In today’s crazy world, where hackers can take down entire companies, cancel projects, and ruin movie night for millions, I have to believe we’ve hit some sort of tipping point. I mean, someone who doesn't like your company shouldn’t be allowed to kill it.
I’m not talking about Sony alone. Hackers have been putting companies out of business for years. In the past it’s been smaller firms, but now damages in the hundreds of millions of dollars -- or in Sony’s case, probably half a billion over the long term -- are commonplace. Remember that few of these attacks required sophisticated hacking techniques; it's generally a matter of poor defenses. Almost any company could be Sony.
The security state has become so bad, it has to get better. In fact, I see four areas of light in the endless fight against malicious hackers and malware:
1. Better training to fight social engineering
Most companies that got pwned this year were hit by skilled practitioners of social engineering.
The phishing emails you need to worry about aren’t the ones with typos coming from strange people asking you to get involved in something you’ve never heard of. No, today’s spear phishing emails arrive from someone you know and work with on a regular basis, refer to a project you’ve both been working on for a long time, and ask you to do something that seems highly plausible given the other shared facts and knowledge contained within the request.
The only defense against such sophisticated attacks is better training. We have to educate our users about the most common types of attacks and what those attackers will try to get you to do -- such as log on to a website (to steal your corporate credentials) or run a program (usually a Trojan).
I'm sure you've seen the stale boilerplate instructions most companies use, such as telling people not to open suspicious file attachments or to avoid "untrusted" websites. In 2015, I think companies will finally update that advice to meet the challenge of today's more sophisticated threats.
2. More privacy by default
Over the last year-plus, thanks to Edward Snowden, everyone has learned they had no privacy.
The revelation that most governments are reading our emails and tracking our cellphone calls created a backlash that won't die. Most cloud services have already enabled default encryption in their products or are creating the functionality and plan to release it in 2015. I think by 2016 you’ll be hard-pressed to find a product, cloud or otherwise, that doesn’t include default encryption, where the only person who can access the keys is the owner. That will be a great development.
I’m not fazed by the fearmongers who argue default encryption will cause the world to be overrun by terrorists and child pornographers. Sorry, guys, you’ll have to go back and do hard police work -- or at least get a warrant. I'll never be willing to give up my right to personal privacy, along with that of billions of others, to catch a few hundred or thousand bad guys.
More and more companies are hiring privacy advocates, including Chief Privacy Officers. Guaranteeing a customer or employee’s data protection and privacy has hit the mainstream. There’s no going back. This horrible period of vicious, Orwellian privacy invasion will finally come to an end.
3. More crowdsourced defenses
Crowdsourcing has worked for everything from funding inventions to giving to good causes to organizing protests. Crowdsourcing can work for computer security, too.
Most of the bad guys carry out their plans with many people at the same time. Spammers send out tens to hundreds of millions of copies of the same email. APT groups usually invade hundreds or even thousands of companies at the same time. Each victim has valuable, detailed information to share about these misdeeds.
Why we haven’t shared such collective intelligence with each other more often, not to mention more quickly, has always perplexed me. But in 2014 I came across more organizations that existed solely to share their experiences of being hacked, either among a selected group of business partners or within entire industries. The results were productive.
Hackers have long shared different hacking methods and successes with each other. Why shouldn’t the victims do the same?
In 2015, more organizations for sharing information will emerge -- as well as more tools that use information learned from the majority. Information readily shared today among antivirus partners will begin to be shared in open forums and feeds. Crowdsourcing of computer security defenses will make it harder for hackers to hide.
4. More international cooperation
Internet criminals commit crime because they know their chances of getting caught are slim.
In today’s Internet, much like in the Wild West, malicious hackers need only slip across the border to avoid prosecution. We know the identities of many hackers who cause damage, but their home countries will not recognize our warrants or arrest them even if we have a great deal of direct evidence.
The Wild West was replaced by a safer civilization because communities (look up Tombstone City) decided that law and order had to prevail in order for humanity to succeed. Today, even countries where rogue operators have been allowed to flourish are seeing the light, if only for self-interest. For example, many U.S. companies now block Internet traffic from entire countries due of the actions of a few bad seeds. That can't be good for those countries' economies.
In the past, many of these safe-harbor countries have cynically turned a blind eye so long as the hackers focused on foreign victims. Eventually, these thieves couldn’t help themselves and began hitting easy domestic targets, too. Governments that used to tolerate attacks against foreigners are discovering what happens when the chickens come home to roost.
Eventually, a border will become less of a jurisdictional blocker than it has proven in the past. I think you’ll see more international cyber criminals rounded up and put in jail. You’ll always have some states, such as Russia, where bribes go a long way to maintaining local protection. But even the old guard will tested as more public evidence comes to light.
Real change? Maybe so
My default Grinch attitude won't allow me to believe computer security will improve radically in 2015, but I see glimmers of hope. Heck, I’ll be overjoyed if only one of these predictions came true; even a single success will give us more ammunition to fight cyber crime than we've had before.
I have high hopes because something has to change. We can’t let someone who doesn’t agree with a movie take out a company and interrupt the social lives of nearly everyone. That’s way too Wild West.