NTSC Blog

Top 2018 Cybersecurity Predictions for CISOs

When the usual yearly prediction articles emerge about cybersecurity trends, they usually appear in a flurry from December to January and end abruptly—forgotten about until the next year. However, seeing as it’s part of our mission to stay on top of cybersecurity trends that impact CISOs, we became curious about what these articles actually predicted for 2018, if there were any consistent predictions across all articles, and if the major trends correlated to any national cybersecurity policy issues that we track.

Not surprisingly, most of the CISO-oriented cybersecurity predictions addressed the most aggressive cyberattack threats they will face this year. A few predictions did touch on regulations and indirectly touched on issues related to national cybersecurity policy (such as data breaches). Let’s look at the top 10 predictions across 19 prediction articles geared toward the CISO and senior technology executives.

1. The General Data Protection Regulation (GDPR) deadline arrives and impacts nearly all organizations.

An anomaly in the top 10, GDPR emerges as a key prediction in 2018 because this EU regulation will inevitably impact CISOs once it goes into effect on May 25, 2018. CSO Online says that “many, if not most, U.S. companies will not meet GDPR compliance by deadline” and “GDPR regulators will quickly make an example of an organization.” This regulation has companies scrambling and worried about heavy fines and penalties. Trend Micro “found that the majority of C-level executives (in 57 percent of businesses) shun the responsibility of complying with GDPR, with some unaware of what constitutes personally identifiable information (PII) and even unbothered by potential monetary penalties.” SecurityIntelligence even mentions a possible GDPR consultant shortage as the deadline draws near.

As we noted in our National CISO Policy Conference recap, “Because the US does not have an equivalent data protection standard, we are at a disadvantage compared to countries with more stringent laws. Our mentality is also different. The EU is very focused on protecting the rights of individuals and demands informed consent from them. […[ [CISOs] need to understand their data—what it is, where it’s stored, how it’s structured, how it’s classified, how it’s segregated, etc. to adhere to GDPR. Data portability and the right to erasure are huge issues that may trip up companies.”

2. IoT security issues increase.

With IoT devices growing from about 8.4 billion in 2017 to a projected 11.2 billion in 2018, the security issues related to this rapidly increasing attack surface only continues to grow. It’s the kind of security problem that can drive a CISO insane as the number of devices needing security multiplies so quickly. According to Trend Micro: “…aside from performing DDoS attacks, cybercriminals will turn to IoT devices for creating proxies to obfuscate their location and web traffic, considering that law enforcement usually refers to IP addresses and logs for criminal investigation and post-infection forensics.”

We have not seen a lot of traction from the private or public sector toward regulating the security of IoT devices and the data they transmit. Last year, Senator Mark Warner (D-VA) and Cory Gardner (R-CO) introduced the bipartisan Internet of Things (IoT) Cybersecurity Improvement Act of 2017 that would require devices purchased by the federal government to adhere to a specific set of security recommendations.

CIO notes the pressures on CISOs: “On the enterprise side, it will be problematic for organizations to know what information is leaving their networks or what data is being secretly captured and transmitted by devices like smartphones and smart TVs. When data breaches do occur, or transparency violations are revealed, organizations are likely to be held liable by regulators and customers.” Significantly for the NTSC, Infosecurity Magazine notes that the impact of IoT will be felt in legislation. According to Gary Hayslip, chief information security officer of Webroot (and NTSC Advisory Board member), “The Internet of Things (IoT) may be the most affected sector by the Meltdown and Spectre bugs, but it’s the legislation that many determine will be the biggest game changer. Legislation will require IoT manufacturers to be responsible for producing products without known defects.”

3. AI and machine learning evolve for both security practitioners and attackers.

At our NTSC National CISO Policy Conference in October, Rami Rahim talked to our group and “pointed out that while the mainstream media stokes fears about AI exhibiting human intelligence, the more practical areas of AI right now are narrow AI and machine learning. These AI applications could lead to machines that, for example, understand the nuances of a ransomware attack better than current software.” While hyped over the past few years, machine learning is predicted to make modest advances this year when helping CISOs with cybersecurity—and CISOs will be forced to adopt some kind of machine learning because cyberattackers are using it.

For example, Symantec predicts “we will see AI versus AI in a cybersecurity context. Cyber criminals will use AI to attack and explore victims’ networks, which is typically the most labor-intensive part of compromise after an incursion.” Security Intelligence adds that “as AI software becomes more mainstream and/or open source, cybercriminals will adopt AI tools to not only automate and accelerate their current activities, but also to more closely mimic natural behavior for social engineering and phishing purposes.”

We have seen a growing interest on Capitol Hill from lawmakers to understand the cybersecurity implications of AI. While some technologists contend that it is too early to implement AI regulations, the CEO of SpaceX and Tesla, Elon Musk, stressed the importance of policymakers to regulate AI now. At the US National Governors Association’s summer meeting last year, Musk stated, “AI is a fundamental risk to the existence of human civilization.”

