2017 was a spectacular year for cyberattacks, including some previous ones only recently and reluctantly disclosed by embarrassed victims. They include a veritable who’s who of government, business and technology, including some of the world’s most technically sophisticated organizations.
Their misfortune raises a critical question: Is anything really safe? Do the security recommendations of experts actually matter? Or do we simply wait for our turn to be victimized, possibly by an attack so massive that it shuts down the entire data-driven infrastructure at the heart of 21st century life?
The answer is that there’s both good and bad news. First, the bad news.
Data breaches are likely to grow in 2018, aggravated both by the Internet of Things and security weaknesses in company supply chains. So, major disruptive attacks are indeed possible.
In addition, expect “Crime-as-a-Service” (CaaS) will develop as cybercriminal organizations continue to become more sophisticated. And new regulations, such as the European Union’s General Data Protection Regulation (GDPR), will add another layer of complexity to the issue of critical information asset management that many organizations are already struggling with. These are all among the top global security threats I predict businesses will face in 2018.
But there’s also good news. As managing director of an organization dedicated to cybersecurity, my view is that these challenges are not insurmountable. A future in which we can enjoy the benefits of cybertechnology in relative safety is within reach — but it will require us to recognize and apply the same dynamics that have tamed other disruptive technologies in the past.
Consider the case of motor cars. It’s been more than a century since automobiles began crowding America’s streets. At the time, it was seen by many as a deeply disrupting technology, aggravated by reckless driving and an enormous rate of carnage. But by 2016, that death rate had declined by 95 percent. In between, what began as a disruptive toy for the well-to-do had evolved into an integral part of daily life. That transition involved a combination of technical advances, government regulations and shifts in public attitude — a potent combination of factors. That same trifecta can also apply to other transformative creations, including cybertechnology:
• Technical advances. It may seem surprising, but further advances in technology may be the least important of the forces taming cybercrime. Of course, progress in the fields of encryption and related security measures will continue. However, technological advances tend to be a cat-and-mouse game, with hackers in close pursuit of security workers. And security workers themselves can sometimes be drawn over to the dark side. That said, even modest security technology can slow the pace of malicious hacking. By making it more time-consuming for someone to hack into a digital device, an attacker is less likely to try.
• Law of cyberspace. Although the internet’s greatest strength is its global reach, there is no worldwide cyber law. Cyber is only about 20 years old and it takes time for a body of law to evolve, as it did with maritime law. While maritime conventions are not perfect, they are largely effective. At the moment, though, cyber is still the Wild West. Essentially anything goes; you are pretty much on your own.
But there are steps that regulatory bodies can take to reduce the risks. One, which was recently adopted by New York state’s Department of Financial Services, requires all financial organizations there to institute risk-assessment protocols that examine more than a dozen areas where intrusions are possible and then take steps to fix any problems.
• Cyber culture. In December 2013, the British Bankers’ Association reported that “traditional” strong-arm bank robberies had dropped by 90 percent since 2003. Instead, larcenous acts are committed with just a few keystrokes — often from thousands of miles away. So to adolescents, the slope leading from cyber mischief into cybercrime is both gradual and hard to discern.
That’s because malice isn’t typically what motivates young people to become hackers. A big part of it is just having fun. But even hacking behavior, if properly directed, can have value. At Northeastern University, an informal group of hackers use their skills to win bug-bounty contests held by major organizations, including the Pentagon, to find and fix weaknesses in their defenses. But they’re the exception.
The Wild West brought on by the motor car was eventually absorbed into the mainstream of commerce and culture. But it required a trifecta of improved technology for both vehicles and infrastructure, comprehensive laws coupled with better law enforcement, and a gradual shift in driving culture affecting the perceptions and behavior of motorists.
Imaginative forms of education to enhance cyber culture and support appropriate uses of the technology — including some now underway in school classrooms — will help to shape public expectations and inform responsible behavior for the next generation of cyber citizens.
• Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cybersecurity and the emerging security threat landscape across both the corporate and personal environments.
Copyright © 2018 The Washington Times, LLC. Click here for reprint permission.