Increasingly, the story of technology is a story about security. Whatever promising conceptual leap or paradigm shift captures the headlines, the news soon focuses on security. Nothing is immune to attack. Dante or Milton would understand the binary nature of today’s security struggle, if not its context: light versus dark; safety versus danger; mine versus yours.
Nobody is looking to sterilize the Internet and plow salt into its circuits. But we don’t want to expose our assets and data for the profiteering, exploitation, and destruction of hostile strangers, either. We want to control the vanguard, outthink our adversaries, and anticipate their next move.
Foreseeable in 2019 and beyond
We’ll never see a headline like “Hackers surrender secrets, offer amends, and vow transparent, productive lives.” But the story is not all bleak by any means. In the game of “gotcha” that describes our technology landscape, security challenges spawn employment opportunities, social insights, scientific innovation, and revenue.
Besides, as hackers themselves remind us, without their constant testing, we face the fate of the flightless dodo—optimally adapted to its environment throughout millennia and needing no defenses because predators didn’t exist in its world.
Until they did.
So security is not just avoiding incidental attacks of ransomware, BEC, WannaCry, and their ilk. It’s about anticipating and preparing for what Nassim Nicholas Taleb termed a “black swan”—a massive event that seems too remote and implausible to actually happen and yet, paradoxically, does happen.
As we’re cautioned time and again, the current calculus is not whether you will be attacked: it’s when, by whom, with what, and the damage you will sustain. The mantra in today’s security world is preemption. The worst time to defend oneself from a breach is after it has happened. As Radiohead opines, “No alarms and no surprises, please.”
There is little argument that hackers are in ascendance right now and setting the pace, to the point of brazenly commoditizing their attack infrastructures. There are even low-cost phishing kits and tools, including head-shakers like RaaS (Ransomware as a Service) and “ransomworms”—self-replicating ransomware, with individual components available for sale. Botnets are rentable, and application exploits are going for bargain rates.
Verizon’s 2018 Data Breach Investigations Report reveals that 50 percent of breaches are the work of organized criminal groups, while about 12 percent are nation-state or affiliated threat actors. This cast of characters populates the following scenarios—not science fiction scripts, but environments that we may someday have to survive in.
In its Global Risks Report 2018, the World Economic Forum foresaw a flock of oncoming black swans, from which we drew those that particularly relate to the technology arena. We also relied on a thoughtful CIO Magazine analysis of the cyberthreats facing us over the next couple of years. Much of that article is based on the nonprofit Information Security Forum (ISF) report, Threat Horizon 2019: Disruption. Distortion. Deterioration. Given the chance that we may encounter some of these in the near future, we’re also including defenses suggested to preempt, manage, or mitigate the damage.
Following are ten cyberthreats—among others—that fit the category of your basic nightmare.
Artificial intelligence weeds proliferate and choke the Internet
The Global Risks Report foresaw out-of-control AI as a potential major threat on the horizon. As AI grows more sophisticated and we rely on code to write code, we can lose the ability to track and control it. The CIO analysis brings up the risks of AI automating increasingly complex decisions and learning from wrong or incomplete information, leading to inaccurate conclusions. Farther down in the spiral of darkness, threat actors might weaponize AI “weeds,” crippling service delivery and the Internet of Things (IoT), and causing governments to wall off Internet terrain in defense. Humans can be crowded off the Internet, with bizarre consequences.
Oversee decisions taken by the AI system; ensure the system can be manually shut down if a serious incident occurs. Recruit talent who understand and can manage AI. Collaborate with industry peers and academic bodies to develop best practices for AI deployment. A robust regulatory framework of norms and structured AI governance is vital.
Nation-state cyberattacks escalate out of control
The World Economic Forum raises a fear that is on everybody’s radar: the spectre of deficient governance, in which aggression outruns our ability to deal with hostile incidents, triggering retaliations that compromise critical infrastructure. The consequences can include disruption of essential services as new actors join a widening conflict and cyberweapons spread.
Agreed-upon norms and protocols help prevent conflict from erupting by mistake. Transparency, proportionality, and non-proliferation should be codified, and some classes of cyberweapons prohibited, as biological and chemical weapons have been.
Regulations, cybersecurity, and protectionism fragment the Internet
Another malignant scenario envisioned by the World Economic Forum is government-driven breakup of the Internet via national or regional firewalls. This might be triggered by economic protectionism, regulatory disagreements, censorship, and political repression. The consequences include slower or even barred flow of content and transactions, hampering technology development and commerce.
Cybersecurity governance can reduce the disruption and theft that trigger ‘superfirewall’ implementation. Dialogue among governments and technology companies can ensure that Internet-based resources develop amid shared values and responsibilities.
Dependence on fragile connectivity invites disruption
Among its many other concerns, the CIO article warns that organizations relying on fast, uninterrupted connectivity are growing vulnerable to attacks on core Internet infrastructure, devices, and employees with access to mission-critical information. Viewing the Internet as a commodity or utility that will always “be there,” like the sun, makes for insufficient backup and inadequate ability to respond to attack or disruption.
