Can we expect a cyberwar resurgence?
Neohapsis security experts predict that next year there will be a cyberwar resurgence, the cloud will begin to show its hidden costs, and privacy will continue to lose in the US legislature.
1. We’ll see a cyberwar redux: Details on nation-state cyber capabilities and activities of countries other than the known big players will begin to be revealed.
Geopolitics has many fronts, and it’s to your advantage to play in every event. So, it’s fair to assume there are players as yet unknown – whether smaller countries or larger ones that haven’t been exposed yet.
In addition to political battles over the internet’s fate [see prediction 4 below], countries will continue to covertly gain advantage over each other via the internet. We will begin to see more details on the activities of countries other than the USA (and allies), China, Russia or Iran. While you can probably guess the obvious players, those that come to mind as likely undertaking cyber activity under the public’s radar include: India, Indonesia, Brazil, Pakistan, Japan, Mexico, Germany, France, Italy, and South Africa. And that’s only going through the top 25 countries by population!
2. The cloud will begin to show its unseen costs: We will see an increasing number of breaches of customer-specific cloud assets. This won’t be due to weaknesses in the cloud service or its technology but on the integration, configuration, and operation of it by the customer.
The burden of good cloud system management comes at a cost, but this cost is often downplayed in marketing or overlooked in business decisions. While the cloud can offer massive efficiency and cost gains, it’s easy to see only the sticker price, and not the real costs. Cloud services can offer huge efficiency and cost advantages, however they can add operational security burden if not carefully (and knowledgably) deployed and integrated with the organization’s existing systems. Just because something can be highly secure doesn’t mean that it necessarily is in the way you’re using it.
Likely scenarios include the leakage of organization IP from poorly access-controlled cloud systems, attack pivoting via cloud services (where the customer has internal systems attacked via the cloud system’s network link), and unauthorized access resulting from cloud-system accounts which are not synchronized with the central identity store.
3. Privacy will continue to lose out to opposing parties in US Legislature: In response to public awareness and outcry, we will see a failed attempt to pass electronic privacy protection regulation in the USA, attempting to follow the lead of countries such as Germany. This will target private companies under the guide of protecting teenagers, and will exclude government programs. However, irrespective of voter support, market forces and lobbying by interested parties will quash this.
4. The Internet governance battle will continue: There will be yet another showdown between the US and the rest of the world on control and regulation of the internet.
In recent years, questions and concerns have been raised about US dominance in the Internet’s governance. These concerns have been raised in international bodies (e.g. IETF, ICANN, the United Nations), and some parties have pushed for changes to limited success so far. Nevertheless, these concerns have resulted in some countries attempting to reduce their reliance on US benevolence by either strict internet controls (as in China) or through a “parallel internet” (as Iran has discussed).
The USA has generally stood on the side of online freedom – except where copyright is concerned – but those pushing for change are largely seeking to restrict freedom of communication or information. Any change away from online freedom is concerning. Whether IETF, ICANN, or the United Nations, the internet will continue to be a space for political forces to battle. However, US adversaries will begin to form a more coherent opposition.
5. DDoS will get sneaky: DDoS attackers will accelerate a move from simple volumetric attacks to attacks which take advantage of a site’s specific performance.
DDoS attacks that intelligently target bottlenecks in performance, such as pages with a high server load (e.g. database writes) or specific network bottlenecks (e.g. login/session management), can magnify impact over attacks which are volume-based or naively request the homepage of a site.
Whether naive guessing, timing analysis, or adaptive statistical analysis during the attack, these attacks will require targets to deal with the specific part of their site that is causing problems rather than dealing with it at a purely network level. We will begin to see the spread of tools which profile specific targets and attack based upon certain weaknesses in configuration or implementation. Attackers will begin to use adaptive and intelligent DoS techniques, and as a result, we will begin to see performance impacts disproportionate with traditional DDoS, and the need for more nuanced defense strategies than many are using currently.
6. Encryption technologies will undergo increased scrutiny: In the wake of revelations about the ability of governments to intercept and decrypt data that was thought to be secure, encryption technologies will be reexamined to look for weaknesses both intentional and accidental. Look for particular attention to be paid to cryptographic block modes like CBC and OFB as well as authenticated modes like EAX, CCM and GCM. In addition to the encryption methods themselves, look for critical thought around key management and forward security. While it’s not likely that much will come of these explorations, the simple fact that vast quantities of data previously considered inviolate was in fact exposed will make the more paranoid AND the academic minded among us pay closer attention to encryption as a whole.
7. A foreign power or organized cybercrime group will have breached a mid-sized or municipal utility breached by for a long period: The last few years saw a great deal of attention paid to the security of utilities as a result of Smart Meter roll-outs and highly-publicized SCADA vulnerabilities. Now that the hype has died down, attacks will be stepped up, but in a more cautious fashion. It is widely expected that a number of utilities have been breached over the last decade, however now that they are being held to account by more and more government regulation, the compromised utilities will be found and the facts will leak to the public. Mid-sized and municipal utilities tend to be chronically understaffed and under resourced in IT departments. Without the resources available, corners are cut on both internal and external security. This leaves high value targets like water, electrical, natural gas, and wastewater open to easy compromise.
8. Legacy problems will escalate: Whether it’s the use of substandard security, or simply systems that were designed in a different age, legacy systems will ever-increasingly fall prey to attack.
Even when companies adopt good security and development practices old systems often linger with their past security problems exposed to the world – securing new things is an easier sell then securing systems due for sunset shortly.
Legacy systems will become even more vulnerable as connectivity increases, and even more attractive as targets. These systems include everything from abandoned parts of websites to critical national infrastructure and they will haunt us for decades to come.