Every year we collate the predictions of our researchers, scientists and engineers. We anticipate changes in the threat landscape, trends in technology adoption, upcoming regulatory and compliance factors and other influences that will affect you when operating in today’s business environment.
In November 2018 we announced our 2019 Cybersecurity Predictions so at this mid-year point we thought it fitting to review the key issues of the year so far.
The predominant theme of the 2019 Forcepoint Cybersecurity Predictions Report was that of trust. Trust underpins relationships; relationships between employer and employee, business and client, business and investors, and within a supply chain. Cyber-attacks (whether malicious or accidental) can erode trust and result in loss of income, lost market value, loss of reputation, regulatory fines (estimates show figures of 100 GDPR fines and 60,000 breach reports across Europe) and loss of customers. It is no surprise that the World Economic Forum’s Global Risks Perception Survey 2019 listed cyber-attacks in the high-impact, high-likelihood quadrant.
Our 2019 Predictions reflected on the trust we place in people, process and technology. What follows is a summary of the key issues that have marked 2019 so far.
Our Prediction: “Industry-wide ‘security trust ratings’ will emerge as organizations seek assurances that partners and supply chains are trusted partners.”
As consumers we are used to checking our credit score which financial institutions use to determine our suitably for credit cards, loans and mortgages. This allows those institutions to manage risk and predict a desired outcome – in this case that we will pay back the loan. In the cybersecurity realm there are now ways that you can acquire cybersecurity ratings/scores derived from numerous factors to indicate how secure any given organisation is and how likely they are to successfully protect your data. Any breached company would see their score impacted (negatively) after a breach.
2019 has seen adoption of such ratings at a government level. In January 2019 the UK government ranked the cybersecurity measures of UK councils on a RAG scale. In October 2018 the US Chamber of Commerce released the first national cybersecurity assessment called the “Assessment of Business Cybersecurity” (ABC). Both systems aim to identify areas of risk and potential improvement.
In May 2019 Equifax saw their outlook downgraded – the first time that an outlook has been downgraded citing cybersecurity issues as a named factor. Confidence and trust in an organisation’s cybersecurity posture will continue to have significant influence in the stock market.
To help build confidence in the trust you place in cloud providers the Cloud Security Alliance’s STAR Registry is a go-to source to assess your cloud providers. Forcepoint’s entry is here: https://cloudsecurityalliance.org/star/registry/forcepoint-llc/
Our Prediction: “Attackers will disrupt Industrial Internet of Things (IIoT) devices using vulnerabilities in cloud infrastructure and hardware.”
Our prediction arose from an evolution of our previous predictions. In our 2015 Predictions we spoke of attacks against connected devices, in 2018 attacks against communication between devices and for 2019 attacks on the cloud infrastructure underpinning IIoT systems.
In March 2019 US Senators introduced the “IoT Cybersecurity Improvement Act of 2019” to the US Senate and House of Representatives. The stated goal of the Act is to “leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices, and for other purposes”. Such initiatives can help promote cybersecurity and encourage manufactures to build in “security-by-design” to better improve systems no matter if implemented in a consumer, industrial or CI environment.
The OWASP Internet of Things (IoT) Project Top 10 for 2018 was released in December 2018, an update from their 2014 list. OWASP provide a consolidated list of risks, threats & vulnerabilities applicable to developers, enterprises and consumers alike. OWASP positioned “weak, guessable or hard-coded passwords” as the top issue affecting IoT systems. Many of the issues listed are applicable to the ICS/IIoT space, especially as existing poorly secured devices are introduced into IIOT environments. #3 of the Top 10 relates most closely to our prediction, with the remaining 9 highlighting the low bar that an attacker must overcome to penetrate such systems.
The first half of 2019 has shown the range of vulnerabilities in cloud systems and government’s desire to improve the situation for IOT specifically.
Our Prediction: “Hackers will game end-user face recognition software, and organizations will respond with behavior-based systems.”
Using biometrics for authentication is not new but has been popularised by phone manufacturers and banks, amongst others. Our prediction stemmed from the onset of using a scan of one’s facial features realising that attackers seek access to, and bypass of, authentication systems in order to access the data behind that gate.
2019 has seen a backlash against facial recognition technologies citing privacy reasons with San Francisco, CA, USA banning the use of facial recognition by government departments while use of the technology by UK law enforcement has been challenged. Nevertheless, with the (unwanted) attention brought to bear on voice recognition systems and national biometric intelligence databases we shall continue to watch this space. Our prediction essentially poses the question “If identification and authentication methods can be abused what do we as defenders have to fall back on?”
Our Prediction: “There is no real AI in cybersecurity, nor any likelihood for it to develop in 2019.”
Our prediction may have raised eyebrows but it stems from our understanding of the adoption of the sub-fields of AI to the cybersecurity domain. *General* AI in its truest sense has yet to be developed within any industry but machine learning (ML) and algorithms supported by human-experts most definitely have. See Stanford’s AI Index to see the global adoption of such technologies.
2019’s acquisitions and IPOs of cybersecurity vendors using AI/ML demonstrate support for the methods employed while other industries are closely looking at the impact that AI will have on their industry; the US-based FDA proposed a regulatory framework for AI-based software as used in medical devices. In other industries we see glitches caused by AI used for software bug remediation and progress in automated generation of whole body images using AI.
Head of Forcepoint X-Labs, Raffael Marty, presented on the topic of this prediction at the recent Ai4Cybersecurity conference. Do you agree with his points of view?
As the year unfolds other issues will rise to the fore. Towards the end of this year we will present a full review of the accuracy of our 2019 Cybersecurity Predictions. At that time we will also release our Cybersecurity Predictions for 2020 so you know what to expect over the next few years; we are already thinking about those.