This idea is in collaboration with Ratan Jyoti, CISA,CISSP,DCPP who is an award-winning and accomplished CISO with extensive experience helping organizations in digital innovation. Currently, he works at Ujjivan Small Finance Bank Limited and ensures they are safe and prepared to take on any threat to their data. He also writes extensively on issues concerning Cybersecurity.
Written by: Ratan Jyoti Edited by: Reuben Dreiblatt
The features and techniques of Cybersecurity are continuously improving and becoming more complex as white-hat hackers try to keep up with black-hat hackers and vice versa. The power of the internet is changing the Cybersecurity landscape and we will start to see the effects of that rapid acceleration this decade. Here are some guiding questions and predictions to consider.
5 Guiding Questions
1.How will Cybersecurity be impacted by emerging and evolving technologies like AI, Blockchain, Machine Language, Quantum computing, 5G, IOT, and the Cloud?
2. Will next-gen ransomware wash out the balance sheet of more companies?
3. Will data protection dominate cyberspace?
4. Will we witness global cyber-war or global cyber-collaboration?
5. Will enterprise companies build a cyber-first culture?
1. AI will be huge in 2020! Organizations will use AI more than ever before because of the increased availability of AI based solutions, improved accuracy, and efficiency. AI bias and AI transparency will be a challenge largely due to underlying data quality and insufficient training at this initial phase of technological development. How much AI impacts cybersecurity and decision-making remains to be seen, but AI powered cyberattacks will certainly rise as AI will be within the reach of attackers too.
2. Behavior based DevSecOPS (integrating security practices in security system development) will be on the rise to support the ‘Security as Code’ culture. Agility will drive a focus on cyber-risks and DevSecOps. We can see the beginning of next-gen DevSecOps with security threat modeling like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) and automation.
3. 2020 will be the year of Protocols Adoption! We can expect to see retirement of old protocol like SSL, TLS1.0, and TLS 1.2. Look for a migration to TLS1.3. The enhanced encryption will not only support security but also privacy. To resolve the underlying issues like protocol ossification in HTTP/2, the HTTP/3 which is based around QUIC (Quick UDP Interaction Connections) will see increased use in 2020. The HTTP/3 and QUIC protocols will boost APIs and Internet of Things (IOT). IPV6 and DNSSec will get more focus than before as these protocols will be the foundation for other protocols ensuring security.
4. Be aware of dangerous voice Phishing and even more dangerous Deepfakes! Deep fakes will impact both the corporate landscape and private individuals. Enterprise companies will rush for quality protection from the Deepfakes leading to economic windfall for security companies.
5. 2020 will be the year of bots! We can expect to see many breaches of Robotic Process Automation (RPA) as security of RPA has not evolved in a while and bots are only as secure as we make them.
6. Ransomware and Advanced Persistent Threats (APTs) will confuse protection tools. We have seen ransomware actively modified to evade detection in 2019. This trend will continue in 2020 and new traits will be added to ransomware in attempt to beat the detection tool.
7. Machine Learning Models will be targeted in this next decade. Machine Learning Models and algorithms are evolving and so is detection and prevention capabilities. We will see Data Poisoning attacks in an attempt to skew the ML models. These attacks will utilize antagonistic data that is fed to the ML classifier to make a model behave like the attacker’s model. Enterprise will have to rely on layered security methods to stay safe.
8. 5G means more capabilities and more attacks. 5G will be a game changer in 2020, but will open up the floodgates for cyber-attackers and will put many enterprises at risk. This is due to a growing attack surface with an inclusion of newer networks and billions of IoT devices that are directly connected to massive cellular networks. Ultra-high bandwidth will enable attackers to launch DDoS at ease. Mobile leeching attacks to harvest the data and resources may increase due to more readily available tools open to attackers.
9. Quantum Computing will help predict cyberattacks faster than ever before. Security solutions will have to focus on crypto-agility to keep up. With Quantum Computing in place some of the widely used cryptographic algorithms like RSA (Rivest–Shamir–Adleman) and AES (Advanced Encryption Standard) may start to fade from relevance.
10. Expect to see more cloud breaches. The Cloud is synonymous with ease and convenience, but technical errors are still very possible. The Cloud is flexible, but with less visibility and potential errors (like misconfigurations) cyber-attackers will have a gateway for attacks. Data stored on the Cloud will be at an increased risk unless suitable strategies including security by design, defense in depth, and context-based controls are in place. Cloud jacking may see a rise too, so be sure to configure automated security for a successful and safe Cloud experience.
Conclusion: With many challenges approaching enterprise companies must use innovative ways to counter cyberthreats before real harm is done. Organizations should understand that they are only as strong as their weakest links. As a result, there will be more investment in Cybersecurity and possibly more in cyber-human capital.
Well said Ratan! I enjoyed your piece on the changing landscape of Cybersecurity. Here are some wrap-up thoughts by me on what you wrote and a few further ideas to ponder.
It seems to me that to understand the intricacies of Cybersecurity you must be up-to-date with the latest changes in security technology and the adoption timelines that various companies have. The companies that are proactive and not reactive are the ones who will be successful in this coming decade and stand to have longevity in the space. There does not seem to be a catch-all solution. There is no singular way to protect yourself outside of perhaps paying another company to provide full protection for your company. That is costly and not an efficient approach. As Ratan hinted at in his guiding questions, cyber-first culture will be imperative if companies expect to stay relevant and avoid attacks. Your employees must understand how the company data is protected and what they can do to keep it that way. The old-guard security professionals will have to diversify and learn new tools to keep up with those seeking to do harm.
I’m wary about the new age of Cybersecurity. I don’t want to see a corporate surveillance state in America the likes of 1984 (the dystopian George Orwell novel), but at the same time I understand the need for enterprises to instill a culture of watchful protection, as attacks are increasingly concealed. Companies will have to find their own way and instill a positive culture that their employees can get behind and engage with, while at the same time keeping their private data safe.
It’s worth noting that this is far more relevant to a corporation than a private individual. The notion of personal privacy seems to be fading in American culture as citizen’s post more on social media and embrace the podium it facilitates. As everyone vies for a bigger audience we find ourselves willing to expose more, thought-to-be, “private” data for likes, comments, and shares. We need to correct for this kind of behavior while at the same time working within the increasingly popular social media system. Or maybe we don’t need to correct for it. If private citizens don’t care about their data being taken and sold that’s on them. I bet they will care when their bank account is hacked and their identity is stolen though. I’m no fan of scare tactics, but sometimes it’s what it takes for people to realize how unprotected they really are. We must stay vigilant in protecting our data or we stand to face dire consequences.