I spent most of Monday writing my Digital Defense column for Counterterrorism Magazine, looking forward at the cybersecurity issues we're likely to be facing in 2013. I'm also giving a lecture next week at the University of New Hampshire School of Law about cybercrime issues, so I've been doing a lot of thinking about 2013 trends over the past few days.
The bottom line is 2013 will hurt. When it comes to cyber-preparedness, we are not in the best position.
Here's a way to put this issue into perspective. I've talked to my fair share of generals and FBI SAICs (special agents in charge), and many of them seem far more freaked out about cyber-related issues than conventional threats. Remember that these are people who have access to a vast amount of real, live, go-boom firepower, and they're deeply worried at a pretty fundamental level about cybersecurity.
Cybercrime, cyberespionage, and straight out cyberattacks will increase in both frequency and ferocity over the next 12 months. Here are some of the challenges we're going to be dealing with:
1. Security breaches will be constant: Just today, the Japan's Ministry of Agriculture, Forestry and Fishery admitted it had been hacked, more than 3,000 documents stolen (which included some of their negotiating strategies).
2. At least one login credential for almost every user will be in the hands of bad guys: With the enormous user authentication database thefts of the past year, and the expected increase in penetrations over the next year, huge, aggregated, big-data databases of user authentication information will be available to criminals.
3. 2013 will be the year the password dies: Because so much data is available to criminals about how we humans think about assigning passwords, password-based security will become essentially useless.
4. 2013 will be the year of multi-factor authentication: Likewise, because passwords will become less and less secure, expect to see most services offer a multi-factor authentication capability, whether via a dedicated dohickey or mobile phone.
5. Mobile gets really messy: Speaking of mobile, 2013 will be the year that smartphones turn into mobile nightmares. While iOS devices are relatively secure, Android phones are one download away from being completely corrupted. From mobile spying devices to always-moving botnet nodes, these things are used by people with minimal technical skill, virtually no attention to security, and a desire for instant gratification. Plus, they contain rich catalogs of juicy identity theft information.
6. Light office users move to tablets for security: As a counterpoint to the previous trend, light office users will move to tablets like the iPad and Surface RT for their increased security and ease of maintenance. Rather than basic, cheap desktop PCs or laptops, users who only need to access Web, email, and Office applications will be running on these thin clients.
7. Cloud failures will result in substantial data loss: Users of large-scale PC applications like Office and Photoshop will be pushed even harder to rent their use online rather than install on their local machines, thereby providing an ongoing revenue stream to application vendors. With so much mission-critical data now residing in the cloud, expect at least one or two shocking cloud failures that not only result in breaches, but also devastating loss of data to users.
8. Hacktivist groups morph: Expect hacktivist groups like Anonymous to remain strong, even though international law enforcement is actively pursuing their members. Individuals, acting anonymously from all over the world, will continue to wreak havoc against any organization that annoys them. However, expect to see these groups infiltrated by both law enforcement and agents of nation-states, and expect the agendas of these previously apolitical groups to be pulled in different directions as professional spies dig in and apply hidden influence.
9. Healthcare-related fraud increases exponentially: As more and more healthcare organizations and doctors' offices go online, and as healthcare continues to get more and more expensive, expect to see shocking levels of healthcare fraud, especially since, as the Washington Post reports, healthcare security is among the worst of all industries.
10. Security-as-a-Service becomes a new cloud market: Some vendors, like GFI, already have solid cloud-based security offerings. But as security becomes more and more of a problem and continues to increase in complexity, expect to see a wide-range of cloud-based security offerings, including some that are very helpful and some that are nothing more than snake oil.
11. Companies will still be unwilling to spend what it takes for good cybersecurity: Even though the economy has been improving, it's certainly not going gangbusters. CTOs will be competing with CMOs for tech dollars, and senior executives will still not fully understand how bad things will get from a security breach or large-scale failure.
12. Nation-state cyberwar escalates: Stuxnet may well have been the tip of the cyberwar iceberg. Expect to see cyber-based attacks used to augment the more traditional work of on-the-ground spies and saboteurs with a longer reach and lower risk -- unless, of course, the attacking weapons fall into the hands of the bad guys, as was the case with Stuxnet. Oops.
13. Rogue nations use cybercrime for fund-raising: Even though many North Koreans don't even have light bulbs, the country has been using cybercrime as a way of raising cash. Expect to see more of this activity, not only from North Korea, but from many of the former Soviet states and smaller Asian and African nations.
14. Congress will continue to disregard the Constitution and our privacy rights: Whether it's a misguided way of protecting us against terrorist attack or simply a wholesale sellout to the music and movie industries, Congress will continue to field bills that undermine our Constitutional rights. Sometimes it's hard to tell who is worse for Americans: the cybercriminals or our politicians.
The bottom line is 2013 will hurt. When it comes to cyber-preparedness, we are not in the best position. Getting our senior executives, politicians, friends, and family to pay attention and pay for security is perhaps our biggest challenge.