2021 Cybersecurity Predictions
Making predictions after 2020 feels like a fool’s errand. That said, the signs were all there for anybody who looked: Laurie Garrett’s astonishingly prescient 1994 book The Coming Plague, Bill Gates’s 2015 TED talk, even the movie Contagion. We all knew what a global pandemic might look like; we just didn’t expect it to be 2020.
In the same spirit, we can look at what happened in cybersecurity in 2020 and make some reasonable predictions of what might happen in 2021. Specifically:
- SolarWinds: the other shoe drops. Microsoft or Linux suffers a supply-chain breach.
- Zero-trust networking becomes zero-trust everything.
- Cyber-liability legislation and regulatory changes are enacted.
- The cybersecurity industry consolidates further.
Let’s explore these in a bit more depth.
Supply-Chain Hack of Microsoft or Linux
While the COVID-19 pandemic was without question the most significant global event of 2020, the recent SolarWinds supply-chain hack was undoubtedly the most significant cybersecurity event of the past year. The scope, audaciousness, level of control, duration and number of organizations impacted have few precedents. It is perhaps on par with the Melissa virus of 1999, which infected an estimated 20% of the world’s computers and really put cybersecurity on the global IT agenda.
In a similar fashion, the SolarWinds attack has been a huge wake-up call. What is really remarkable is that not a single traditional cybersecurity technology spotted the attack, even though it was active for more than nine months in over 18,000 organizations. That is a stunning indictment of the ineffectiveness of traditional cybersecurity tools.
Moreover, it’s prudent to assume this is just the beginning. We have yet to uncover all of the damage done in the attack. Microsoft itself, for example, has admitted to being impacted by the SolarWinds attack (see https://www.nytimes.com/2020/12/31/technology/microsoft-russia-hack.html). How far did the attackers get into Microsoft? What other backdoors were left? As of this writing, Microsoft has not published any further details on the impact, but think of it this way: if you were a malevolent hacker and had access to Microsoft, what would you do? It’s not a stretch to think that significant resources would be thrown at exploiting the breach.
Of course, it’s not only the SolarWinds attack itself. Other hackers have undoubtedly been emboldened by its success. Technologically, the attack was very straightforward—well within the abilities of countless hackers. With means and motivation, we can expect to see more.
The open-source community and the Linux ecosystem in particular are worth calling out as a copycat target. One of the strengths of open source is the publicly visible source code. Many crucial components of the Linux ecosystem literally have thousands of skilled engineers reviewing that code. While this creates a strong defense against the insertion of obviously malicious back doors, it is still very possible to introduce subtle bugs that could be leveraged in a cyberattack. More importantly, most organizations consuming open source do so in binary form, thereby negating many of its advantages. Where did those binaries come from? Who built them? How do you know they are safe? This leads to the next prediction: zero-trust everything.
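The three questions above have a concrete answer on the consumer side: do not install a binary unless a manifest of its digest is signed by the builder key you trust. The following is an added example (not code from the article or from any project it mentions) showing that check in Go: the builder hashes its outputs into a manifest and signs it with Ed25519, and the consumer verifies the signature first and each downloaded file’s SHA-256 second. The artifact names, the `Manifest` type and the function names are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps an artifact name to the hex SHA-256 digest the builder
// recorded for it. A real build pipeline would publish this file next to
// the binaries; the names used here are hypothetical.
type Manifest map[string]string

// BuildManifest hashes every artifact the builder produced.
func BuildManifest(artifacts map[string][]byte) Manifest {
	m := Manifest{}
	for name, data := range artifacts {
		sum := sha256.Sum256(data)
		m[name] = hex.EncodeToString(sum[:])
	}
	return m
}

// Canonical serialises the manifest deterministically (sorted by name) so
// that signer and verifier hash exactly the same bytes.
func (m Manifest) Canonical() []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s  %s\n", m[n], n)
	}
	return []byte(b.String())
}

// Sign produces the builder's Ed25519 signature over the canonical manifest.
func Sign(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Canonical())
}

// VerifyArtifacts is what the consumer runs on the binaries it downloaded:
// first confirm the manifest was signed by the trusted builder key, then
// confirm every downloaded artifact matches the digest in that manifest.
func VerifyArtifacts(pub ed25519.PublicKey, m Manifest, sig []byte, downloaded map[string][]byte) error {
	if !ed25519.Verify(pub, m.Canonical(), sig) {
		return errors.New("manifest signature invalid: not signed by the trusted builder")
	}
	for name, data := range downloaded {
		want, ok := m[name]
		if !ok {
			return fmt.Errorf("%s: not listed in signed manifest", name)
		}
		sum := sha256.Sum256(data)
		if got := hex.EncodeToString(sum[:]); got != want {
			return fmt.Errorf("%s: digest mismatch (got %s, manifest says %s)", name, got, want)
		}
	}
	return nil
}

func main() {
	// Constructed sample: the builder's key pair and two fake "binaries".
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	built := map[string][]byte{
		"libexample.so": []byte("ELF... original library build output"),
		"example-cli":   []byte("ELF... original cli build output"),
	}
	m := BuildManifest(built)
	sig := Sign(priv, m)
	fmt.Println("clean download:", VerifyArtifacts(pub, m, sig, built))

	// A mirror that served a modified binary is caught by the digest check.
	tampered := map[string][]byte{"libexample.so": []byte("ELF... modified build output")}
	fmt.Println("tampered download:", VerifyArtifacts(pub, m, sig, tampered))

	// A manifest rewritten without the builder key fails the signature check.
	forged := BuildManifest(tampered)
	fmt.Println("forged manifest:", VerifyArtifacts(pub, forged, sig, tampered))
}
```

The order of the two checks matters: a digest lookup in an unsigned manifest proves nothing, because whoever replaced the binary can replace the manifest too. The trust decision reduces to one question, how the consumer obtained `pub`, which is exactly the provenance question the paragraph raises.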
Zero-Trust Networking Becomes Zero-Trust Everything
2020 saw a dramatic rise in the deployment of zero-trust networking solutions. With the coronavirus pandemic and subsequent lockdowns, the business world had to shift literally overnight from office work to home-based work. The traditional assumptions of being safely behind a corporate firewall no longer held. Not surprisingly, this resulted in a massive deployment of zero-trust networking solutions from various companies. These solutions are based on a very simple premise: don’t trust the firewall, it is porous; authenticate everything.
That same philosophy will be broadened in 2021: trust nothing, protect everything. This zero-trust everything approach is a radical, but effective, rethinking of cybersecurity approaches. Traditional cybersecurity is based on the assumption that perfection is possible—if only you have the latest, greatest version of Windows with all the patches installed then life is good. The reality, as we’ve seen with SolarWinds, is that organizations remain extremely vulnerable.
Far more effective are cybersecurity approaches that assume an imperfect world and work regardless. For example, multi-factor authentication essentially creates random, one-time passwords, mitigating the risk from stolen passwords and the like. Much as zero-trust networking assumes porous firewalls, zero-trust software solutions assume that software will have bugs that are exploitable by attackers. Polymorphic defenses—such as those offered by Polyverse—can provide cyber-protection despite this, because the defense works even when systems are buggy or out of date on patches: https://www.dhirubhai.net/pulse/new-era-zero-trust-security-alexander-gounares/. Similarly, new data-protection and encryption technologies such as blockchains can provide publicly auditable and verifiable documents and other forms of data.
Taken together, such zero-trust technologies are dramatically more effective than legacy firewalls, antivirus, and the like. Between the SolarWinds attack and the work-from-home revolution, we can expect to see a rapid shift to these technologies; the need is just too great.
Cyber-liability Legislation
But there are limits to what can be done in cybersecurity purely from the customer viewpoint (the billions of people and organizations consuming technology). At some point, the core technology infrastructure must be improved dramatically. This will require major technology vendors such as Microsoft, Cisco and many others to make fundamental improvements.
Imagine if every car had unreliable brakes that would randomly fail, lock up, or otherwise misbehave. And further imagine that good brake technology existed, but car owners were the ones responsible for buying, installing, managing and monitoring anti-lock brakes and other safety technology on their cars. As car owners, we’d be furious and demand more from the automobile manufacturers.
Yet this is essentially how today’s technology industry works. One of the curious aspects of the cybersecurity industry is that it even exists. Think about it: if the core operating system, networking, email, and other base platforms were fundamentally secure, the need for aftermarket security solutions would be greatly diminished. It’s just like car-safety technologies: the business of aftermarket anti-lock brakes, airbags, seatbelts and the like is essentially non-existent, because we expect cars to have these capabilities built in.
One of the driving factors behind automotive safety (and many other products) is the legal and regulatory product-liability framework. Auto manufacturers would be sued (and lose) if they knowingly built unsafe cars. That creates both incentive and accountability for automobile manufacturers—and as technology improves so does car safety.
In today’s technology industry, there is little or no liability for cybersecurity failures—in very simple terms, existing product liability is difficult to apply to software vendors. When car manufacturers fail to live up to high standards, they are held accountable (witness Volkswagen’s and other car makers’ diesel-emissions scandals since 2015). When was the last time a major software vendor was similarly held accountable?
This lack of accountability has arguably led to underinvestment in cybersecurity by software vendors. While it is not possible to create completely hack-proof technology (just as it’s not possible to create an invincible, perfectly crash-proof car), time and time again we see technology vendors failing to provide even basic protections. The Mirai attack in 2018 exploited Internet of Things devices that lacked even the most basic protections that had been available for decades. Similarly, how swiftly would Microsoft improve the security of Windows if it could more easily be sued for technologically preventable ransomware attacks?
It’s very easy to look at major tech vendors today and see where they are out of date on cybersecurity technology, sometimes by a decade or more. To fill that gap, there are more than 1,200 cybersecurity companies, according to McAfee. Each offers some form of improvement over what is available from the major platform providers, but often requires customers to do the integration. A product-liability framework could drive more rapid adoption of these technical advances into the core platforms, much as advances in safety technologies are adopted by automobile manufacturers.
However, crafting the right regulatory and legal framework is particularly challenging. Too much regulation and bureaucracy will easily stifle innovation and increase costs (and is thus likely to be counterproductive in improving cybersecurity). What is needed is a framework that provides strong and enforceable incentives for platform vendors to do a better job on cybersecurity, without slowing down or stifling innovation. Fortunately, there are historical models, like the ‘best available technology’ approach in the Clean Air Act, that can provide helpful lessons learned and best practices for such frameworks.
Industry Consolidation
Zero-trust everything and progress in cyber-liability will drive a wave of industry consolidation in 2021. While much of this will be driven by the major platform vendors out of necessity, there is also a chance that we will see significant independent roll-ups by private-equity firms, much as Digital.AI was formed out of a roll-up by TPG Capital last year. The overall industry logic is simple: the better Microsoft and other platform vendors are at cybersecurity, the fewer independent cybersecurity firms will exist. The more Microsoft and its peers underperform, the greater the number of independent companies that will rush to fill the gap.
Summary
Overall, 2021 promises to be a transformational year for the cybersecurity industry. Working from home and SolarWinds will continue to be the major catalysts. The legacy ways of doing cybersecurity for the past two decades are no longer sufficient, and we’ll see rapid change in the coming year.
Comment (Senior Principal Cyber Systems Engineer, 3 years ago): Along with the consolidation I’d like to see cybersecurity embedded within business units as an enabler, moving away from the historical "no" man approach.