As cyber security pros look to 2017, there’s no shortage – as in previous years – of predictions that we’re going to see more of the same: More spear phishing attacks, more DDoS attacks, more ransomware, more suspected state-sponsored intrusions …
But the year may also be notable for another reason: The return of the fight to give police easier access to encrypted devices and documents through backdoors.
“In the Western world I’m sure we’ll see increasing pressure to do that,” says Jacob Ginsberg, senior director of products at Toronto-based Echoworx, which makes enterprise email encryption solutions.
“Canadian police came out this past summer saying they want access to people’s phones as part of an investigation … We’re seeing a pretty serious erosion of our privacy by way of technology.”
With the installation of Donald Trump as president, a number of observers believe the fight over giving law enforcement and intelligence agencies in the U.S. better access to encrypted communications and devices will be re-opened after having been smothered in 2016.
It’s a debate that was included in the just-closed federal public consultation on a new Canadian national security framework, which saw the IT and telecom industry line up against any law forcing makers or distributors of encryption solutions to add backdoors to their software or make decryption keys available.
A discussion paper included the police arguments that encryption of mobile devices and data has stalled some investigations, although it also included arguments about expectations of privacy.
Meanwhile in the U.K. the new Investigative Powers Act came into effect in November, which allows the government to ask developers there to remove encryption – where practical – that they have applied to a solution.
This year saw the encryption fight burst into the open when Apple refused an FBI request to help it crack a suspect’s iPhone by installing a version of iOS that could break the password. The bureau found another solution, but observers note that at the time Trump told a TV show “To think that Apple won’t allow us to get into her cellphone? Who do they think they are?”
Others note that Trump’s nominee to head the CIA has criticized Silicon Valley’s opposition to encryption backdoors. Watch to see if Republican Senator Richard Burr, the chairman of the Senate intelligence committee, re-introduces his backdoor legislation.
As it looks over the responses to its public consultation, the Trudeau government will be keeping one eye out on what’s happening south of the border. It is unlikely the government will be ahead of the U.S. in the encryption debate. On the other hand, if Congress passes a backdoor law it may be hard for Parliament to refuse.
A greater push by governments around the world to the private sector to get serious about IT security. “Ignoring the regulations or inching toward adherence will no longer be acceptable. Extensive progress will be expected – and required.”
–Tom Kemp, CEO, Centrify
Hackers are moving away from data theft and website hacking to manipulate data integrity. Attackers will use their ability to hack information systems to cause long-term, reputational damage to individuals or groups through the erosion of trust in the data itself – particularly worrisome for industries that rely heavily on public confidence (healthcare, finance, government).
Also, the Internet of Things will become the Internet of Vulnerabilities. We are already seeing this happen and they will continue to occur. In the breach of DNS service Dyn in October, the Mirai malware spread rapidly across an unprecedented number of devices. But many hacks of IoT devices this year have gone unreported, including those of printers, air conditioning units, video conferencing cameras, and even a coffee machine.
Gigabit connectivity … will enable the IoT and a new class of applications to emerge that will exploit the combination of big data, GPS location, weather, personal-health monitoring devices, industrial production and much more. Connectivity is now so affordable and prevalent that sensors are being embedded everywhere, increasing the flood of data and creating an ecosystem of embedded devices that are nearly impossible to secure. This will raise issues not just over privacy and data access, but also will expand the threat landscape exponentially, increasing the security burden for many organizations that are unaware of the scale and penetration of internet-enabled devices that are deploying IoT solutions without due regard to risk management and security.
Criminal organizations will continue their ongoing development and become increasingly more sophisticated. The complex hierarchies, partnerships and collaborations that mimic large private sector organizations will facilitate their diversification into new markets and the commoditization of their activities at a global level. Some organizations will have roots in existing criminal structures, while others will emerge focused purely on cybercrime. Organizations will struggle to keep pace with this increased sophistication and the impact will extend worldwide. Rogue governments will continue to exploit this situation and the resulting cyber incidents in the coming year will be more persistent and damaging than organizations have experienced previously, leading to business disruption and loss of trust in existing security controls.
–Steve Durbin, Managing Director, the Information Security Forum
WikiLeaks will be used to topple key leaders in national governments; #BlameRussia will become trendy on the Internet; a Cyber NATO will be created to implement international cyber policy; and ransomware will eclipse traditional malware as the #1 cyber threat for companies.
– Anup Ghosh, CEO, Invincea
Containerized platforms and cloud environments will become the primary attack surface for cyber attackers in 2017. Also, as many new attack surface areas (e.g., IoT, containerized platforms) lack tools to secure and/or monitor vulnerabilities, organizations will fall back to traditional security practices – especially penetration testing will regain popularity despite its cost implications.
Meanwhile new technology will emerge that empowers organizations to aggregate their otherwise silo-based internal security intelligence, contextualize with external threat information, and then prioritize based on business risk.
– Srinivas Mukkamala, CEO, RiskSense
Security stack complexity will continue to increase even more rapidly than attack surfaces, greatly increasing the tension between doing business (having low-friction systems and processes) and being in business (avoiding major security incidents), making it vital that enterprises have the capability to conduct rapid, accurate investigations into security incidents. Security teams will be increasingly inundated by incidents requiring investigation. The only solution is to automate the routine parts of their workflow to help speed up the analysis process.