As 2019 commences, computer security starts the new year pretty much where it left off in 2018 – with talk about the need for improved security in industrial control systems and the supply chain, the risks of insider threats, state espionage, increasing cyber crime, and the expanded attack surface that the Internet of Things provides.
Internet governance, cyber norms of state behavior, and state involvement in election meddling continue to cast a long shadow over cyber security, and if statistics provide a barometer of where we’re at, fairly straightforward security considerations such as better passwords, patch management, user education and security awareness (spear phishing, anyone?) remain a challenge. Complicating matters, a review of some organizations’ predictions for 2019 shows many overlapping projections as to what the computer security community will face: artificial intelligence, 5G network deployment, privacy concerns, security budgets, and e-mail fraud are just some that have found themselves on several of these projection lists.
One of cyber security’s lingering questions can best be characterized as “the chicken or the egg” syndrome. Where does the real problem (and, by extension, the solution) lie – in improving cyber security at all levels, or in the state and nonstate actors conducting nefarious activity and exploiting security holes? Recently, in an article about cybersecurity in civilian aviation, the author suggested that risk in aviation is less about the airplane and more about the lack of consequences for actors conducting attacks on aviation. This is a logical conclusion, simply because if bad guys didn’t commit bad acts, there would not be any need to have robust security mechanisms in place. Yet, while logical, it is hardly practical, and it would be unrealistic to expect all public and private sector organizations to stop trying to secure their systems and wait for the international community to draft, agree, implement, and adhere to a treaty establishing cyber norms. That process has continued to stall in international fora, the latest miss occurring in 2017 when the Group of Government Experts in the Field of Information and Telecommunications in the Context of International Security (GGE) failed to make any progress in advancing the discussion.
Absent any breakthrough in this area, as cyber threats continue to increase in sophistication, volume, and innovation, one thing seems certain: the outlook for 2019 for members of the computer security community looks to be fraught with long days and nights. The United States finds itself continually spinning in the hamster wheel that is cyber security. Some notable statistics regarding this include:
- Two 2018 Government Accountability Office (GAO) reports revealed that the federal government still demonstrated poor cybersecurity. GAO-18-645T identified four major cybersecurity challenges and 10 critical actions that the federal government and other entities need to take to address them. Of the 3,000 recommendations made by the GAO, the report found that 1,000 had not been implemented as of the July 2018 publication date. In December 2018, GAO-19-105 found that federal agencies needed to improve implementation of securing their systems. Per the report, 23 civilian agencies covered by the had not effectively implemented the federal government’s approach and strategy for securing information systems.
- Per 2017 statistics, the United States ranked third in the world in losses incurred by cybercrime.
- Between 2015 and 2017, the United States was the country most affected by targeted cyber attacks with 303 known large-scale attacks.
- The United States is expected to account for half of breached data by 2023.
Fortunately, there is some light at the end of the cyber security tunnel. Artificial Intelligence (AI) advances have demonstrated how this technology can be used to help defenders against cyber attacks. Machine learning has improved defender capability to identify phishing attacks. Automated systems can help identify the presence of vulnerabilities and implement the patches to fix them. Such technology can assist the financial sector, augmenting fraud detection systems with AI enhancements. Unfortunately, such technology also provides hostile actors with new tools that can be used against defenders. Improved speed and efficiency, and the ability to achieve maximum impact, offer hostile actors, including cyber criminals and state actors, a more robust attack mechanism to support their operations.
Additionally, cyber legislation appears to be making headway in Congress. Two bills have advanced with language designed to strengthen the Department of Homeland Security’s cyber defenses, as well as the “Hack DHS Act” and the Public-Private Cybersecurity Cooperation Act. This is promising, as traditionally such legislation has stalled in Congress, risking making the measures detailed therein outdated if not enacted.
It is necessary to aggressively put cyber security at the top of the priority list, and to start tracking progress in regulation, policy implementation, and improved security mechanisms among both private and public infrastructure stakeholders. That means setting goals and ensuring that key milestones are met. It is difficult to ascribe responsibility to the government for ensuring that industries are cyber secure, particularly when federal agencies have their own unique set of challenges. While the government can set regulatory guidance, it is incumbent on the industries to police their own, which means being willing to be transparent with partners within their own verticals about threat sharing, as well as best practices, to make their sector robust and resilient. 2019 is a new year, and new years always bring hope for positive change. There is much to be positive about as long as we don’t fall into much of the same.
About the Author
Emilio Iasiello has more than 12 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in peer-reviewed journals and blogs.