The past year has marked a dark time in cybersecurity globally. 2016 started off with @DotGov hackers doxxing thousands of U.S. federal employees; proceeded to the Anonymous breach of the Philippine Commission on Elections exposing personal identification information on every voter in the entire country and progressed to news of massive — and previously unreported — user-information theft from LinkedIn, Yahoo, Dropbox, and Oracle.
Don’t forget Hold Security’s shocking news about email services and Russian crime syndicates. Then there was Guccifer 2.0; the Bangladeshi cyber bank heist; a series of IoT-powered DDoS attacks courtesy of Mirai and their extension to a world-class network service provider; the San Francisco Muni ransomware hack; the controversy about private email servers and national security throughout the U.S. presidential campaign; and the accusations from international leaders of state-sponsored cyberwarfare.
Breaches and exploits too numerous to list here regularly populated our news feeds, and this year’s average cost per major incident reached a record high of several million dollars.
Sadly, the new year promises more and worse breaches, hacks, ransomware, cybercrime, and official as well as unofficial assaults on citizens’ privacy and security. There will be controversies that draw our attention to important and often-overlooked information security best practices, that generate important research and discussion and hopefully spur real action.
I predict that our sorry cybersecurity situation will start generating some specific responses in 2017:
#1. Email security may start picking up
Email security using Pretty Good Privacy (PGP), S/MIME, or similar authentication and encryption standards may finally see large-scale deployments after decades of inattention. Though these standards are criticized for adding complexity and user friction, their widespread adoption would be a positive reaction to the email-hacking incidents of 2016.
#2. Cloud-service security consolidation?
Large cloud-hosting operators will expand their offered services to handle most security tasks, which are currently left to the purview of individual vendors and service operators. The small and mid-size businesses currently handling these services are challenged to provide a consistent and professional level of security — particularly for IoT services. Cloud behemoths will fill the gap.
#3. You must be this secure to ride the Internet
Due to the extensive damage wrought by risky and vulnerable products like video cameras in 2016, legislation will be introduced in Europe and/or the U.S. to mandate a minimal level of security in all devices that connect to the Internet, such as home routers and IoT products.
#4. More Open Whisper-like deployments
The successful deployment of Open Whisper’s end-to-end security in voice, chat, and Bitcoin applications will start to be emulated in machine-to-machine standards and deployments.
#5. Vendors vs. government
The tussle between the U.S. government and vendors — like Apple — who provide strong device and application security will likely continue, with legislative attempts to make it illegal for companies to maintain iPhone-like cryptographic protection in the U.S. I suspect similar government v. corporation v. consumer showdowns will crop up internationally in 2017 and beyond. This is a sticky issue that will not be resolved in one year.
Sufficient information security has always been a moving target, and there are armies of smart and thoughtful professionals laboring to hit the mark. But 2016 proved that malefactors are also more than up to the task of finding new ways to exploit our increasingly digitized and connected world. As reliance on IoT and big data continues to transform our personal habits, businesses, and governments, perhaps the only upside of the bad cybersecurity news is that it may motivate us all to pay more attention and expend more effort in safeguarding both our information and the legitimate systems that make use of it.
The author is the Principal Security Engineer at Greenwave Systems Inc., a leading international IoT software provider and services integrator partnering with Verizon, NXP, IBM, E.On, and others. Mark is a highly regarded IoT security engineer having created and patented multiple technologies that played a major role in driving a smart connected future, and is a published thought leader and well-respected speaker at industry events, such as CES, IEEE Conferences, and ACM International Conferences.