Predicting the future of technology is notoriously difficult. But that doesn’t stop us. No matter how many times our soothsayers are wrong, I predict that we will be reading a good number of “Top 10 [fill in the blank] to expect in 2017.” Predicting prediction is a pretty safe bet.
But all joking aside, some predictions are worth making. After all, forward thinking and preparatory analysis are valuable exercises for many matters. No where is this more true than Computer Security.
Now that we’re a third of the way through the year, it seems like a reasonable time to check in on a few of the computer security predictions made about this year. Both Wired magazine and CNBC had their own set of predictions of the worst security threats in 2016:
Extortion Hacks (Wired): An extortion hack is similar to the recently reported rise in ransomware attacks. But while ransomware simply locks up a victim’s files and demands payment to release them, extortion steals data and threatens to release it unless the attacker gets paid.
More Backdoors (Wired): It has been revealed that backdoors were planted in critical network infrastructure components sold around the world. Wired believes that we’ll see more of those now, not because more are inserted, but because companies will be searching for them and finding them.
Jailbreaking the Cloud (CNBC): One of the best ways to keep malware from destroying a computer is to run software in a virtual machine. If the virtual machine, which is a simulated computer, is infected, it can be shut down and restarted from a “clean” state. But there is software out there that attempts to determine if it is running in a virtual machine and, if so, break out of it. CNBC expects this type of attack to increase.
Evasive Hacks (CNBC): Malware will be smarter about erasing its tracks (ghostware) or obliterating the machine it was infecting (blastware). In either case, forensic reconstruction of how the Malware infected the machine and what damage it did will be next to impossible.
Infected IoT/Headless Devices (Both): The one area that both lists agreed on was that “headless” devices, such as Internet connected watches, toys, CCTV cameras, and even cars, will be hacked and abused by the bad guys. To the uninitiated in computer security, it may come as a surprise that the goal is often not to take control of the hacked system. Instead, the bad guys can use these compromised devices to launch attacks against other systems.
How many of these have we seen so far in 2016? It’s hard to know because many of these are not necessarily going to grab press attention. A company being extorted is probably going to pay the money and keep quiet. A hardware manufacturer that finds an inserted backdoor may shy away from a public announcement, Juniper’s example notwithstanding.
But whether they’re accurate or not, a more subtle theme jumped out at me during my review. It caught me off guard at first, and I had to go back and re-read both articles. Neither one said it explicitly, yet it underpinned the “top issues” identified by both:
Prevention is Dead. Mitigation is Next.
Take a closer look. Both articles assume that you simply cannot prevent the bad guys from getting onto a system. It’s a foregone conclusion. Notice that CNBC’s predictions about ghostware and breaking the virtual machine explicitly require that the bad guy is already on the system. In both cases, they are predicting mitigation will be the “defense” attacked.
Or look at what Wired had to say about the IoT/Headless issue:
Unlike a desktop computer or laptop, it can be harder to know when your connected toaster has been [hacked].
Did you catch that? They didn’t say “harder to protect”, they said, “harder to know when it’s compromised.”
But these are just magazine predictions, right? Magazines sometimes exaggerate in order to sell subscriptions, don’t they?
Well, what about a VP of Information Security at a computer security company? What if he said two years ago that Anti-Virus (a preventative measure) is dead? What if at the same time, a wide range of companies began beefing up their mitigation technologies? This Wall-Street Journal article, in describing these events in 2014, paints a very similar picture. In fact, it flat out says it:
Rather than fighting to keep the bad guys out, new technologies from an array of companies assume hackers get in so aim to spot them and minimize the damage.
The really disturbing part of this is that everyone seems to be admitting that we’ve lost. Much like the Roman’s of the late fourth century, the new approach seems to suggest that we should learn to live with the barbarians rather than evicting them from our territory. Truly, although nobody is using exactly these words, it sounds like saying that we need to accept compromised systems as the “new normal”.
Personally, I do not believe that a compromised Internet has a future. The barbarians at our gates… within our gates, will never rest and never be satisfied with cohabitation. If we failed to defend, what makes us believe we can succeed at drawing a line anywhere else?
No, such an arrangement is just not stable and will never last. We must find a way to create secure systems that are largely successful at blocking out the attackers. Otherwise, I fear that what is considered one of the worst technology predictions of all time, will become one of the most prescient (only off by twenty years or so):
1995: “I predict the Internet will soon go spectacularly supernova and in 1996 catastrophically collapse.” — Robert Metcalfe, founder of 3Com.