Paranoid Technology: All things cybersecurity

7 Jan 2016

8 Scary Security Predictions for 2016



2016 Security Predictions
1) Back Doors Open in Corporate Encryption

Paranoid Technology has already opined on why “opening” encryption is bad for businesses and citizens alike, but that has not stopped calls from Washington for a “magic bullet” that lets the good guys in and keeps the bad guys out. What is concerning are predictions like that of Robert S. Litt, general counsel in the Office of the Director of National Intelligence, who wrote: “the legislative environment [for passing a law that forces decryption and backdoors] is very hostile today, it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.” It is an eerie and potentially prescient comment. Right now strong encryption is winning, but it is true that certain events would likely sway public opinion.

2) National Privacy Laws Weaken (Again)

2015 finally saw the USA Freedom Act passed, reining in NSA surveillance (including bulk collection of phone records) as of November 29th, 2015, although in the eyes of many civil liberties groups it still did not go far enough. The end of 2015 also saw Republican lawmakers introduce a new bill that would roll back the USA Freedom Act and reauthorize the government’s collection of phone records through 2017. Even that rollback is not enough for many lawmakers: senators like presidential candidate Marco Rubio would prefer a permanent reauthorization of key provisions of the Patriot Act. The Republican response is a bellwether of what to expect in 2016, especially if terrorist or criminal events occur that can be presented as ones mass surveillance would have prevented (see Litt’s crystal ball, above).

3) No More Safe Harbor (for Good)

As of the drafting of this post, no replacement for Safe Harbor is on the horizon. The European Court of Justice (ECJ) has put the onus squarely on the United States to come to the table with a solution, and the expected timeframe for a resolution is summer 2016 at best. The core requirement behind Safe Harbor is that EU citizens’ data must be afforded the same protections overseas as it has at home. The guidance from EU data protection authorities since the ruling is unchanged: companies moving EU personal data to the US should rely on “alternative transfer tools”, meaning Binding Corporate Rules (BCRs) or Model Contract Clauses (MCCs), both of which take time and money to implement. So our original guidance still stands, and the US delay in getting an alternative on the table makes it more important than ever for US companies doing business with the EU to figure out their own strategy and roadmap.

4) Mass Internet Surveillance Goes Global

Even though the EU currently upholds its Data Protection Directive and the rights of its citizens, the threat of terrorism is omnipresent and seemingly increasing every day, and it is easy to imagine a future where the tables have turned. Governments, developed and developing alike, citing the need for citizens’ safety, will demand and gain more control to monitor citizen activity. In the immediate reaction to a terror attack this seems like the logical thing to do, but powers granted during such stressful times are rarely pulled back (or only with difficulty), and the indiscriminate effects of mass data collection will make oppressive regimes even more oppressive (some would argue that even the seemingly democratic ones could slip to the Dark Side). In the Western world this can and will be devastating to the freedoms we take for granted.

5) Sophisticated Malware / 0 day Attacks = More Breaches

2015 was a year of high-profile breaches, including Sony, Anthem, OPM, Hacking Team, Ashley Madison and many others that did not make the news. Each one reveals significant flaws in the target’s security program, which only inspires other attackers to try their luck on a host of fresh victims. Aside from the opportunity for fame and hacker glory, Paranoid Tech sees this trend continuing due to:

  • High numbers of dormant and undiscovered breaches that will be revealed in the coming year
  • More sophisticated zero-day attacks – the black market for zero-day exploits is alive, well and growing – and vendors’ secure coding practices haven’t caught up yet
  • More sophisticated polymorphic malware, using covert channels, that will be harder to detect and will operate in a more targeted manner
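The third bullet is the one defenders can do something about in their own tooling, so here is an added example (not code from the original post, and not modelled on any real malware family) of why polymorphism defeats file-hash blocklists and what still works. A toy single-byte XOR packer stands in for a polymorphic engine: every variant carries a fresh key and the same payload encoded under it, so each variant has a different SHA-256 but identical behaviour. The payload text, the signature fragment and the two-byte `PX` container format are all constructed for illustration.

```python
"""Why file-hash signatures miss polymorphic malware, and what works instead.

Added example for this post (not code from the original page or any real
malware family). A toy single-byte XOR "packer" stands in for a polymorphic
engine: every variant carries a fresh key and the same payload encoded
under it, so each variant has a different SHA-256 while behaving the same.
The payload text, the signature string and the 'PX' container format below
are all constructed for illustration.
"""
import hashlib

# Constructed stand-in for malicious code; the signature is a fragment of it.
PAYLOAD = b"CONSTRUCTED PAYLOAD: connect c2.example.invalid:4444; spawn shell; persist"
SIGNATURE = b"connect c2.example.invalid:4444"
MAGIC = b"PX"  # constructed container layout: MAGIC | key byte | XOR'ed body


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_variant(payload: bytes, key: int) -> bytes:
    """Produce one polymorphic variant: same payload, different bytes on disk."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    return MAGIC + bytes([key]) + xor_bytes(payload, key)


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def hash_detect(blob: bytes, known_hashes: set) -> bool:
    """Blocklist-style detection: exact file-hash match only."""
    return sha256_hex(blob) in known_hashes


def unpack(blob: bytes):
    """Format-aware unpacking: only works once the packer format is understood."""
    if len(blob) < 3 or blob[:2] != MAGIC:
        return None
    return xor_bytes(blob[3:], blob[2])


def content_detect(blob: bytes, signature: bytes) -> bool:
    """Match a content signature (stand-in for a YARA rule) on the unpacked payload."""
    payload = unpack(blob)
    return payload is not None and signature in payload


def xor_brute_detect(blob: bytes, signature: bytes, skip: int = 3) -> bool:
    """Format-agnostic fallback: try every single-byte XOR key on the body and
    look for the signature. Cheap, and a common trick against simple packers."""
    body = blob[skip:]
    return any(signature in xor_bytes(body, k) for k in range(256))


def demo(n_variants: int = 5):
    """Return (distinct hashes, hash-based hits, content hits, brute-force hits)."""
    variants = [make_variant(PAYLOAD, key) for key in range(1, n_variants + 1)]
    known = {sha256_hex(variants[0])}  # the analyst only ever saw the first sample
    distinct = len({sha256_hex(v) for v in variants})
    hash_hits = sum(hash_detect(v, known) for v in variants)
    content_hits = sum(content_detect(v, SIGNATURE) for v in variants)
    brute_hits = sum(xor_brute_detect(v, SIGNATURE) for v in variants)
    return distinct, hash_hits, content_hits, brute_hits


if __name__ == "__main__":
    print(demo())  # five variants: five hashes, one hash hit, five content hits
```

The takeaway for a detection program: a hash of the last sample catches exactly that sample, while a signature on the decoded content (or on behaviour observed at runtime) catches the whole family. Real packers are far more elaborate than one XOR byte, which is why sandboxes and emulators do the unpacking rather than a 256-iteration loop.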

6) Spending on Data Breaches & Cyber Threats Continues Unabated 

With the unprecedented number of high-profile data breaches and increasing mitigation expenses, there is a parallel uptick in information security spending. According to 451 Research’s Q2 2015 Voice of the Enterprise survey on Information Security, the largest group of companies (44.4%) spend 5-10% of their IT budget on information security, and the great majority (95%) expect to maintain or increase their spending on information security over the next 90 days (note: the 3Q 2015 report shows that the number of respondents increasing spending went up another 10% in one quarter). The PwC Global State of Information Security Survey 2015 found that information security budgets have grown at almost double the rate of IT budgets over the last two years. In short, information security and its business-unit companions risk, compliance and audit will continue to be critically important for the foreseeable future.

7) Dawn of the (IoT) Zombie Army

Due to lax security settings in embedded devices (default credentials and exposed management services being the classic examples), it is quite possible that we will see IoT (Internet of Things) Zombie Armies. Otherwise known as a botnet, a zombie army is a set of devices that, unbeknownst to their owners, have been compromised and take orders from a remote controller: relaying spam, probing and infecting other devices on the Internet, or flooding a target. This has been predicted since the early 2010s; the difference now is that we have critical mass. Gartner says 6.4 billion connected "things" will be in use in 2016, up 30 percent from 2015. It also creates a scary opportunity for mounting massive DDoS attacks. As soon as an IoT zombie army becomes a reality, expect a swift uptick in the defense of IoT networks and a tightening of DDoS defenses. Just don’t expect IoT device vendors to come to the rescue with patches!
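Since the vendors will not ship patches, the practical defense is to watch what the devices do on your own network. The following is an added example (not code from the original post or from any product) that reads a constructed, NetFlow-style connection log and flags the two behaviours a recruited IoT device exhibits: probing other hosts on telnet ports to infect them, and hammering a single target as part of a DDoS. The device inventory, the thresholds, the 120-second window and the sample flows are all assumptions made for illustration.

```python
"""Spot IoT devices behaving like botnet zombies from a connection log.

Added example for this post, not code from the original page or from any
product. It reads a constructed, NetFlow-style log (one outbound flow per
line: unix timestamp, source IP, destination IP, destination port, bytes)
and flags two behaviours an IoT zombie exhibits: scanning other hosts on
telnet ports to recruit them, and flooding one target (DDoS participation).
The device inventory, thresholds and sample flows are all assumptions.
"""
from collections import Counter, defaultdict

# Constructed inventory of embedded devices on the LAN (assumption).
IOT_DEVICES = {"10.0.0.21": "ip-camera", "10.0.0.22": "dvr", "10.0.0.23": "thermostat"}
TELNET_PORTS = {23, 2323}  # classic recruitment vectors for embedded devices


def build_sample_log() -> str:
    """Constructed flows: a benign thermostat, a scanning camera, a flooding DVR."""
    base = 1452153600  # arbitrary epoch (2016-01-07T08:00:00Z)
    lines = []
    for i in range(5):  # thermostat: one vendor-cloud check-in every 10 minutes
        lines.append(f"{base + i * 600} 10.0.0.23 198.51.100.10 443 900")
    for i in range(40):  # camera: telnet probes to 40 hosts within two minutes
        lines.append(f"{base + i * 3} 10.0.0.21 192.0.2.{i + 1} 23 60")
    for i in range(200):  # DVR: 200 tiny flows to one web server in 20 seconds
        lines.append(f"{base + 100 + i // 10} 10.0.0.22 203.0.113.9 80 40")
    return "\n".join(lines)


def parse_flows(log_text: str, devices: dict):
    """Keep only flows whose source is a known IoT device; return them sorted by time."""
    flows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        if src in devices:
            flows.append((int(ts), src, dst, int(dport), int(nbytes)))
    flows.sort()
    return flows


def analyze(log_text: str, devices: dict, window: int = 120,
            scan_threshold: int = 20, flood_threshold: int = 100) -> dict:
    """Return {source IP: [finding, ...]} for devices that exceed a threshold
    inside any sliding window of `window` seconds."""
    by_src = defaultdict(list)
    for flow in parse_flows(log_text, devices):
        by_src[flow[1]].append(flow)

    findings = defaultdict(list)
    for src, flows in by_src.items():
        max_scan, max_flood = 0, (0, None)
        j = 0
        for i in range(len(flows)):
            # advance j so that flows[i:j] is everything within `window` seconds of flows[i]
            while j < len(flows) and flows[j][0] - flows[i][0] <= window:
                j += 1
            win = flows[i:j]
            telnet_targets = {f[2] for f in win if f[3] in TELNET_PORTS}
            max_scan = max(max_scan, len(telnet_targets))
            dst, count = Counter(f[2] for f in win).most_common(1)[0]
            if count > max_flood[0]:
                max_flood = (count, dst)
        if max_scan >= scan_threshold:
            findings[src].append(
                f"telnet-scan: {max_scan} distinct hosts probed within {window}s")
        if max_flood[0] >= flood_threshold:
            findings[src].append(
                f"flood: {max_flood[0]} flows to {max_flood[1]} within {window}s")
    return dict(findings)


if __name__ == "__main__":
    for src, hits in analyze(build_sample_log(), IOT_DEVICES).items():
        print(f"{src} ({IOT_DEVICES[src]}):")
        for hit in hits:
            print("  " + hit)
```

The inventory is the important input: a thermostat has no business opening telnet sessions to forty strangers, so the thresholds can be far tighter for embedded devices than for a workstation. Feed it real flow exports and the same two rules give you an early warning before your devices show up in someone else's DDoS.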

8) Qualified CyberSecurity Professionals Will Still Be Hard to Find

Symantec’s annual tracking of the demand for cybersecurity professionals reveals a disturbing trend: by 2019, workforce demand will expand to over 6 million positions globally, with a (currently) projected shortfall of 1.5 million. While Symantec, Cisco and a variety of universities are driving STEM education to ease the pain, this takes time, and security managers report significant obstacles to implementing security projects due to lack of staff expertise and inadequate staffing, says 451 Research; the net result is that only 24% of enterprises have 24x7 monitoring in place using internal resources. Given the projected increase in spending and the lack of people to spend it on, a safe bet is to capture good talent now and make sure their skills are laser-focused on your business’s problems.
