Unexpected insights from a review of 2020 cyber security predictions
Paul Brucciani FCIIS
Cyber Security Marketing | Sales Enablement | Consulting | Fellow of the Chartered Institute of Information Security
Wisdom of crowds
Exasperated at its failure to predict the credit crunch in 2007, conflicts in the Middle East and other important socio-political and economic events, the US Office of the Director of National Intelligence set up the Good Judgement Project in 2011, with a band of forecasters assembled by Philip Tetlock, a world-leading expert in Decision Science, to assess whether it could better anticipate world events.
The key finding that explains many failed predictions is that humans do not behave rationally when making decisions that involve uncertainty (e.g. taking a bank loan, buying cyber security or insurance) and that by consciously correcting individual biases and encouraging interaction between forecasters, the wisdom of the crowd came through. Top forecasters in GJP are reportedly 30% better than intelligence officers even without access to classified information.
My aim in reviewing a slew of cyber security predictions for 2020 is to draw out and to present to you the wisdom of the crowd.
Quick review of 2019
Before looking at 2020, let's pick out the key events that happened in 2019 and see which of these events were forecast at the start of the year.
ZDnet published an article in December 2019 that listed 76 of the major breaches of the year, which I’ve summarised in the charts below.
The snapshot
Two things stand out:
- nearly three quarters of all cases resulted in a confidentiality breach: no wonder that data privacy regulations are multiplying.
- 1-in-3 of the largest breaches took place in the IT sector (companies like Facebook, ASUS, Adobe) of which a third were due to error or misuse by insiders and a further third were a result of external attacks – most likely from the internet.
Verizon’s Data Breach Investigations Report (DBIR), which looks across data breaches big and small, estimates that as much as 80% of breaches are a result of external threats - largely by organised criminal groups or nation states.
What trends were evident in 2019?
DBIR identifies two trends:
- in the last decade, breaches caused by social engineering have doubled from 17% to 35%; and
- breaches arising from the actions of system administrators have risen from <5% to 15%, most often in the form of errors.
The fundamental problem is that we do not have sufficient confidence in IT security technology, so we adopt complex, 'defence-in-depth' IT security architectures that can easily be mis-configured. Attackers are also increasingly able to exploit the vulnerabilities to which we are exposed when we connect our information systems to the internet. This problem is likely to become more acute as we rush headlong to adopt cloud-hosted IT services.
That's what is happening today. Let’s look at these and other themes that cyber security experts predict for 2020, which we should consider in defending our networks.
Analysis of 2020 cyber security predictions
Prediction sources
23 companies were selected, 80% of whom published predictions last year. The sources selected mostly operate global, well-resourced threat intelligence units that use unique and verifiable primary sources. I have weeded out the pseudo-predictions: commentary on current trends, and overly-general; nakedly self-serving; or safe predictions like ‘cyber attackers will identify and exploit new vulnerabilities’.
2020 prediction headlines
- Cloud computing: the challenges of securing cloud services are widely recognised. Third party security risks can be managed by aligning incentives and contract terms. Contract management will be an increasingly important skill for security professionals.
- Deepfakes: all of a sudden, lots of people are talking about deepfake threats. Did they go to the same conference, recently? The threat did not exist last year. Is it so real?
- Governance, Risk and Compliance (GRC): privacy class actions will triple in 2020; US industry will fight back against cyber security compliance controls and the MITRE ATT&CK risk assessment and response framework will be adopted. Could this herald a retreat from compliance and return to risk-based cyber security?
- Attack methods: nothing radical. Attackers will get better at doing what they are already doing.
- Open banking: given the dawn of open banking, it is a surprise that this is not a focus for industry predictions.
- Ransomware: industry expects new waves of smarter, targeted attacks.
- Prediction types: largely tactical or operational. 8% of predictions relate to new vulnerabilities; 21% to threats; 38% to attack tools, techniques, procedures (TTPs); and the remaining 33% to security solutions. Predictions focus on what attackers will do to us more than on what we will do to defend ourselves, similar to previous years.
- What's new: deepfakes, physical security and drones are the talk at CISO tea parties these days.
- Best reads: this year, I recommend RSA, Proofpoint and FireEye for their well-written, specific, bold and original predictions.
Common predictions
- Ransomware will be deployed in a targeted manner against specific environments (Checkpoint, Digital Shadows, FireEye, Forcepoint, Kaspersky, Mimecast, Sophos).
- Cloud computing: Vulnerabilities in container components will be top security concerns for DevOps teams (Checkpoint, Gartner, McAfee, RSA, Trend Micro).
