Chapter 8: The future of cybersecurity

There’s no doubt that the world will continue to get smaller as we embrace innovation and become more connected. Remember the idea that we’re only six degrees of separation away from each other (or Kevin Bacon)? It is the notion that anyone may be connected to another person via just five intermediaries. It sounds cool that you and I are possibly linked to celebrities or historical figures without even knowing it. But once you remember that you can now build a content marketing platform made up of blogs, videos, and podcasts to build a multi-million-dollar business, send a message to a favorite celebrity on Twitter who will share it with their gazillion other fans, or upload a dancing video of yourself quitting your job on YouTube that will be captured by BBC, CNN, Fox & Friends, and a variety of other networks, the degrees of separation are closer to four or even three.

The truth of the matter is that many of us are over-connected and things are going to get worse. We can avert some of the impending challenges by taking action now to defend ourselves and our organizations by implementing some basic cyber hygiene.

These are my top three suggestions that you can start doing today:

For Companies:

1. Fix the basics before spending money on the shiny new widgets. Use the Cyber Essentials guide to assess whether you have the basics in place and then implement what’s missing. https://www.cyberessentials.ncsc.gov.uk/advice/

2. Carry out risk assessments that identify the real risks and vulnerabilities in your system, and ensure that you understand what needs protecting and what doesn’t need protecting.

3. Invite cybersecurity experts as non-executive directors, or the equivalent, to sit on the board and provide guidance on cyber-related issues.

For Consumers:

1. Take responsibility for protecting your own data, and do not rely on others to do it for you. (See Chapter 4 for best practices.) Find more details at https://www.getsafeonline.org/protecting-yourself

2. Insist that organizations and governments become accountable for the security of the data they hold on your behalf.

3. Think about what privacy means for you and what you want to share with everyone in the virtual space. Remember, privacy is a personal choice. Where possible, request to view and delete personal data.

For Governments:

1. Be a role model and implement best practices in securing the nation’s infrastructure so that companies will follow suit and protect themselves.

2. Invest in training and education for everyone.

3. Regulating our way to security is not working. In our experience, this has translated into a focus on compliance, and in our work, compliance does not equal security. A more radical approach is required.

Last words, career advice

There is a unique opportunity for cybersecurity professionals who want to be on the right side of history and in a critical and flourishing industry that faces unique opportunities. The time is ripe for those who want to take advantage of the interconnectedness, get paid well, and have fun along the way.

To get ahead I recommend the following:

1. You must be able to communicate with business leaders in terms they understand. You must understand the differences between business risks and tactical risks.

2. Acquire the attributes discussed in this book—the technical skills and soft skills—and be sensitive to the changing environments. Remember to listen, communicate, stay cool under pressure, manage expectations, and have a good sense of humor.

To get you started, here are some of the latest trends and technologies that will drive more cybercrime in a virtual world because everything is hackable and anyone could be your enemy.

Trends

Let’s start with consumer trends—those areas where we all tend to want things to get faster, bigger, and better.

The Internet of Things (IoT): We’re way beyond protecting home routers and into protecting home appliances—cars, thermostats, DVRs, or other internet-connected devices—in increasingly connected homes. Many of us now have internet-connected security cameras in our homes to monitor our children, our home, or a babysitter’s activities while we’re away. But what happens if someone locks you out of your devices or your home? Or injects malware, such as the Mirai botnet, to control your home router, your Netflix account, or even your toaster?

Driverless Cars: Autonomous driving has made it possible for cars to drop riders off at a specified location and pick them up later from the same spot. This new technology is loaded with communication risks—from interruptions between the car and the satellite that directs the vehicle, data leaks about personal information on the driver(s), or denial-of-service attacks—that can prevent the vehicle from operating properly. This means that a hacker can potentially stop a car and demand a ransom to get it back up and running, or if the car’s 3G/4G connection isn’t properly secured, interrupt communications and infect its network. But damage to the car’s engine or navigational system is insignificant—just imagine the lasting and disastrous impact to the driver’s life.

“In-Home” Delivery: Amazon has exceeded any of its inventors’ expectations of delivering consumer goods by introducing Amazon Key—an in-home delivery service that unlocks your smart door lock, drops the package inside your house, and then relocks your door while an in-home wireless camera records the entire process. What if the technology records activities in your home or your conversations long after the delivery? Or what if it disables your Wi-Fi and camera to allow the delivery person to re-enter the home after delivery? When these concerns and other flaws were raised about the new service, Amazon issued a statement saying that such events were unlikely. If any did occur, they would be a result of Wi-Fi tampering and not Amazon software issues. Amazon promised to upgrade their software so that doors wouldn’t be unlocked if the Wi-Fi or the camera was offline. Time will tell if other unexpected glitches come up.

