In my last column, I reviewed the top security developments of 2004. Now I'm going to extrapolate on the trends that I see affecting IT security in 2005, both here and abroad.
First, I'll begin with a few easy predictions.
- Malware attacks will get worse, or at least more frequent.
- The Homeland Security Department and the White House Office of Science and Technology Policy won't do anything helpful for network security professionals, but some new regulations may cause more problems.
- More serious flaws will be discovered in non-Microsoft browsers and operating systems. This is likely to occur on an accelerated basis simply because many businesses are turning to Microsoft alternatives, making them bigger targets.
- Phishing attacks will continue to surge.
- The time between discovery of vulnerabilities and the appearance of exploits will grow ever shorter.
- There will be an increasing realization that antivirus software with weekly updates is inadequate to combat threats that appear, spread like wildfire, and compromise millions of PCs and networks within a few hours.
- The CAN-Spam Act will be viewed as a total failure. California had proven that regulating spam doesn't work and was planning to outlaw it completely, so Congress trumped state regulators by passing a weak "antispam" law, which actually provided legal loopholes for spamming people, thus protecting direct marketers. Spam volume is still surging from this boost, and 2005 will be the worst spam year in history, to date. Spam killer tools are improving and will begin to reduce the threat by the end of 2005, unless, of course, Congress gives even more unwitting legal protection to spammers.
Spyware will quickly become the biggest single threat to corporate IT departments. Individuals will plant spyware to watch their neighbors in the next cubicle; executives will authorize spyware to watch workers; outside hackers will use spyware to steal IT secrets; competitors will use spyware to steal business secrets; and script kiddies will flood the world with spyware just because they can.
Having authorized spyware makes it harder to deal with unauthorized spyware. Spyware not only lets people steal your passwords and other corporate information, it also compromises your clients' secrets, and that will lead to calls for legal action to stop the spread of spyware and punish companies that fail to control it.
Legacy of failure
When Microsoft updated Windows XP with Service Pack 2, it was the first time that the company chose better security over legacy support. Since Microsoft got away with it, other companies, including Linux vendors, will probably follow the lead and begin to patch holes and update software, even if the fixes disable popular but dangerous legacy features.
Since legacy support is a major cause of software vulnerabilities, this will have a slow but positive effect on improving software security.
Let's talk money
There are also some less obvious developments that I expect to see in 2005 and beyond, and some of these developments are not directly related to IT security but involve economic issues that affect U.S. businesses and IT departments in general. Keep in mind that I've seen a lot of IT history going back to the punch-card computer days, so my guesses are usually fairly well-grounded.
Look for more big foreign buys of U.S. IT businesses, such as the recent purchase of IBM's PC division, but also look for high-profile failures of some of these purchases after a few years. A few decades ago, Japanese companies bought up a lot of U.S. real estate (which freed up U.S. capital for local investment). The market collapsed, leaving the Japanese holding the bag. Look for Chinese companies to use that country's massive trade surplus with the U.S. to buy up things that U.S. companies will be glad to get rid of.
Other important trends are also related to the U.S. deficit and the fall in value of the U.S. dollar. Gold and oil are mainly purchased with dollars, so the rising price of both just means the dollar is being devalued.
Government policy is obvious—a lower dollar means improved trade deficits as goods bought mostly from Asia become more expensive in the U.S., increasing the competitiveness of U.S. workers and making computers assembled in the U.S. comparatively cheaper.
On the white collar side, IT managers and software developers (and even help desk workers whose jobs have gone overseas) will become more competitive in the global market and some jobs could migrate back to the U.S. as a result.
Government and industry self-interest will both drive this trend as they realize fewer good jobs in the U.S. means fewer people will be able to pay taxes (especially Social Security taxes) and buy goods from U.S. companies. Buying goods cheap from China doesn't help a business if there are no local buyers they can resell to.
The government has encouraged the retraining of displaced U.S. workers in computer technology for the past decade, but there has been little work for those who graduated in the past five years (especially in rural areas). Many of the jobs they trained for went overseas instead. However, rural America (such as my part of central Pennsylvania) has a much lower cost of living than big cities, and IT workers can live quite well on a salary only half of what they would need in Arlington, Virginia or Silicon Valley. Thus, some U.S. companies are looking at "homeshoring" some jobs to workers who can telecommute rather than sending those jobs overseas, as reported by News.com.
Security professionals and administrators will continue to be under pressure on a variety of fronts in 2005, with spyware, phishing, and patch management continuing to cause headaches.
The best news for U.S. IT professionals is that I look for a resurgence of IT jobs in the U.S. in 2005 as U.S. workers become more competitively priced, and the cost of overseas outsourcing climbs due to the fall of the dollar.