This has been another busy year for hackers. In 2019 they successfully attacked major cities, governments, businesses, hospitals, and schools around the world. In the past few weeks alone, the city of Johannesburg, Africa was mulling over whether or not to pay $30,000 in Bitcoin – four coins – to hackers. In the end, the city did not pay, despite the hackers’ threat to release citizens’ private data.
Let’s take a look back at some other big security events this year:
An attack in January was detected which involved two different types of malware – Vidar and Grandcrab – in conjunction with an information-stealing trojan. In this scenario the attacker is usually able to reap some cash, unfortunately.
Then in March, a new strain of ransomware, LockerGoga, infected one of the world’s largest aluminum producers, Norsk Hydro. The impact was severe, effectively shutting automation down for days and forcing them to go on manual operation. This led the company to buy hundreds of new computers. In April, the company said it would cost at least $52 million to pay for the damage caused by the attack.
In May, the city of Baltimore was attacked by hackers who froze thousands of city computers and demanded $76,000 in bitcoin as ransom. The city did not pay the ransom. The attack cost the city $18 million and impacted many of their critical systems, including disrupting employees’ email service, halting water billing, and even suspending real estate transactions. In addition, in early October, the city signed up for a $20M cyber insurance policy.
During the summer, the state of Texas was significantly impacted by a wave of ransomware attacks that targeted 23 local government entities. The state refused to pay attackers for the August attack, but the entire event still ended up costing at least $12 million.
In early October, it was revealed that numerous hospitals across the state of Arkansas were hit by a massive attack. The attack encrypted files and restricted access to computer systems at DCH Health Systems Regional Medical Center, Northport Medical Center, and Fayette Medical Center. Medical staff was forced to shift to manual mode and rely on paper copies instead of digital records while the IT system was being repaired.
As a result of all this activity and more, the U.S. Department of Defense recently released a highly-anticipated new draft of cybersecurity standards, which tightens the rules that government contractors must abide by for fending off hacks. The DOD is expected to issue its final framework for cybersecurity standards in January, according to FedScoop.
As for what we can expect in 2020, only time will tell. In the meantime, we’ve asked some of GlobalSign’s brightest minds to share their thoughts below.
Lila Kee, GlobalSign General Manager, Americas
#Prediction2020: Increase in private PKI communities of trust
While enterprises and closed communities of interest increase their reliance on PKI for strong authentication of users and devices, expect to see an increase in privately hosted PKIs. Browsers and public root store programs will continue to serve as the foundation for public trust for external facing eCommerce sites (SSL/TLS), executables associated with external applications (code signing), and secure email (S/MIME), where identities are validated through popular email clients, browsers, and operating systems. There will, however, be a swelling requirement for private trust to support traditional and emerging uses around:
- Remote access user authentication
- Device (IoT, mobile, machine) authentication
- DevOps – both SSL and code signing
- Digital signatures associated with consortiums, industries, and governments
The trend toward cloud everything will drive these private PKIs to be hosted by cloud CA providers to provide the security expertise, certificate agility, low investment barrier, and performance needs of these organizations and private communities.
Lancen LaChance, Vice President, IoT Solutions
#Prediction2020: The quantum computing threat is not yet a real risk, so ignore the hype
Companies are increasingly talking about quantum computing, including Google. But the reality is this, while quantum is going to have an impact on our industry, it certainly won’t be in 2020, nor will it be for at least a decade. There are still many questions to be answered, such as: What is the best algorithm for quantum resistance? Nobody has that answer and until there is an industry consensus, you’re not going to see any quantum solutions in place.
This doesn’t mean we’re not thinking about quantum computing and what it could mean down the road –we certainly are. But in the meantime, crypto-agility is what we’ll be focused on, as it is a much more likely issue in the security industry.
Ted Hebert, Vice President, Marketing
#Prediction2020: A global smart device hack is imminent
There are nearly 30 billion active IoT devices in the world. That’s 127 new devices being brought online every second. Expand that to the 2025 prediction of 75 billion active IoT devices, and the question is not CAN they be hacked but WHEN. That’s just too much temptation for the dark lords of the dark web to resist.
Want to hear something else scary? In 2019 Amazon reported 100 million Alexa smart devices had been sold. Just about the same as Google Home. What – not scary enough? Check out these fast facts: It took 13 years for televisions to reach the 50 million mark in the U.S. alone, versus two for smart speakers. It took four years for internet access to reach 50 million, and two years for Facebook.
The numbers bare it out: The world is moving on quickly. Smart devices and social media are intertwined, leaving users, homes, healthcare, financial, manufacturing and other industries vulnerable, hackable and ripe to be taken down and/or held for ransom. While I wish it were not so, the numbers are getting too large to ignore, and the steps manufacturers, companies, and consumers are taking to secure us all are too slow and too few.
Many of these companies are themselves suffering from cybersecurity budget cuts along with cybersecurity staff shortages. GlobalSign has begun working one-on-one with customers to develop not only a PKI plan but IoT plans as well, to help shore up these deficiencies – including an IoT Developer Portal that encourages experimentation, development, and collaboration between developers/DevOps and crypto experts to bring to market the next generation of more secure smart devices, cobots (collaborative robots), and the like.
Nisarg Desai, Director, IoT Solutions
#Prediction2020: IoT is gaining success, but lack of security continues to be problematic
IoT is successful, but quite a few deployments are delayed due to lack of security. In 2020, cloud service providers will be providing or partnering with security companies to provide secure device provisioning and management, as well as a general secure IoT ecosystem, for their customers.
