It’s January, which means that the preceding few weeks have seen the midwinter ritual of the Cybersecurity Predictions for the Coming Year, from a wide variety of industry observers and analysts. As in the past couple of years, Tech Pro Research has collated a large number of these forecasts and assigned them to various emergent categories, in order to get an overview of the way experts see the cybersecurity landscape evolving in 2017.
What happened in 2016?
The past 12 months have seen no let-up in the relentless tide of cyberattacks and security breaches — a continuing reminder that, as ThreatQuotient’s SVP of strategy Jonathan Couch put it towards the end of 2016, “Unfortunately right now I think we’re still in that area where the bad guys are winning”.
A year ago, Tech Pro Research’s roundup of cybersecurity predictions for 2016 identified the Internet of Things (IoT) — including the ‘Industrial’ IoT (IIoT) and internet-connected critical infrastructure — as the main security concern for the coming year. Second, by some distance, came ‘CxO issues’ such as the evolution of cyber risk from an IT-department problem to a C-suite problem, a shortage of skilled cybersecurity professionals, user education and budgeting. The three remaining top-five predictions concerned ‘Politically motivated cyberattacks’ (with particular reference to the 2016 US Presidential campaign), mobile security and cloud security.
All of these issues — and more — were indeed prominent in 2016, with the Mirai malware, which recruits poorly-secured IoT devices into DDoS-generating botnets, identified as the ‘worst all-round troublemaker’ in Trend Micro’s rundown of the biggest cybersecurity incidents of 2016. Among other incidents and trends (ransomware, business email compromise, SWIFT vulnerabilities, Microsoft’s patching frequency, the Yahoo breach, the [alleged Russian] DNC hack, Apple zero-days and continuing Adobe Flash vulnerability), Trend Micro also highlighted the first successful cyberattack on an industrial facility — the SCADA-controlled Ukranian power grid.
What to expect in 2017
This year, we’ve examined 345 cybersecurity predictions from 49 organisations, assigning them among 39 emergent categories (occasionally splitting a prediction between two or three categories). Here are the results:
Heading the rankings, once again, is the IoT — even though, this time, we’ve split off the IIoT and critical infrastructure into a separate category that made ninth place on its own. So the Internet of Things — in business, at home and in the wider environment — is clearly the primary cybersecurity concern moving into 2017, and rightly so given the increasing frequency and scale of IoT-implicated attacks last year. These culminated in the Mirai-driven DDoS attack on DNS provider Dyn, which at 1.2Tbps is reckoned to be the largest on record (so far).
In second place is ‘Security automation and orchestration’, which includes topics such as behavioural analytics, threat intelligence, machine learning and artificial intelligence. These predictions are partly a response to the increasingly multi-faceted nature of today’s cybersecurity threats and partly driven by an ongoing shortage of skilled security personnel. Meanwhile, Forcepoint notes that this boot can easily be worn on the other foot, predicting the advent of ‘criminal machines’ (“automated — and autonomous — hacking machines designed to rapidly seek out vulnerabilities and potential breaches in networks”).
Cybersecurity is a never-ending arms race, so it’s no surprise to see ‘Malware and bad actor evolution’ in third place. Every year will bring a new crop of developments under this general heading. For 2017, the pundits predict, among other things: next-generation malware that can fool machine learning and artificial intelligence algorithms (Torrid Networks, Morphisec); the increasing ‘industrialisation’ of cybercrime (KPMG) and the rise of well-organised ‘cyber gangs’ (Mimecast); attacks on APIs as “the internet’s soft underbelly” (Cloudflare); the rise of bespoke and passive implants (Kaspersky Labs); and increases in the use of exploit kits and macOS malware (Palo Alto Networks).
Ransomware was the most prominent cybercrime modus operandi in 2016, and pundits predict that it will continue to evolve and escalate this year, propelling it from seventh to fourth in the rankings. Forcepoint suggests that ransomware could converge with corporate espionage (“Unethical organizations may fill their need for technological innovation and development by hiring ransomware hackers to obtain specific information from competitors”); Kaspersky Lab foresees a ‘lesser grade’ of cybercriminal entering this arena who fail to return ransomed files after payment, altering the dynamics of the ecosystem; and Morphisec predicts that “it could move from a strictly financially driven crime into attempts to affect strategic outcomes” (ransomware attacks against critical infrastructure or enterprises could be used to influence policy or business decisions, for example).
Nation-state cyberattacks — fifth-placed in the prediction rankings — are dominating the news headlines right now, thanks to the fall-out over the alleged involvement of Russian hackers in the 2016 US Presidential campaign. In this climate, Forrester’s prediction that “Within the first 100 days, the new president will face a cybercrisis” is pretty much a nailed-on certainty. FireEye echoes this with: “A new US President will take office in January 2017, presenting an opportunity for foreign governments to test the new administration’s resolve through various provocations”. Whether, as BeyondTrust suggests, things escalate to the point that “The first state cyber-attack will be conducted and acknowledged as an act of war” remains to be seen. Generally, as the University of San Diego notes, “Cyber crime today is a major threat not just for the private sector and for individuals but for the government and the nation as a whole.”
The top 10 cybersecurity concerns for 2017, as revealed by our large sample of predictions, are completed by: cloud security; regulation, governance & cyberinsurance; mobile security; IIoT and critical infrastructure; and social engineering. Regulation — especially the EU’s GDPR, which comes into force in May next year — loomed large, as did the subject of insurance against cyber-risks that cannot currently be defended. Social engineering — including phishing and business email compromise (BEC) — is also seen as an increasing problem, highlighting a general trend for the user to be seen as an attack vector: “We see more and more alerts and events indicating attacks against the end-user workstation instead of the corporate infrastructure” (NTT Security).
Turning the tide
Contemplating the 39-strong list of cybersecurity prediction categories in the graph at the head of this article, you’d be forgiven for wondering whether internet-connected data and systems will ever be safe from unwanted attention.
One approach that has been gaining traction in recent years is ‘data-aware storage’, where data is classified and indexed at the point of creation, with integrated real-time analytics available to address security and compliance issues as they arise. According to Paula Long, CEO of data-aware solutions startup DataGravity, “You hear people drone on about it [data security and compliance], and lots of people would rather stick needles in their eyes than talk about what data can go where. I think that’s going to have to become much more targeted and actionable, and one of the things our product does is give you a 360-degree view of your data, so you can go clean up.”
Only when intelligent security is built into IT systems from the ground up can we expect to make progress. When it isn’t, we get security headaches like the Internet of Things.
Online security has moved far beyond the IT department and the boardroom, with cyberattacks of many kinds now shaping international relations and at times threatening the stability of the internet itself. As 2017 gets under way, it looks set to be a pivotal year in the arms race between the good guys and the forces of darkness. Any individual, family, business, organisation or government that fails to put cybersecurity — and particularly the security of IoT systems — front-and-centre in its planning is risking serious consequences.
Five overlooked flash points for CIOs in 2017
Internet of Things policy
Threat intelligence: Forewarned is forearmed
Cybersecurity Research 2016: Weak Links, Digital Forensics, and International Concerns