- Deepfakes will make a notable impact across all aspects of our lives in 2020 as their realism and potential increases (Experian, Forcepoint, Kaspersky, Splunk, Trend Micro).
- Internet of Things (IoT): cyber criminals will home in on IoT devices for espionage and extortion (Cylance, Mimecast, RSA, Trend Micro).
Unique predictions
- Attribution: attackers will plant false flags in victims’ networks to actively pin the blame on another party (Kaspersky).
- Systemic Cloud risk: the Google Cloud outage in March 2019 will drive organisations to consider hybrid environments comprising both private and public clouds (Checkpoint).
- Spyware: as new vulnerabilities in mobile devices and software are identified in 2020, spyware operators are almost certainly going to be among the first to exploit them to their advantage (Digital Shadows).
- General Counsel: will be more engaged in cyber security policy enforcement, privacy and incident response (FireEye).
- Geopolitics: cyber-attacks will focus on trade routes between Asia and Europe (Kaspersky).
Bold predictions
- Advanced threats: recent developments in AI will enable Law Enforcement to get ahead of cybercrime (Fortinet).
- Blockchain: by 2023, up to 30% of world news and video content will be authenticated as real by blockchain, countering deep fake technology (Gartner).
- Deepfakes: will cost businesses over a quarter of a billion dollars [in 2020] (Forrester).
- Supply chain: third-party data breaches will dominate the threat landscape (Symantec).
- Open source tooling: connecting workloads and data across clouds and on-prem infrastructure in a simple and open manner will pressure the IT security industry to rally behind common, open-source tooling (IBM).
Significant predictions
- Cloud computing: serverless platforms will complicate IT security and introduce an attack surface for misconfiguration. This will be exploited by attackers (Palo Alto, Splunk, Symantec, Trend Micro).
- Compliance: exacerbated by the mushrooming regional, national, and transnational regulations, 2020 may become a year when cybersecurity compliance will erode and start its rapid downfall (Symantec).
- Security assurance: there will be more focus on secure development and assurance of third-party products (FireEye).
- IoT: the proliferation of IoT devices is making edge computing an essential component of IT infrastructure (RSA).
- Banking: attacks on financial infrastructure will rise. Criminals will delve deeper into the financial ecosystem, targeting payroll services, interbank networks, Fintechs and Open Banking (BAE Systems).
Eye-catching predictions
- Cyber insurance policy holes lead to legal action: Until recently, cyber security risks have been absent from insurance documents, with some insurers refusing to pay out after a cyber attack under the “acts of war” exemption (BAE Systems, Mimecast).
- Drones: as cities install more free public Wi-Fi systems hackers will take to the skies via the use of readily available drones to steal consumer data from devices connected to unsecure networks on the streets below (Experian).
- External attacks: 25% of all breaches will happen outside the network security perimeter (Watchguard).
- Auto-update malware: cyber criminals will zone in on auto-updates to infect users. Expect high profile applications and operating systems to be targeted (Beyond Trust).
- Steganography, the process of hiding files in a different format, will grow in popularity as online blogs make it possible for threat actors to plant malware in networks (Cylance).
Which sources should one trust?
Little information is published about the methods used to make predictions. Whose predictions are most likely to be right?
Most of those offering predictions for 2020 did so for 2019, which gives us the opportunity to see how they performed. Predictions for 2019 were categorised as: true; partially true (eg ‘Organisations will be slow to prepare for GDPR and there will be some example setting’: slow, yes; example setting, no); too early to tell; and not true. The results are shown below.
Analysis of last year's predictions
Compared to 2019:
- Cloud security predictions are largely the same: IT security is complicated and hard to maintain; Cloud services will be attacked.
- surprisingly few AI predictions (2 vs 19 in 2018) which suggests that we have passed the point of 'peak hype' in the adoption of AI for cyber security.
- critical infrastructure protection: few people are talking about it, which is a surprise given the deteriorating geopolitical climate.
- It is a mystery why there are so few banking-related predictions.
Overall accuracy: 60% of the remarkable predictions (ie all except the common or unremarkable ones) came true.
HP and Sophos can lay claim to be the most accurate forecasters: both made 6 predictions, which all came true. Credit should also go to Digital Shadows, FireEye, McAfee and Mimecast who were not far behind.
Hats off to Digital Shadows, Forrester and Kaspersky who made bold predictions for 2019 that came true. Forrester said that ‘One major brand will lose valuation of more than 25% due to a cyberattack’. Several did – at least for a time.
