Cyber Security – Can we predict the future from the past?
28/09/2016 - 12.31
Tony Proctor - Principal Lecturer, Consultant and Information Security Researcher
Tony, Principal Lecturer, Consultant and Information Security Researcher at the University of Wolverhampton, has 30 years of experience in the IT Industry covering varied sectors and roles with large organisations. For the past 10 years he has specialised in the field of Cyber Security.
Here, he speculates where future threats may come from.
Where do the future cyber threats lie? If we could answer that, the cyber security world would not be playing the seemingly unavoidable game of catch-up: waiting for the latest “innovation” from the dark side before implementing the technological, procedural and sometimes (hastily enacted) legislative measures necessary in an attempt to reduce future problems.
Looking backwards at the past can sometimes provide historical lessons to suggest future actions. But whether we can predict the future cyber world based on current / past events seems to me as uncertain as the future itself.
We could look at some of the popular topics that seem to be discussed as potential or future issues amongst the cyber security fraternity, along with considering the current cyber threats and how these might evolve. We know that technology will continue to grow apace. The internet is the “fourth utility” and the demand for bandwidth grows annually at an exponential rate. In recent years we have experienced the consumerisation of technology and its consequence in the workplace (BYOD). Mysticism about “the cloud” is fast disappearing and the internet of things (IoT) is upon us. The future environment will present a requirement for an increase in both the quantitative and qualitative nature of cyber security; we will need a greater range of security products and they will need to work in a more intuitive manner.
If we look at current cyber threats, the vast majority have the purpose of committing fraud for financial gain (a good example being the prevalence of Ransomware). There is no reason why this should change. Most criminal activity is based on making money. The other current threats are to intellectual property and from hacktivism, espionage and cyber warfare.
So where might future threats lie? One of the biggest discussions centres on cyber warfare. The concern here is that the tools and techniques to develop advanced threats may fall into the hands of failed nations. A disagreement between two small nations in a distant part of the world could result in an act of cyber warfare.
Cyber terrorism is another topic that is frequently discussed. A recurring theme is the suggestion that terrorists do not have a current capability. It is clear that development of complex malware like Stuxnet and Duqu is a highly complex task.
But should we assume that cyber terrorism will take the form of a complex attack on the control system of a power station? Is a denial of service against a much less well-protected entity (but one whose loss will have significant impact) more likely? It would be wise to assume that terrorists do have or will acquire some cyber warfare capabilities.
Applications need to be better protected. There is a requirement for further development of secure coding initiatives. There will be a greater emphasis on encryption. We may see “hybrid” attacks in which physical devices are stolen and individuals forced to disclose encryption keys. Criminals will continue to use the social spaces on the internet as a source to assist in their activity. Throughout modern history, technology has been deployed to eavesdrop on a nation’s communications and activity. There is no reason why this will not continue to escalate. The point is that equilibrium will prevail as the best exponents will have similar capabilities to each other, a knowledge of the activities of one another and guaranteed mutual destruction should they choose to launch their cyber offensive arsenals.
Complexity and complacency are the enemies of security. We see a greater complexity in the way in which technology is used and implemented. To avoid complacency, it is important that responsibility is clearly defined. There is also a tendency to “overthink” in cyber security.
Overthinking is counter-productive, as is the culture of secrecy which, although sometimes necessary, is unhelpful; how can we improve the awareness that is needed if we fail to discuss it? There needs to be a greater emphasis on information sharing so that awareness can be increased, and there needs to be a risk-based approach applied to all cyber activity in order that resources are used effectively and economically.