Smart Grid Attacks: As cities adopt digitization and automation of their electrical services, malicious hackers or social hacktivists can now infiltrate a power grid that serves tens of thousands of residents and businesses to shut it down or send the wrong signals to an entire control system architecture. If you live in the US, you may remember the Northeast blackout of 2003 that affected about 65 million people in Canada and the US, and many didn’t get power back for weeks. That was a software bug. A full-on cyberattack would cause much more damage, and if you think it’s just a matter of time until that happens, you’d be wrong; the US Department of Homeland Security has already accused Russia of targeting a power grid that serves sectors such as water, energy, and nuclear facilities.

Other trends that will present opportunities for cybercriminals to exploit include identity theft, wire fraud, organized crime, doxing (publishing another’s private information online without their permission), child pornography, and cyberbullying.

While certain trends will play an important role in the future of cybersecurity, the key reasons this field is a growing one will remain. The growing data problem means that more of everyone’s information will end up stored in the cloud and be highly attractive to cybercriminals. Consumers want products and services faster, cheaper, and better, signaling marketers to rush to upgrade and deploy new technology—sometimes with glitches—that will need future improvements. Because we don’t value our privacy as much as we should, we leave ourselves open to malicious attacks. As long as our shared experiences remain interconnected and we rely on IoT-connected gadgets and devices, virtual assistants, complex systems, and connected infrastructures to conduct daily tasks, the attack surface will continue to expand in size and complexity.

In all the above examples, manufacturers will need help creating enhanced security controls, authentication, and encryption for their devices to keep hackers from accessing and communicating with them, as well as experts to analyze and report on the devices’ performance.

Technologies

Cloud Technology: As more businesses and government agencies use cloud technology to store their data, more hackers will follow them right to their corporate cloud in hopes of accessing company information, source code, and consumer data. This spells a growing need for virtualized systems security expertise to minimize nation-state attacks, malware injections, spear phishing, denial-of-service, and human error, to name a few.

Ransomware: There are now significantly more phones in the world than there are laptops, and my prediction is that hackers will soon start locking up phones. Why? It’s easy, and can be highly profitable. If someone broke into your phone and asked for $1 to unlock it, you’d probably comply because you already spent $600 to $1,000 on it. A one-trick-pony hacker can make a killing, since most of us own at least one cell phone.

Hardware Authentication: Because we are so connected at work and in business, we will need more secure ways to access networks. Hackers know that individuals often use weak passwords and need to access multiple platforms, increasing the need for more secure user authentication methods, especially in IoT setups where multiple devices share a network.

Artificial Intelligence (AI): Independent, autonomous technology that performs in the absence of human interaction is already here. It’s smarter and faster than computers or humans, upgrades constantly, and flags threats faster than a patch can be deployed. But it’s not perfect. Although most attacks happen without AI, humans will still need to work with AI to develop better and smarter security solutions.

Last words, concluding thoughts

By now, you have a good grasp of what it takes to enter this rewarding field, so if you’re serious about pursuing it, make sure to review Chapter 6 for the next steps. You also have a better understanding of the issues surrounding privacy and online security, and that the current mechanisms just aren’t protecting us. I don’t know if the internet will ever be a safe place. But I know that in its current state, we all need to take more responsibility in educating and protecting our identities and everything we use online.

So, where does this leave you? I’ll say it one last time: people, businesses, and governments continue to act negligently toward their own data and privacy. With some planning, you can become part of the ranks of those who help individuals and organizations of all types get it right—whether it’s helping to educate them in preventing hacks, or investigating breaches and helping them recover. Although this is the end of the book, I hope this isn’t the end of our time together. If you need to talk about the industry, feel free to contact me at the address below, and I’ll try my best to answer your questions and help you make sense of things.

Finally, I sincerely thank you for taking the time to learn more about cybersecurity. It’s now time for you to take the reins and strategize on how to pursue this field, and I hope you do. While there’s certainly an opportunity to be on the dark side of things, wreak some havoc, and make money, we on the “white hat” side need all the help we can get. I hope to see you on the other side.

Bill Hau