Industry Observations

Nation State Activity – The continuing story for 2018

Well, I called it at the end of 2016. 2017 was a slurry of accusations as well as actual proof found of Russian meddling in U.S. politics, both via state infrastructure systems and via online propaganda on social media.

Even more specifically, I also correctly called the meddling of the Russian propaganda machine into the E.U. nation state social media and other avenues – France saw it, although narrowly avoided falling prey to it. German political parties, lacking the open enmity and polarization created in the U.S., seemed to have promised not to hack one another for dirt. The Twitterbots pushing messages of anti-immigration and anti-EU sentiment found little resonance in Germany. Kudos to them.

Cleverly, the Russian attackers seem to have gone more after systems of voter registration/authentication rather than trying to alter the votes themselves. (Why do a big hack when you can do an equally-useful little hack of annoyance and demographic skew?)

Additionally, we now all know there are tens of thousands of false troll personalities active on Facebook and Twitter and other social media, including LinkedIn, who fall upon anti-GOP sentiment with a flurry of personal attacks and harassment. This, I fear, will be the new normal until the social media platform giants learn how to winnow trolls from truth, and refuse the advertising dollars from non-US businesses.

Let’s talk China, though. Although Obama got the government to promise not to meddle with U.S. commercial interests by also committing that the U.S. would not meddle with Chinese commerce, there has appeared a wrench in the works. Or rather, a Twitter hammer from the oval office. One speculates that if that Twitter account attacks U.S. businesses directly, China will start to feel that the gloves are off if too many jabs attack them?

In tech, I think cyberwarfare is in full swing. We have two cyber events which have me bemused, the first being the creation of U.S. Cyber Command to defend Department of Defense (DoD) networks, which is still under the National Security Agency (NSA) though we’re not sure for how long. In August 2017, the DoD communicated it would initiate the process to elevate U.S. Cyber Command to Unified Combatant Command, which is commonly perceived as the U.S. announcing to the world that it’s ready to attack. Whether this escalation of cyber arms is a good idea or not will be unveiled through 2018.

2017 also saw attacks coming in against websites directly for high-profile cases, rather than just via network traffic and payloads. 2016 introduced major Samas.A ransomware hitting healthcare, and in 2017 Abuse of Functionality attacks like WannaCry and Petya have been spreading. We’ll see more of these types of proliferating attacks as hackers are finding that perimeters are secure, but websites are still not coded with security and safety in mind.

Tied to this, the security skills shortage surveys are now actually calling out Application Security as a separate and important discipline. And everyone is talking about Education again – and realizing that they need to train and educate their own employees instead of just trying to hire an expert.

2017 saw more security vendors starting to play ball together, which makes me happy. API security and API functionality are no longer topics to make IT Security people blush and go get more drinks at the party. Sharing security metadata via APIs between technologies will be key to making multiple technologies function as a unified machine to secure the digital ecosystem. Tools developers, aka the folks who can script connections between applications, or between services and platforms and security devices, are the unsung heroes of the world and I hope that in 2018 they’re training more of them at the universities. Let’s face it – APIs are the backbones of the IoT, so let’s keep a healthy backbone out there.

Further, I find additional hope in the New York Dept. of Finance Cyber Security regulations, because they called out application security as a line item. There still seems to be a gap in the current legislation when it comes to understanding that an asset is more than a box, but also includes the programs and applications on that box – but there are cases where progress is being made. GDPR is coming, and I predict there will be a flood of interesting and high-profile cases made against U.S. companies who have played fast and loose with customer data in the past – including and especially their marketing departments. Google Analytics has already updated this page on the topic of compliance, and Salesforce ran multiple sessions on the topic at Dreamforce.

All said, in 2018 I expect the following to happen:

  • Continued nation-state activity….
  • It will be revealed that the U.S. has been a more aggressive cyberwarfare participant on the world stage
  • With the incorporation of GDPR, there will be a flood of interesting and high-profile cases made against U.S. companies who have played fast and loose with customer data in the past