence in our voting system. These types of attacks—which can be partly mitigated by the use of provisional ballots as created by the Help America Vote Act—can still achieve the goals of attackers. Ultimately, these nation-state actors—Russia principally, but possibly including China, North Korea, and Iran—seek to create uncertainty and undermine people’s confidence in the system.
- The threat of deep fakes is real.
One of the most serious new threat vectors to consider will be deep fakes and the impact they will have on the confidence in technology. People have been talking a lot about this problem but there aren’t a lot of good solutions out there today. One thing we might consider is whether there is a way to create assured data that is certified as valid from birth to death and that can be checked against a known good data store for validation. In many ways, you might think about this like the Twitter “blue check mark” not just for online identities but for videos, files, and other data sources. The evolution of such an assured capability could help substantially address the threat posed by this new threat vector.
- State and local attacks and compromises will increase.
Whether it is a city, a school district, or a community hospital, we will continue to see state and local organizations compromised by cyber attacks. These organizations simply do not have the resources to fend off nation-state cyber actors and sophisticated criminal groups. The pseudo-anonymity of crypto currencies will allow the ransomware business model to flourish in 2020.
- We will recognize academia has been compromised by state actors.
Over the past decades, parts of the U.S. university system have been infiltrated by state actors. Universities are effectively businesses and are financially incentivized to admit students and hire faculty from threat countries. Whether directly through the students and faculty themselves, or indirectly through their loved ones, these individuals can be leveraged and exploited by threat states to gather intellectual property. Increasingly, we will publicly recognize that the battle is ongoing and that much of academia’s R&D is being fed to our adversaries.
- Actionable quantum computing will remain elusive.
While significant progress has been made in the field of quantum computing, practical, actionable advances are unlikely to occur, despite news to the contrary. While we don’t predict that there will be any game changing breakthroughs, we do believe quantum computing will continue to advance incrementally. We anticipate game changing quantum security applications will be at least a decade away, probably longer.
- The U.S. government will organize better to execute and counter information operations.
U.S. cyber forces will take a more aggressive role in countering both adversary information operations and cyber operations through its strategies of persistent engagement and defending forward. Additionally, we will see U.S. forces create synergies by blending cyber operations, influence operations, and electronic warfare teams into cohesive operational organizations.
- U.S. government cyber operations will (partially) emerge from the shadows.
As U.S. cyber operations become more assertive, they will become better at sharing their successes. Public disclosure will help policy makers support these activities and will also help increase public understanding and support. However, the most important benefit may be the deterrent effect these public relations efforts will have on our adversaries.
- We will see increased urgency around cybersecurity.
Cybersecurity is a critical national security and economic threat. Both inside the government and in private companies, we will see increased urgency. While we would like to put in place a few security technologies and then check cybersecurity off our list as complete, this will not prove viable. The drumbeat of compromises will increase recognition that cybersecurity is an ongoing process that must be embedded into business operations, not one that can be “solved.” The outcome will be a sense of urgency to address cybersecurity.
- Virtually all corporate boards will recognize the importance of cybersecurity.
Over the past decade, companies have learned painful lessons that cybersecurity is important. Many company boards have adopted a methodical approach toward reducing cybersecurity risk. We believe most other boards will see the writing on the wall and take positive action rather than become a statistic.
- Cyber insurance will not fix everything.
Cyber insurance promises much, but will not be a panacea in 2020. We do not yet have sufficient resolution on cyber vulnerabilities, exploits, attacks, probabilities, and impacts to appropriately evaluate risk and cost. Progress will be made, but there are too many open questions, such as “what is an act of war in cyberspace?” Until these foundations are in place, cyber insurance will remain a work in progress.