I am also expecting that regulatory frameworks for IoT manufacturing and deployments will continue to be primarily led by the EU, though we will see an increase here in the U.S. as well. In addition, IoT attacks, compromises, and hacks will continue, unfortunately. Add to that, security standards will not be met, nor will we even be close to a higher percentage of devices being secure. Why? Original equipment manufacturers (OEMs) are still not willing to either pay the costs involved or pass them on to consumers, for fear of losing out on sales.
#Prediction2020: Better web applications will lead to higher adoption of DevOps tools
As more capable web applications give rise to more complex service infrastructure, we will see the overall adoption of DevOps tools and practices rise at a strong pace in 2020. This will also open up more threat vectors and we will see more high-profile hacks, vulnerabilities, and compromises in 2020. Security will become an increasing concern for enterprises and some of these will start investing more heavily in a holistic security approach including, but not limited to, the encryption of all internal and external data in motion and at rest. Data security, compliance, and governance will be big themes, and solution adoption in this space will increase.
Diane Vautier, IoT Marketing Manager
#Prediction2020: Healthcare will continue to be a prime target for cyberattacks
The introduction of IoT connected healthcare devices, and the high value of private electronic medical record (EMR) information, creates a unique and attractive attack surface which makes it absolutely irresistible to hackers. Namely, it’s growing and it’s lucrative. Researchers and forecasters agree that the healthcare-related IoT will continue to experience rapid growth.
But more devices may lead way to more attacks. According to Health IT Security magazine, “The majority of healthcare organizations, IoT manufacturers, and other organizations that leverage IoT devices have faced a cyberattack focused on IoT within the last 12 months.” That includes businesses in Germany, the UK, the U.S., Japan, and China.
These attacks and their costs have everyone on high alert. Medical device manufacturers and health delivery organizations (HDOs) will be looking for ways to reduce the attack surface. They will find relief through traditional PKI-based identity platforms which provide unique device identities to authenticate users, devices, networks, and gateways. By building a network of identity and trust, manufacturers can then enable secure and connected communication.
Patrick Nohe, Senior Product Marketing Manager
#Prediction2020: The internet-wide deprecation of TLS 1.0 and TLS 1.1 will not go as smoothly as hoped
Hopefully this prediction ends up being more along the lines of sounding the alarm bell than a prescient look into the future, but last Spring in a rather unprecedented joint announcement, some of the largest companies leading the internet – Google, Mozilla, Microsoft and Apple – announced they would deprecate support for the now outmoded TLS protocol versions 1.0 and 1.1. Unfortunately, SSL news doesn’t really stay around in the headlines long, and there hasn’t been a great deal of conversation around the upcoming deprecation since then.
As of the beginning of 2019, around one quarter of the Alexa Top 100,000 didn’t support TLS 1.2 yet. But it’s a lot bigger than that – web and mobile applications also use SSL/TLS. So, when the deprecation date arrives it’s a not a huge leap to assume there will be thousands of broken websites and apps on both desktops and phones. The decision to deprecate older protocol versions is a good one. But as an industry, there seems to be a consistent lack of discussion around upcoming technology shifts and how to make these types of transitions in a smooth and user-friendly way. Hopefully this won’t be yet another example of that.
#Prediction2020: More attacks and RSA exploits will be discovered and presented
At this point, the only good argument for continuing to use RSA key exchange with SSL/TLS is interoperability. The ubiquity of the RSA cryptosystem makes it difficult to deprecate. But from a purely best practice standpoint we should all be using an elliptic curve-based approach, meaning ECDHE and ECDSA. The most recent TLS version, TLS 1.3, took the decision out of our hands by eliminating RSA key exchange all together. That’s for good reason, too. The cryptosystem is on its last legs. Last year several new attacks against RSA were presented at various security conferences. That comes on top of a fairly extensive list of previous exploits that have already been addressed but may still be exploitable with a little finesse.
On top of that, RSA key sizes make computation expensive and as they scale upwards in size, the increase in security isn’t commensurate to the increase in resources used to encrypt and decrypt with them. And perhaps no cryptosystem is more threatened by the (eventual) arrival of quantum computing down the road. If you want to have a discussion about crypto-agility, save the quantum-cryptography stuff for after you’ve moved away from RSA.
Lea Toms, Marketing Manager, EMEA'
#Prediction2020: Expect to see more biometric data hacks
While hacks involving unencrypted passwords and personal data are devastating news for the people involved, they are fixable, to an extent. In the future, we will hear more news about exposed biometric data and the consequences it has for businesses and people. Once biometric data has been exposed, there is no way to change it. You can update your password, but not your fingerprint. You can replace your email address, but not your iris. Businesses will have to get ahead of the game and do more to protect the most valuable and personal information there is – biometrics! I expect to see huge record fines for businesses that suffer data exposure of biometric information, and more and more horror stories of people affected by such hacks. It will be increasingly important to protect data with a combination of two or more types of information; with a changeable password or pin in addition to forever biometric information.
As you can see, our predictions span a wide range of topics within cybersecurity, but now we’d love to hear from you. What’s on the top of your mind as we enter 2020? Did we miss any major vulnerabilities or risks? Breakthrough technological developments? Add your predictions to the comments, or tweet us @globalsign #Prediction2020.