The Year in Cybersecurity: The Story So Far
Industry tackles an array of cyber challenges.
With the arrival of June, we’re at the halfway point of an already busy year for the cybersecurity industry. With each passing year, our sector continues to demonstrate its evolving approach to fighting cyber threats, as cyber crime itself continues to evolve.
As both business and government move forward with digital transformation initiatives to improve processes and efficiency, the overall security attack surface continues to expand with more potential points of access for criminals to exploit. However, our industry is tackling these challenges head-on, with numerous innovative solutions continuing to come to market.
So, what have been the key trends of 2018 thus far? From attending trade shows, to speaking to customers, partners, analysts and the media, several examples have come to the forefront.
Nation-state sponsored attacks continue to be a significant threat.
The Russian-based attacks on critical infrastructure in the United Kingdom, United States and Australia in April were a stern reminder that the threat of nation-sponsored cyber attacks cannot be ignored. These attacks saw millions of machines compromised—everything from consumer routers to critical infrastructure, including energy grids and Internet service providers. Recent news of the FBI battling a malware and botnet ring run by the Russian "Sofacy" or "Fancy Bear" group, linked to hacking campaigns on behalf of the Russian government, also shows these attacks are an attack on U.S. national security.
In the case of critical infrastructure, the software can often be years (if not decades!) out of date, highlighting the need to secure legacy operation technology, such as industrial control systems and supervisory control and data acquisition systems. The convergence of information technology and operational technology is creating another path for attacks. Many of these were developed and installed without the modern IT network in mind, creating a path of least resistance that may disrupt operations in manufacturing and with critical infrastructure in both public and private operations. Not only do the perimeters and pathways of these networks need securing, but we also need to ensure all the data generated and accessed by these systems is secure as well.
AI and machine learning.
The twin buzz words of artificial intelligence (AI) and machine learning continue to crop up in almost every discussion, and you don’t have to go far to find companies leveraging them for security applications. But where should AI fit into the overall security stack?
Overall, the potential for AI and machine learning to improve current cybersecurity solutions looks positive, particularly in light of the growing cybersecurity skills shortage. Most are looking at using automation and machine learning algorithms in analytics or to speed through repetitive tasks, saving time and resources. However, there is debate as to whether AI can be touted as a security product itself or as merely a feature. The other side of the argument is that the technology is not just exclusively for white hat security practitioners. While the merits of the technology are promising, it’s wise to remember AI is being used by threat actors to aid cyberattacks, adding another layer of complexity to the cybersecurity puzzle.
All Things Blockchain.
In business, blockchain is the new black, and cybersecurity is no different. But there was some skepticism and cynicism around the distributed ledger technology. MIT professor and cryptographer Ron Rivest remarked on a panel of cryptography “all stars” at April’s RSA Conference that “Blockchains are often viewed as security pixie dust. If you add them to your application, they magically make it better.”
Given blockchain’s reliance on public key infrastructure crypto, it will be worth monitoring how they tackle upcoming quantum computing attacks to which public key infrastructure will be particularly vulnerable. Distributed ledger technology may not be pixie dust, but the consensus among the speakers at RSA was that blockchain is no magic bullet. Rather, as Marta Piekarska of the Linux Foundation noted in another panel, blockchain is more like a “very advanced screwdriver.”
The Age of GDPR.
It’s likely you’ve just finished clearing your inbox of all those polite emails from companies asking permission to keep in touch. Yes, we are in the Age of GDPR. But despite the sweeping impact it could have on businesses across the globe, it has not been as popular a subject as you might think.
Why? Well, according several analysts, we should have talked about GDPR a lot more last year. What’s happening now is that everybody is talking about the impact of GDPR moving forward, while many are in a “wait and see” mode, with no apparent urgency to meet the requirements. Only time will tell if this is a wise strategy. It will be interesting to watch this topic over the next few months and see when the first big enforcement story will hit the news.
Diversity is still an issue.
The recent RSA Conference was chided for not having enough diversity in the keynote panels, particularly when it comes to women. While more women are attending and otherwise taking part in the event, the numbers are still low, especially compared to other tech industries.
As I noted in a post in SC Magazine last year from a Security Innovation Network (SINET) event, while women do represent a minority of those attending the SINET events, the trends are positive, with attendance by women moving from 13 percent in 2007 to nearly 20 percent last year. Because of the public challenge in the media and social media, RSA Conference organizers even acknowledged the diversity issue in a blog post response. We should note that gender isn’t a concern to cyber criminals, so why not welcome all voices?
The cloud continues to be a key theme, as every company seems to have some sort of cloud security solution. Business decisions need to be made beyond just capital expenditures and operational expenditures when plotting digital transformation efforts. Encryption and data security in the cloud and in transit are essential, but there are other things to consider, including how to manage encryption and key management with hybrid networks as well as on-premises servers. This brings a whole new discussion to the table on how businesses handle key management, the idea of “bring your own keys” for cloud storage, and the overall versatility and control gained by an appliance approach vs. cloud.
The Cloud Security Alliance released its State of Cloud Security 2018 report a few months back, exploring how security requirements should be met, how to best work with regulators, the evolving threat landscape and more. Some key takeaways? Work collaboratively and swiftly as an industry in responding to attacks, leveraging a staged approach when migrating sensitive data and critical applications to the cloud, and practice strong security fundamentals to demonstrate compliance rather than using compliance to drive security requirements.
The Quantum Threat.
We’ve had many conversations around this topic, and many people have been interested in learning more about quantum resilience, as well as the potential of quantum key distribution communications. As a quantum cybersecurity company, we’d like to highlight that while mature quantum key distribution and quantum-resistant algorithms are still in development, there is plenty that organizations can start to do to prepare, starting with implementing true random number generation alongside robust key management and symmetric key wrapping.
This has been an exciting and stimulating year thus far, and I’m sure more trends will emerge to take us into 2019 and beyond. However, as noted above regarding GDPR, could it be that next year’s major trend is right under our noses? Are we perhaps moving too slowly? Only time will tell, but from what this year has offered up so far, I’m confident that our industry can tackle head-on all the challenges and threats thrown at it in the months and years to come.
Jane Melia is vice president of strategic business development at QuintessenceLabs, a provider of quantum cybersecurity solutions and maker of quantum random number generators.