2012 was an interesting year in security – lots of publicity around breaches, leading to greater awareness than we’ve seen in years. This new attention is now encouraging many in the Federal sector to look into our corner of IT. Inside the beltway, all things Cyber were hot items – even in times of shrinking budgets, it’s hard to eliminate spending on security when we can see mounting evidence that:
1. Nation state actors (ourselves included) are turning to cyber weaponry for “diplomacy by other means”.
2. Our own defenses are seriously weak – I’ve written previously about the drum-beat of reporting on breach after successful breach.
It makes for an interesting setup for 2013. In the current context, any prognostication depends on one key question: who will work most effectively on defensive readiness – the Federal government, or the private sector?
For many business people, the question almost sounds farcical – it’s an article of faith that government can never be more effective than private enterprise. But people who really internalize what “risk management” means can see there’s a problem here. A CEO of a business has to ask “what level of risk is acceptable?” We can no longer flippantly assume all IT risks can be eliminated; failures of defenses at major and well-funded corporations show what we’re up against. Putting the “acceptable risk” question in terms of shareholder value, and quarter-by-quarter pressure to perform, makes it clear that we expect our CEOs to think like racing drivers. No team wants their driver to crash, but the driver who minimizes risk loses races. The pressure is on to take as MUCH risk as you can tolerate, because reducing risk costs money. If your competitors spend less than you, and we all make it through the year, then they will have done better, and frankly put, your peer CEOs will make more money than you do. What’s a CEO to do?
Many business questions can be interesting, but don’t really have to be answered – we can let the market sort it all out (or so the theory goes). But in our environment, some of our most critical infrastructure is run under this “racing driver” pressure. Energy company CEOs and heads of Wall Street firms are just as vulnerable to the tradeoff, where maximum personal income comes from spending as LITTLE on security as you can get away with.
This is why the question of Federal regulation is so essential as we look at security events of 2012 and try to look forward into 2013. The government attempted to answer this question last year, with the failed Cybersecurity Act of 2012.
So what will happen in 2013?
1. No New Legislation
Leading off, I do NOT think we will see a successful attempt to pass a new Cybersecurity Act, or an executive order to the same effect. (Presidential Policy Directive 20 already got into this space, although more from an offensive or policing aspect than a defensive one.) As the dust settles from the 2012 US elections, it doesn’t seem there’s legislative will, or sufficient numbers, to push the issue through.
2. The Year of Continuous Monitoring
Having started with a negative prediction – no new law – I want to make clear that I don’t think this does anything to derail the train that’s already moving at speed down the tracks. It goes by the name continuous monitoring, and like a good steam train, there’s more than enough momentum there to cause changes throughout the year. Today, continuous monitoring is primarily a US, and specifically Federal, set of requirements for how to make sure all the money we’ve spent on defensive technologies is actually doing something. It’s not just a good idea; it’s the law – specifically, FISMA, an act from 2002. Hey, I said the Federal government was highly significant in this arena, not that they are quick. Ten years on, we’ve seen mountains of paperwork, producing little benefit. Continuous monitoring is the battle cry of those leading the charge to turn FISMA into a successful program of actual defensive gains, and they are winning hearts and minds.
3. FISMA Beyond the Beltway
Continuous monitoring isn’t just a theme of the New Year for Federal workers. During 2013, the mandates will increasingly be applied to those who do business with the US Federal government – which, in the US, is very roughly everybody. Indeed, I’m willing to suggest that during 2013, commercial security teams will voluntarily pick up continuous monitoring as a way to defend their budget and drive some much-needed change in the risk assessment used in “racing car driver” organizations.
4. Cross-over Weaponry
So far, I’ve emphasized deliberate interactions between private and public security efforts. However, it seems likely that when we summarize 2013 next December, we’ll look back on some unwelcome public/private crossovers, specifically in the form of malware re-use. During 2012, a succession of attacks with the hallmarks of nation state actors or national spy networks took place. These attacks got a lot of press when they were “zero day” (indeed, the hype curve around zero day exploits still won’t peak during 2013, but I expect it’ll be close and audience fatigue won’t be far off). But there’s abundant evidence that you don’t need “zero day” attacks to hit most commercial enterprises – good, old-fashioned time-worn attacks work just fine, and are much cheaper.
So let’s assume I’m right about prediction three – that companies will (voluntarily or otherwise) get better at defense. Now what’s the next step up for attackers? Build their own malware? Of course not – that’s far too much effort. Far easier to pick up and re-use the code from sophisticated attacks. Today, there’s a degree of difference between the tools used by nation states and criminals, but during 2013, I predict that will erode – we’ll see the rise of cross-over weaponry. After all, it’s not hard to copy an effective executable, as we’ve seen for years in this business. The trick, as we move into 2013, is the increasingly public behavior of a new kind of supplier – nation state intelligence “factories,” whose weapons are a lot easier to clone than kinetic domain armaments.
So those are my predictions for 2013. Do I sound pessimistic? I hope not. I do expect some spectacular breach reports, and highly news-worthy breaches. But for all that, I believe that in this arms race, the defenders are making great strides, adopting automation, and identifying and fixing weaknesses faster than ever. Defensive success is a lot less news-worthy, but done right, it does quietly build careers and lead to both greater attack readiness and greater demonstrability of solid controls.