Public-sector cybersecurity experts predict that threats will not change dramatically in 2014 but will seek new platforms, including bring your own cloud, the Internet of Things and wearable computing.
January ushers in a new year, but the cybersecurity threats that come with it will for the most part look an awful lot like the ones agency IT managers already know. They will continue to morph, evolve and multiply to keep admins on their toes.
The research and analysis company Ovum predicts that 2014 will bring “more of the same,” just at higher volumes. The greater complexity of software, hardware and systems are putting a premium on automation — and on the need to protect data rather than systems, which are too dynamic to quickly defend. All of this puts a focus on the need for government to reform IT acquisition to enable a more flexible response to rapidly evolving threats.
The expanding need for threat intelligence and analytics to defend complex systems makes security as a service an increasingly attractive option. The recent award of a $6 billion blanket purchase agreement to 17 companies for security monitoring tools under the Homeland Security Department’s Continuous Diagnostics and Mitigation program is a step in this direction. But it has been hampered by uncertainty in the federal budget. “It’s critical that the program continue to move forward in a constructive way, and without budget interference,” said FireMon president Jody Brazil.
Here are some of the trends, issues and things to consider in in the coming year, most of them familiar, but with one wild card.
Bring your own cloud: Threat from the perimeter
One thing that most observers agree on is that the convergence of mobile and cloud computing will present a new and unintended hybrid: bring your own cloud. End users with mobile devices will knowingly or unknowingly use consumer cloud services to store and access work data, moving it outside of the enterprise’s immediate control.
Jerry Irvine, CIO of Prescient Solutions, calls the convergence, “an issue that is bringing in security risks.” As consumer cloud services move data out of the enterprise, mobile devices also provide new routes into the enterprise.
This is another example of the disappearing perimeter, says Paul Christman, Dell Software’s VP for the public sector. He calls the convergence a profound shift that will require greater attention to the security and management of mobile devices in the workplace, whether government-issued or BYOD.
“It represents another vector by which valuable government data can be lost or stolen,” said Paul Royal, associate director of the Georgia Institute of Technology’s Information Security Center.
That vector also puts an emphasis on managing devices and protecting the data itself, no matter where it is stored. “The cost of doing this is coming down,” Christman said, but the technology is not fully mature. Manoj Nair, general manager of RSA, said open and extensible security features for mobile devices are needed and called for Apple to open its iPhone 5s biometric to developers.
Information sharing: Even more problematic
To make the most of information in enhancing situational awareness it should be shared, but this proves surprisingly difficult. It is not so much a technical problem as a people problem, and a lot of people have been disturbed by recent revelations about National Security Agency’s freewheeling digital information gathering.
Bit9 CSO Nick Levay says that cooperation between the public and private sectors was strong in 2013 but that reports that NSA has been tapping fiber-optic cables as well as gathering data directly from carriers could sour relationships. Major online players have been embarrassed by news that makes it seem that they either are in bed with the NSA or are not doing enough to protect their networks and data.
Customers will demand greater transparency from their technology providers, says former White House advisor Howard Schmidt, now executive director of SAFECode. “Companies, individuals and governments reeling from the surveillance disclosures will increase and expand their use of encrypted products, keys and data flows to try to get a better handle on controlling their information.”
This is good security, but protection may well take a back seat to cooperation in the coming year.
Security on the Internet of Things: An afterthought?
The Internet of Things is more than a buzzword; it is becoming a reality.
“More and more devices will be connected to the Internet,” said Georgia Tech’s Paul Royal. Increasingly, they will be communicating with each other without going through their users or administrators. “We need to have a thoughtful understanding of what the security implications might be.”
As these interacting systems become more diverse and complex, the focus of security will have to shift from the systems to the data they house and use. Royal said he is afraid that security will be a secondary consideration in the process of wiring (and unwiring) the world, and will not be taken seriously until there is a crisis. “Same old, same old, I’m afraid.”
Critical infrastructure: An increasingly visible target
Threats to the critical infrastructure are closely related to the Internet of Things. The nation’s power grids, financial systems and utilities all are becoming networked, often linking control system software that was never intended to be exposed to the Internet. Research on vulnerabilities will lead to increased exploits of this critical infrastructure, says Schmidt.
Although malicious exploits so far have been few, breaches and compromises in critical systems have been reported. The financial services sector, which is heavily regulated, has the most mature security posture, but “all areas need to awaken to the problem,” says Bit9’s Levay.
The National Institute of Standards and Technology is developing a cybersecurity framework for critical infrastructure under a presidential policy directive, but compliance will be voluntary. Control system software and device firmware need the same level of scrutiny as higher level software, Schmidt says.
The wild card: Wearable computers
The idea of wearable computers has been around for a while, but it is now moving from fiction to production. Samsung has its Galaxy Gear smart watch and Microsoft is prototyping its own smart watch, while Google is beta testing its Google Glass.
The concept is not yet fully baked, said Prescient’s Irvine. But half-baked or not, it looks as if it is here. “I am a new owner of Google Glass,” he said.
So far, attention to security in these devices appears to be minimal and the introduction of wearable technology can make the mere presence of an individual a cybersecurity risk. “This is not a risk that can be addressed by automation,” Irvine said. “It requires policy.”
RSA’s Nair predicts that “2014 looks to be the year when the wearable trend goes mainstream for government,” and other markets. “Vendors should be looking to build security into their wearable devices and applications now — and not view security as an afterthought. Otherwise, a trend for 2015 could be the stories of personal information being leaked from these devices.”