Tom Espiner surveys the security landscape for the shape of things to come.
When my editor asked me to predict what would happen to security over the coming year, and over the next 10 years, my heart sank. The permanency of internet publishing, caching and so forth means predictions have a habit of coming back to haunt you.
Plus, I'm a firm believer in chaos theory and the natural entropy of any system. So any detailed prediction is unlikely to come true — just look at the weekly weather forecast.
Nevertheless, I shall bite the bullet and make my predictions for the security landscape at the end of next year and in 10 years' time. Just make sure you keep a copy of this article, ready for ridicule in 2020.
1. Ubiquitous cloud computing
By the end of 2010, more companies will have moved their data into the cloud, and this process will continue over the next 10 years. Cloud computing makes sense from an economic point of view, but it will bring fresh security challenges for IT professionals.
Smaller companies will reap the benefits of the security mechanisms of cloud providers, which are generally very good, but having all your data in one basket constitutes a security problem. Even one security breach, just one server successfully hacked, could spell disaster.
My advice: make sure your cloud provider federates and encrypts your data. In addition, European data-protection law requires that data held by a European company must be hosted in a European datacentre.
2. ID and access management
Identity and access management will become increasingly important. As the cloud grows, it will also become vital to give employees and third-party contractors access to business systems. A number of companies have recognised this issue and brought out products to address it.
3. Public sector moves online
There are a number of laudable UK government IT aims at the moment, one of which is to provide a government cloud, known as the G Cloud.
Another is to increase accessibility to services, by educating people and making websites easier to use.
The government also wants to make public data available in a format that allows mash-ups. All well and good, but of course these policies bring security issues.
The government's record of keeping our data safe is appalling. There has been an avalanche of reported data-breach incidents following the loss of 25 million child-benefit claimant details by HM Revenue & Customs in 2007.
Government data-sharing plans will facilitate the flow of data, but they also mean it can be more easily compromised — either by hacking the government systems, bribing government employees or through civil-service incompetence and complacency. The government is only now waking up to the value of our data.
More government websites with transaction mechanisms will mean more attacks on citizens through phishing and man-in-the-middle attacks. Weak encryption on Wi-Fi networks is not going to go away, making such attacks more likely.
That said, in 10 years' time we shall probably see fifth- or sixth-generation networking standards being deployed, with improved security built in from scratch.
4. The internet of things
As more devices become internet-capable, the internet will move to the 'internet of things'. For example, you will be able to hook up your fridge to the internet. Sensors in the fridge will allow you to automate online food shopping. Running out of milk? Your fridge will order some more.
However, this development will obviously require very strict security and privacy measures to be successful. That kind of data will become very valuable from a marketing perspective and so will need to be protected.
Device manufacturers will also have to be aware of possible unintended security consequences of networking devices on a grand scale. Your fridge should not become a means of compromising business data on the home network, for example.
Surveillance is also in danger of becoming ubiquitous, as cameras and other bugging devices become so small you cannot see them.
5. Mesh networks
Mesh networks, where devices act as traffic-carrying nodes, are a fantastic idea that has yet to take off. Some experts think mesh networking will become more popular. But the security implications of mesh are profound.
If you have a series of nodes that are carrying internet traffic, only some of them will be keeping track of it. Parts of the internet will act in a similar way to The Onion Router, or Tor, but on a larger scale.
This shift is good news from a privacy perspective, but it could become almost impossible to track traffic. Security experts already have problems attributing attacks such as denial of service, because the computers in the botnets launching them are controlled by unknown agents. Mesh networks could magnify this problem.
However, mesh in the UK may be scuppered by the Digital Economy Bill, because mesh networking would blur the divide between internet provider and subscriber. Internet providers have a legal obligation to keep a record of traffic flowing across their network, an obligation that would be beyond the means of most people.
6. Mobile botnets
As internet-enabled devices become more common, they will bring more opportunities for cybercriminals. Botnets, which are legions of compromised computers, are used to launch denial-of-service attacks, to send spam and to offer bulletproof hosting for unsavoury sites.
With the recent compromise of the iPhone, it is not impossible that mobile devices such as smartphones could be harnessed to do a criminal's bidding.
7. Super-fast broadband
With the government pledging to provide at least 2Mbps download speeds for every citizen, and fibre being laid to provide this performance, super-fast broadband is well within reach.
However, just as increased download speeds will bring opportunities for firms to conduct a larger volume of business, they will offer the same opportunities for cybercriminals.
The internet's addressing system, the domain name system (DNS), has gaping flaws, as publicised by security researcher Dan Kaminsky. It is possible to poison the cache of a name server so when a computer requests a lookup for a legitimate site, it is sent to a malicious one.
However, there is a secure DNS protocol called DNSSEC. VeriSign, a company that operates one of the servers at the root of the internet, recently announced that it would sign the root with DNSSEC.
I hope this initiative will be copied by the other organisations that control root servers, and DNSSEC will be rolled out over the whole internet. This measure would completely nullify the DNS cache poisoning vulnerability.
Internet protocol version 6 (IPv6) is the successor to IPv4, an internet layer protocol for packet-switched networks. IPv6, which is necessary due to IPv4 address exhaustion, will seriously improve internet security. IPv6 implements IPsec, which authenticates and encrypts each packet in a data stream — any intercepted data would be encrypted.
10. Cyber warfare and industrial espionage
A number of countries, including the UK, are developing cyber attack and defence capabilities. The government has said it would only launch a cyberattack in the greatest need, but you can bet that the people at the UK Cyber Security Operations Centre will have the capability both to break into networks, and defend them.
Foreign countries will also have this capability, raising the possibility of large-scale industrial espionage.