By Hugh Thompson & Steve Trilling
In anticipating the major cybersecurity and privacy trends for the coming year, you can find plenty of clues in the events of the past 12 months. Among the now-familiar forms of attack, cyber hacks of major corporate systems and websites continued in 2018 and will inevitably be part of the 2019 cyber security scene. Many well-known organizations around the world suffered significant breaches this year. The single largest potential data leak, affecting marketing and data aggregation firm Exactis, involved the exposure of a database that contained nearly 340 million personal information records.
Beyond all-too-common corporate attacks, 2018 saw accelerated threat activity across a diverse range of targets and victims. In the social networking realm, Facebook estimated that hackers stole user information from nearly 30 million people. A growing assortment of nation-states used cyber probes and attacks to access everything from corporate secrets to sensitive government and infrastructure systems. At the personal level, a breach into Under Armour’s MyFitnessPal health tracker accounts resulted in the theft of private data from an estimated 150 million people.
So, what can we expect on the cybersecurity front in the coming year? Here are some of the trends and activities most likely to affect organizations, governments, and individuals in 2019 and beyond.
Attackers Will Exploit Artificial Intelligence (AI) Systems and Use AI to Aid Assaults
The long-awaited commercial promise of AI has begun to materialize in recent years, with AI-powered systems already in use in many areas of business operations. Even as these systems helpfully automate manual tasks and enhance decision making and other human activities, they also emerge as promising attack targets, as many AI systems are home to massive amounts of data.
In addition, researchers have grown increasingly concerned about the susceptibility of these systems to malicious input that can corrupt their logic and affect their operations. The fragility of some AI technologies will become a growing concern in 2019. In some ways, the emergence of critical AI systems as attack targets will start to mirror the sequence seen 20 years ago with the internet, which rapidly drew the attention of cybercriminals and hackers, especially following the explosion of internet-based eCommerce.
Attackers won’t just target AI systems, they will enlist AI techniques themselves to supercharge their own criminal activities. Automated systems powered by AI could probe networks and systems searching for undiscovered vulnerabilities that could be exploited. AI could also be used to make phishing and other social engineering attacks even more sophisticated by creating extremely realistic video and audio or well-crafted emails designed to fool targeted individuals. AI could also be used to launch realistic disinformation campaigns. For example, imagine a fake AI-created, realistic video of a company CEO announcing a large financial loss, a major security breach, or other major news. Widespread release of such a fake video could have a significant impact on the company before the true facts are understood.
And just as we see attack toolkits available for sale online, making it relatively easy for attackers to generate new threats, we’re certain to eventually see AI-powered attack tools that can give even petty criminals the ability to launch sophisticated targeted attacks. With such tools automating the creation of highly personalized attacks–attacks that have been labor-intensive and costly in the past–such AI-powered toolkits could make the marginal cost of crafting each additional targeted attack essentially be zero.
Defenders Will Depend Increasingly on AI to Counter Attacks and Identify Vulnerabilities
The AI security story also has a bright side. Threat identification systems already use machine learning techniques to identify entirely new threats. And, it isn’t just attackers that can use AI systems to probe for open vulnerabilities; defenders can use AI to better harden their environments from attacks. For example, AI-powered systems could launch a series of simulated attacks on an enterprise network over time in the hope that an attack iteration will stumble across a vulnerability that can be closed before it’s discovered by attackers.
Closer to home, AI and other technologies are also likely to start helping individuals better protect their own digital security and privacy. AI could be embedded into mobile phones to help warn users if certain actions are risky. For example, when you set up a new email account your phone might automatically warn you to set up two-factor authentication. Over time, such security-based AI could also help people better understand the tradeoffs involved when they give up personal information in exchange for the use of an application or other ancillary benefits.
Growing 5G Deployment and Adoption Will Begin to Expand the Attack Surface Area
A number of 5G network infrastructure deployments kicked off this year, and 2019 is shaping up to be a year of accelerating 5G activity. While it will take time for 5G networks and 5G-capable phones and other devices to become broadly deployed, growth will occur rapidly. IDG, for example, calls 2019 “a seminal year” on the 5G front, and predicts that the market for 5G and 5G-related network infrastructure will grow from approximately $528 million in 2018 to $26 billion in 2022, exhibiting a compound annual growth rate of 118 percent.
Although smartphones are the focus of much 5G interest, the number of 5G-capable phones is likely to be limited in the coming year. As a stepping stone to broad deployment of 5G cellular networks, some carriers are offering fixed 5G mobile hotspots and 5G-equipped routers for homes. Given the peak data rate of 5G networks is 10 Gbps, compared to 4G’s 1 Gbps, the shift to 5G will catalyze new operational models, new architectures, and–consequently–new vulnerabilities.
