2015: When Things Get Serious
Let’s start looking at the future of the IT Security landscape by reviewing the past. I made some predictions last year for InfoSec Institute. The article started off with a clever disclaimer that all subjects in the IT Security world are new and are still pioneering in their fields, so that anything can happen within a year.
Looking back, though, most of my predictions happened as expected. The ongoing politics around cyberwar and privacy, the increase in organized cybercrime, the increase in the use of encryption and biometrics: it was all there in 2014. What many did not expect last year, however, is how fast the developments would actually take place. This is not only promising for the acceptance of cyber risks and the need to control them; unfortunately, it also shows how vulnerable we have actually become to relatively simple attacks.
In IT security, the buzzword of 2014 has been certainly been “cyberwar“. It’s not a new word, but it was previously mostly used in movies and science fiction books. But now, it has been picked up by the press, senior politicians and even by the general public. There are almost too many examples to mention. The debate is still ongoing about the Sony breaches, which the US claims were organized by North Korea. The digital long-range shots between the US and China seem to be intensifying in the meantime. The Russians are also weighing in with their bid. More and more news on this topic is hitting the mainstream media. Where does this stop? Probably never: This is the future.
We will see more and more news on this topic. The coming year will be a continuation of this cyber warfare escalation, which seems to be an area in which governments can spy on and attack each other (within certain constraints) without the need to deal with serious consequences. Last year, I discussed the NSA / Snowden case. Even though there are still ongoing revelations, the public seems to have lost interest and seems to have mostly accepted the fact that they and their governments are continuously monitored by the US government. The latest revelations describing the NSA’s capabilities of cracking encryption methods such as AES, which were previously regarded as safe, barely raised any eyebrows.
There seems to be too much information to keep catching the public’s eye. People have a very short attention span when it comes to news. Who even knows what happened with Angela Merkel’s tough words she spoke after finding out the US government had digitally spied on her? Try to Google any useful news article on this topic written in the last 6 months. Good luck finding one. The bar has been raised significantly to catch the public’s attention now, and something much more serious will need to be leaked to be noticed in 2015.
This basically means governments can and will get more intrusive in our digital lives in the future. We will simply slowly get used to it.
Even though we more and more accept government intrusion in our digital private lives, we are also looking at more and more ways to keep our privacy alive. If protests, media attention and other public outcries are not effective, people will turn to technology to help them. Well, that is the general opinion anyway. Will this really be an important issue for the average Internet user to feel it’s worth spending their time on?
From the Snowden files, we know that even the NSA still had some serious issues with Tor last year. That seems unlikely to change anywhere soon. Despite the privacy benefits, I only expect a small increase in the use of the Tor network in 2015 (Malware excepted).
More and more IT-aware people will pick up the use of Tor. It has become quite easy to install and use the Tor browser, which will help with its spread. It might still take years though for the non-tech-savvy computer users to adopt Tor, because we all know they tend to stick to their pre-installed Internet Explorer.
And what about corporate networks? It seems unlikely system administration or IT security staff will ever allow the use of Tor and accept its enormous security risks. What about mobile phones and tablets? How many iPad users would really switch to the Tor browser to check their Facebook page? That last sentence alone says enough about our views on privacy. The sheer variety and complexity in Internet usage will mean the adoption of Tor will be very slow. It might even stall at some stage and remain the shady space where a business that cannot bear to see the daylight is done.
The same goes for the new mobile communication apps. The NSA has been collecting encrypted Skype video and voice calls for years now. Although unconfirmed, weaknesses in WhatsApp, which now counts 450 million users, have left the mobile app open for breaking encryption and sniffing the traffic. Who knows which government agencies can listen in on these communications? This might not be an issue if you live in New York and use Facebook all day, but it could be a matter of life and death if you live in a country where freedom of speech does not include criticizing the government.
It is hard to say what new communication methods will become popular this year. For an IT security insider, it may seem an ongoing arms race between governments and individuals who for some reason would like to protect their privacy. Unfortunately, the reality is that the majority of users of mobile apps like WhatsApp will just not care enough to bother finding and learning alternative apps and convincing their relations to move across to them as well.
The last year has seen some large breaches with serious impacts on corporate networks. Of course, the Sony hack really struck the company hard and stirred up the media. Everyone seems to know about it. But what about the JP Morgan Chase breach? Hackers compromised the accounts of 76 million households and seven million small businesses. What about the eBay hack in 2014, where an estimated 145 million accounts were compromised? Does anyone not interested in IT security even know about these? They are far less interesting than the Sony hack, where there is a series of leaked movies and leaked e-mails about celebrities, and where the president of the US and a North Korean dictator are in a public argument; it really has it all. In contrast to that, no one seems to worry about the risks which for example cloud-based medical records offered by private providers could bring. A breach there could have a much further-reaching impact on their customers. Unfortunately, many would think that is simply too complicated to read.
What 2015 will hopefully bring, without the need for many more high-profile breaches, is more awareness of security risks by the mainstream media. The public might be more interested in how safe their private information is. That might lead in turn to increased expenditure in IT security infrastructure, monitoring and management by corporations and governments alike. As long as that money is targeted the right way, that can only be a good thing.
The rapid movement of organized crime into the IT domain will continue to grow over the next years. Shady online auction sites such as Silk Road, their competitors and their successors, will continue to pop up. Bitcoin and other digital currencies are providing a huge incentive for this digital trade of credit card information, drug deals and even hit contracts. Law enforcement will probably not be able to keep up because of the incredibly complex legal issues around jurisdiction and technical barriers such as encryption and VPN tunneling.
Like the last few years, we will see news on arrests and trials of a few big online criminals, but the growth of this sector will be faster than those people can be brought down. This will lead to increased risks to the general public and corporations in the shape of extortions or fraud. In the coming months we will find out more about the background of the recent high-profile cases, which might show just how professional this digital crime sector has become. There will be many more new cases as well, and they will not get any smaller either.
This year will be another year where we, in the IT security sector, will ask ourselves… Are we keeping up? Where is this going? Does a secure network even exist? Unless some dramatic changes are made in government and corporate funding in the IT security sector and some legal cooperation between governments really takes shape, we will be asking ourselves the same questions next year. What can we in the IT security sector do? Raise awareness, study hard and be vigilant.