2015: Prime time for information security?
In the twelve months ahead we can certainly expect data breaches to continue, along with more zero-day vulnerabilities and further attempts to break into the darknet. Government surveillance is unlikely ever to stop.
Everything else is less clear: what tools will cyber-criminals be using? How will law enforcement collaborate? What security issues will arise from the Internet of Things (IoT)? Will there be new unthought-of technologies? And how will companies approach the proposed EU General Data Protection Regulation?
SC Magazine asked industry experts for their views on the year ahead:
F-Secure security researcher Mikko Hypponen, a critic of government surveillance since the first Snowden leaks, expects movement around digital privacy. “The reality is that we're waking up to government surveillance and that's partially because of Snowden. It's much clearer than it was two years ago.” Hypponen told SC: “It's remarkable how the notion of privacy has changed on the internet, it's a completely different world.” He says that people are yet to understand the full implications of the leaks, adding that the idea of government-created malware, such as Stuxnet and Flame, would have seemed ‘like a joke' decades ago.
“If the government is going to use these tools then transparency is needed.” Expanding on his talk at Black Hat, where he said that governments create custom malware for law enforcement, industrial and citizen spying and cyber-warfare, he said that if governments are infecting their own citizens with malware, questions need to be asked about how many of these are innocent and laden with broken machines.
Interestingly, Hypponen, who pulled out of his RSA 2014 keynote after reports that RSA Security had accepted a payment from the NSA to make a deliberately weakened random number generator (Dual_EC_DRBG) the default in its BSAFE products, says that younger people are mixed in how they respond to such problems. “I am seeing two different reactions; a hopelessness at their inaction – they think there's nothing they can do to secure themselves – and then those who choose to do something, and at least make it harder [for government surveillance]. They're using more VPNs, more Tor services, more encryption, and services that run over encryption at all times.” The Finnish security expert says, “I don't really foresee a change in the way government does surveillance, but at least people are aware that it is happening.”
Politically there could be even bigger repercussions, says IOActive futurologist and former CISO David Lacey, who believes that terrorist groups might be tempted to go a step further. “Over the next few years, we'll start to see cyber-terrorism. These groups are certainly gaining the capability to attack, and this will send security into new areas,” said Lacey, adding that efforts are ongoing to secure critical infrastructure and the SCADA systems that control water and gas stations.
Privacy lawyer Stewart Room claims that the government surveillance revelations will have another knock-on effect, suggesting: “There will be more pressure groups and litigation around privacy. It's about striking when the iron is hot, because [the opportunity for] law reform is there.” Room, who heads up PwC's legal cyber and data security practice, expects more aggressive data protection enforcement by regulators.
Data protection will continue to be high-profile, and he foresees more activity around profiling, marketing and advertising. The Right to Be Forgotten in the forthcoming European General Data Protection Regulation could finally see the light of day in 2015, according to Room, along with the draft's data breach fines of up to €100 million or five percent of global turnover, a 72-hour breach notification period, and a right for customers to require companies to delete their data when they leave a service. “The EU General Data Protection Regulation will be adopted next year, with a transitional period during 2016 and 2017. The momentum is with the regulator again.” However, he says, “The potential is there for business to change their ways. We're a long way off the mega fines and I don't think they will be required.”
MSMD Advisor principal analyst Mike Davis agrees, saying that he is ‘98 percent' sure the legislation will become law, and urges companies, especially those based outside the European Union, to get their houses in order. “It's becoming hard for big companies to back away from it. It may become unstoppable,” said Davis, a former analyst at Butler Group and Ovum. He adds: “The real challenge here is for cloud providers; it isn't rocket science - hold data in EU-based data centres and keep security confidentiality in check. I think there are several companies that are going to get stung.”