Of the commonest predictions that have failed to come true, those expecting CPU level attacks to become the de facto method for spreading malware in 2019 are most likely to be surprised. (Why bother when software-based attacks work nicely?)
Conclusions to be drawn from this year’s predictions
Are we failing to see the forest for the trees?
Looking at these predictions in the round, several things are striking:
- 72% of the 2019 predictions came true or partially true, which is better than chance and may reflect to some degree the wisdom of the cyber security forecasting crowd.
- The lack of optimism or hope pervading through all but one of the 150 predictions (Fortinet predicts that recent developments in AI will enable Law Enforcement to get ahead of cybercrime).
- Innovation is largely on the side of the attacker. As defenders, we are on the back foot.
- They are technical, tactical or operational in nature – not surprising from the cohort of technology vendors that have made them. We are missing a strategic perspective which would allow us to see the forest for the trees.
It does not feel like we are winning the cyber security war
Gartner states that worldwide security spending will increase another 9 percent in 2019 to reach $124B: equivalent to 0.14% of global GDP or ~10% of the annual growth rate of the G7 economies! And yet, it does not feel like we are winning the cyber security war.
Reflecting on the challenges of cyberspace, former US Secretary of State, Henry Kissinger says, “It is difficult to assess national capabilities, vulnerabilities are multiplying, and there is no clear distinction between war and peace…We live in an age where “information has triumphed over knowledge and wisdom.” It is the most digitally advanced nations that are most vulnerable to cyber-attacks, so how can we defend ourselves more wisely?
We need radical cyber security innovation
We should not accept that being hacked is inevitable and although ultimately, we need to fundamentally rethink how we architect the Internet, we can help ourselves in the meantime, by recognising that our businesses are today facing the same threat as governments. We should therefore look to protect ourselves in the same way.
We need to learn from the nation state
Nation states have been spying on each other ever since the internet was invented nearly 40 years ago and during this time, they have also committed a lot of resources to protecting the security of their information assets. 40 years ago, the threat was quite different. Businesses worried about employees leaving computers on trains and occasional attacks by hackers operating from unventilated bedrooms. Today, businesses face the same threats from nation states and organised criminal groups with nation state capability, so we should be looking to defend ourselves in the same way, using for example Hardsec, a technology which emerged from the UK national security sector.
Hardsec for protecting internet-connected networks
The fundamental principle of Hardsec is that vulnerable and complex software-based security shouldn’t be used to try and protect similarly complex, vulnerable software services. Hardsec offers a fundamentally more secure approach to IT security than many of the software-based technologies on which, without much assurance, we rely. If you want to know more about Hardsec, read the original Hardsec paper at www.hardsec.org. A business-level description of the technology is provided on the World Economic Forum’s website.
The last word…
When I embarked on this analysis of cyber security predictions - as I have done for several years past (see 2019, 2018, 2017) - I was hoping that the wisdom of crowds would reveal insights that would help us protect ourselves in the Digital Age. It is ironic that it has taken until 2020, for my myopic vision to clear: the deepest insights have come from the themes on which the crowd is silent.
Sources consulted
To learn more about the major strategic trends of 2019 that will certainly feature in 2020, read Robyn Oldham’s short and excellent summary.
Each year, Dan Lohrmann who publishes in the Government Technology journal produces a very good review of cyber security predictions, based on a prosaic review of a wider trawl of predictions than mine.
If you want to learn more about why humans are bad at making risk decisions and the steps that can be taken to correct for biases, my blog summarises the work of a variety of scientists and experts: How the world's best risk decision makers decide.
Thanks once again to the companies that invested time and effort in producing these predictions. This blog salutes the forecasters: BAE Systems, BeyondTrust, Check Point, Cylance, Digital Shadows, Experian, FireEye, Forcepoint, Forrester, Fortinet, Gartner, IBM, Kaspersky, McAfee, Mimecast, Palo Alto, Proofpoint, RSA, Sophos, Splunk, Symantec, Trend Micro and Watchguard.
Happy New Year!
Experienced GM / VP Sales / VP Channels & Alliances
5y: Paul. A great read as usual. Lots to digest but presented in a way that's easy to consume.
Hey Paul very helpful and informative thanks. I would be interested if anyone is predicting increasing risks of infrastructure as code and dare I say it the onward trudge of automation
Group CISO & CTO at Fidelis Insurance Group
5y: Really useful! Thanks Paul
Cyber Security focussed Strategy, Product and Technology Leader
5y: As always Paul a great read and informative post. Thanks for saving us all a lot of effort sifting the noise for ourselves