Organizations need to rethink and harden business continuity and disaster recovery plans. Plans relying on remote employees won't withstand attacks that destroy connectivity or target key individuals. ISF recommends that revised plans cover threats to physical safety as well as periods of operational downtime caused by attacks on infrastructure, devices, or people.
Premeditated Internet outages depress commerce
As global conflicts intensify, ISF predicts that within the next two years, nation-states and other groups will try to cause widespread disruption and harm trade by triggering Internet outages at local or regional levels. Commercial, industrial, and government organizations and utilities are at massive risk. Physical destruction of cables, distributed denial of service (DDoS) attacks, harnessing of massive botnets, or manipulation of Internet addresses can prevent traffic from arriving.
Containing this type of onslaught requires coordination by central governments through national critical infrastructure programs. Individual organizations must also plan to address the risk of recurrent attacks. Companies should create alternative supply chain models for critical systems and services, as well as alternative methods of communication. Governments, communications providers, competitors, and industry forums must cooperate on contingency plans for failed Internet communications.
Ransomware hijacks the Internet of Things (IoT)
CIO article author Thor Olavsrud raises the issue that cybercriminals will focus ransomware efforts on smart devices connected to the Internet of Things (IoT). They may go beyond mere attacks and use their targeted victims as gateways to install ransomware on other devices and across organizations. In healthcare, lifesaving solutions can become useless; transportation resources such as railroads and airliners are at risk. Driverless cars rely heavily on embedded smart devices. We are unquestionably tardy in addressing this risk.
Manufacturers and marketers of smart devices must address security vulnerabilities and continuity planning, as well as develop impact assessment and fallback strategies for ransomware attacks. Devices need comprehensive security features, minimum standards, and frequent upgrades, so as not to become “low-hanging fruit” for hackers. Manufacturers and customers must collaborate on gathering threat intelligence.
Employees are blackmailed, bribed, fooled, or intimidated
Over the coming years, global criminals will continue to stalk and threaten insiders to get their hands on mission-critical financial details, intellectual property, and strategic plans. Look for increased targeting of insiders via phishing-delivered Business Email Compromise (BEC) and other imposter fraud.
Identify mission-critical information assets, and learn who owns and accesses them. Ensure that individuals with privileged access are protected and educated on social engineering exposure and fraud. Use screening and contracts to protect against insider threats, with a trust-but-verify approach to privileged insiders. Monitor system access.
Chatbots warp trust by distorting information
Advanced AI posing as chatbots can mimic humans nearly perfectly. Attackers can spread misinformation targeting commercial organizations without even breaching an organization's digital boundary. By deploying hundreds of chatbots per attacker, hackers can spread malicious information and rumors over social media and news sites to manipulate a company's share price or gain other competitive or financial advantages.
Organizations must proactively address misinformation by monitoring what others say about the organization online and tracking any changes made to internal information. Recognize threats and plan incident responses via training scenarios to address the damage. Monitor social media before and after big organizational announcements. Lobby governments to prosecute fake news and misinformation. Encourage employees to spread legitimate news and report suspicious posts.
Falsified information compromises performance
The increasing reliance of organizations on data to drive decision-making opens opportunities for criminals to attack the data itself. CIO’s article warns that three types of attack on information integrity will soon become commonplace: distorting big data sets used by analytics systems; manipulating financial records and reports; and leaking of false information. This could affect industries such as pharma, which relies on big data analytics for modeling and trialing new therapies.
Commit deeply to validating and maintaining the integrity of key databases, assess the risks of compromised information, and dedicate qualified people to gauging business impact. Share intelligence with peers about attacks on information integrity. Consult legal professionals before making information public to counter false claims.
Subverted blockchain systems diminish trust
Blockchain technology promises to ensure transaction integrity without requiring a trusted third party. But blockchains themselves are vulnerable to compromise due to weak encryption, hashing, and key management, as well as poorly written programs, incorrect permissions, and inadequate business rules. A compromised blockchain could lead to unauthorized transactions or data breaches, diversion of funds, fraud, and even validation of fraudulent transactions.
Build security into the design, implementation, and operational phases of blockchain-based applications. Motivate close collaboration among business managers, developers, and information security professionals. Certify employees on secure usage and detection of suspicious activity.
Business and security leaders must prepare for these threats through risk assessments, negotiations with communications providers, legal understandings of new regulations, and a workforce trained and ready to adopt and employ advanced technology.
Security Challenges Beckon with Workforce Opportunities
We have seen how even a few criminals or nation-state threat actors can damage ingenious initiatives that benefit millions. More than ever, we need dedicated IT professionals who can think proactively and outmaneuver those who would harm us.
If any message comes through in these thoughtful analyses, it’s that preempting disaster calls for a coordinated sense of mission from executive management and government, across geographies and technologies—and to the people who implement these advances and keep them operational.
For more on cybersecurity challenges, visit the cybersecurity/security site at our Learning@Cisco library and browse our in-depth white papers.
Cisco also offers hands-on security training and insights in our CCNA Security webinars.