Over time, more 5G IoT devices will connect directly to the 5G network rather than via a Wi-Fi router. This trend will make those devices more vulnerable to direct attack. For home users, it will also make it more difficult to monitor all IoT devices since they bypass a central router. More broadly, the ability to back-up or transmit massive volumes of data easily to cloud-based storage will give attackers rich new targets to breach.
IoT-Based Events Will Move Beyond Massive DDoS Assaults to New, More Dangerous Forms of Attack
In recent years, massive botnet-powered distributed denial of service (DDoS) attacks have exploited tens of thousands of infected IoT devices to send crippling volumes of traffic to victims’ websites. Such attacks haven’t received much media attention of late, but they continue to occur and will remain threats in coming years. At the same time, we can expect to see poorly secured IoT devices targeted for other harmful purposes. Among the most troubling will be attacks against IoT devices that bridge the digital and physical worlds. Some of these IoT enabled objects are kinetic, such as cars and other vehicles, while others control critical systems. We expect to see growing numbers of attacks against IoT devices that control critical infrastructures such as power distribution and communications networks. And as home-based IoT devices become more ubiquitous, there will likely be future attempts to weaponize them–say, by one nation shutting down home thermostats in an enemy state during a harsh winter.
Attackers Will Increasingly Capture Data in Transit
We’re likely to see attackers exploit home-based Wi-Fi routers and other poorly secured consumer IoT devices in new ways. One exploit already occurring is marshalling IoT devices to launch massive crypto jacking efforts to mine cryptocurrencies.
In 2019 and beyond, we can expect increasing attempts to gain access to home routers and other IoT hubs to capture some of the data passing through them. Malware inserted into such a router could, for example, steal banking credentials, capture credit card numbers, or display spoofed, malicious web pages to the user to compromise confidential information. Such sensitive data tends to be better secured when it is at rest today. For example, eCommerce merchants do not store credit card CVV numbers, making it more difficult for attackers to steal credit cards from eCommerce databases. Attackers will undoubtedly continue to evolve their techniques to steal consumer data when it is in transit.
On the enterprise side, there were numerous examples of data-in-transit compromises in 2018. The attack group Magecart stole credit card numbers and other sensitive consumer information on eCommerce sites by embedding malicious scripts either directly on targeted websites or by compromising third-party suppliers used by the site. Such “from jacking” attacks have recently impacted the websites of numerous global companies. In another attack targeting enterprise data in transit, the VPNFilter malware also infected a range of routers and network-attached storage devices, allowing it to steal credentials, alter network traffic, decrypt data, and serve a launch point for other malicious activities inside targeted organizations.
We expect that attackers will continue to focus on network-based enterprise attacks in 2019, as they provide unique visibility into a victim’s operations and infrastructure.
Attacks that Exploit the Supply Chain Will Grow in Frequency and Impact
An increasingly common target of attackers is the software supply chain, with attackers implanting malware into otherwise legitimate software packages at its usual distribution location. Such attacks could occur during production at the software vendor or at a third-party supplier. The typical attack scenario involves the attacker replacing a legitimate software update with a malicious version in order to distribute it quickly and surreptitiously to intended targets. Any user receiving the software update will automatically have their computer infected, giving the attacker a foothold in their environment.
These types of attacks are increasing in volume and sophistication and we could see attempts to infect the hardware supply chain in the future. For example, an attacker could compromise or alter a chip or add source code to the firmware of the UEFI/BIOS before such components are shipped out to millions of computers. Such threats would be very difficult to remove, likely persisting even after an impacted computer is rebooted or the hard disk is reformatted.
The bottom line is that attackers will continue to search for new and more sophisticated opportunities to infiltrate the supply chain of organizations they are targeting.
Growing Security and Privacy Concerns Will Drive Increased Legislative and Regulatory Activity
The European Union’s mid-2018 implementation of the General Data Protection Regulation (GDPR) will likely prove to be just a precursor to various security and privacy initiatives in countries outside the European Union. Canada has already enforced GDPR-like legislation, and Brazil recently passed new privacy legislation similar to GDPR, due to enter into force in 2020. Australia and Singapore have enacted a 72-hour breach notice inspired by the GDPR, and India is considering GDPR-inspired legislation. Multiple other countries across the globe have adequacy or are negotiating GDPR adequacy. In the U.S., soon after GDPR arrived, California passed a privacy law considered to be the toughest in the United States to date. We anticipate the full impact of GDPR to become more clear across the globe during the coming year.
At the U.S. federal level, Congress is already wading deeper into security and privacy waters. Such legislation is likely to gain more traction and may materialize in the coming year. Inevitably, there will be a continued and increased focus on election system security as the U.S. 2020 presidential campaign gets underway.
While we’re almost certain to see upticks in legislative and regulatory actions to address security and privacy needs, there is a potential for some requirements to prove more counterproductive than helpful. For example, overly broad regulations might prohibit security companies from sharing even generic information in their efforts to identify and counter attacks. If poorly conceived, security and privacy regulations could create new vulnerabilities even as they close others.