Last December, congressional leaders introduced a bipartisan bill in both the House and Senate called the Future of AI Act which would establish an advisory committee to analyze how AI technologies will impact society. In particular, the bill focuses on data sharing and data privacy procedures. With the establishment of the bipartisan AI caucus last year by Rep. John Delaney (D-MD) and Rep. Pete Olson (R-TX), it’s clear that examining the security implications of AI technologies will remain a top cybersecurity policy priority this year.

4. Ransomware and digital extortion grows more sophisticated.

More of this deadly malware in 2018 is not a surprise—it works well as a business model for criminals. But ransomware-as-a-service will make it easier—and many criminals are skipping ransomware entirely to focus on simple extortion. For example, Trend Micro points out that “Cybercriminals could target private data covered by the [GDPR] regulation and ask companies to pay an extortion fee rather than risk punitive fines of up to 4 percent of their annual turnover. Companies will have ransom prices associated with them that cybercriminals can determine by taking publicly available financial details and working out the respective maximum GDPR fines the companies could face.” McAfee notes that “Attackers will adjust to target less traditional, more profitable ransomware targets, including high net-worth individuals, connected devices, and businesses.”

5. Increased security issues with cloud computing.

As organizations continue moving aggressively into the cloud, security is not following at the same pace. Jon Oltsik says: “According to a recently published ESG/ISSA research report, 29 percent of organizations have an acute shortage of cloud security skills. […] [Organizations] are not setting up the right security policies, processes, or controls for the cloud. This will inevitably lead to lots of easily exploitable vulnerabilities, data breaches, and regulatory compliance violations.” While the cloud is more locked down than most on-premise servers, hackers are switching tactics and exploiting weaknesses through social engineering and phishing.

These cloud security issues will affect popular services such as IaaS and SaaS. Symantec notes that IaaS “introduces significant risks, with simple errors that can expose massive amounts of data and take down entire systems. While security controls above the IaaS layer are a customer’s responsibility, traditional controls do not map well to these new cloud-based environments—leading to confusion, errors and design issues with ineffective or inappropriate controls being applied, while new controls are ignored.” Additionally, SaaS’s “rate of change and adoption present many security challenges as access control, data control, user behavior and data encryption vary significantly between SaaS apps.”

6. Malware grows more sophisticated.

While the majority of malware in 2018 will remain traditional, an evolution in fileless malware is being exploited by criminals. According to Symantec, “2016 and 2017 have seen consistent growth in the amount of file-less and file-light malware, with attackers exploiting organizations that lack in preparation against such threats. […] Like the early days of ransomware, where early success by a few cyber criminals triggered a gold-rush like mentality, more cyber criminals are now rushing to use these same techniques. Although file-less and file-light malware will still be smaller by orders-of-magnitude compared to traditional-style malware, they will pose a significant threat and lead to an explosion in 2018.” Hayslip also notes that “Malware campaigns will use AI to make secondary infection decisions based on what they’ve learned from previous campaigns.”

7. More (and worse) data breaches on the horizon.

Cybersecurity experts are pessimistic about data breaches in 2018. No signs exist that frequency will dip or severity will lessen. Tyler Moffitt of Webroot says, “I predict a minimum of 3 separate breaches of at least 100 million accounts each. I’d be willing to bet the data has already been compromised, but the affected organizations won’t learn of the breach until next year. In Info Security Magazine, Viktors Engelbrehts of eSentire said “Politically motivated and espionage cyber-attacks against the critical infrastructure industry will continue to increase. There is also the potential for loss of human life as a result of targeted cyber-attacks, especially in the healthcare sector.”

Because of the increasing frequency and damage from data breaches, CISOs need to focus on securing their organizations. However, as we stated in an op-ed on The Hill last year, “In addition to securing consumer data from continual cyberattacks, CISOs are also responsible for the regulatory compliance that accompanies the business. Unfortunately, the regulations from the federal government, along with the regulatory patchwork instituted by all 50 states, the District of Columbia, and the U.S. Territories, does little to protect consumers. The current regulatory requirements throughout the country represent financial investments in administrative costs unrelated to cybersecurity. Instead of focusing on the latest technologies to safeguard against a cyberattack, the emphasis is misplaced on trying to meet the standards set forth in the regulation. Simply stated, CISOs are more often forced to focus on regulatory compliance and not necessarily cybersecurity.” In 2018, this situation needs to change through a national data breach notification law.

8. Biometric-related cyberattacks will emerge.

Many cybersecurity experts predict that we will see biometric-related breaches and cyberattacks increase in 2018 as biometrics become more widely used and available. FICO notes “the more menacing problem is that as leveraged for security applications, biometrics are nothing more than the stored digital interpretation of a biological feature, which is then associated with your account credentials. Those digital files can be spoofed, stolen or simply rearranged to point to a digital identity other than your own.” Eric Klonowski of Webroot adds “We will see the first biometric-access-based exploits using facial recognition or fingerprint access.”

9. Blockchain helps with security and tempts criminals.

By its nature, blockchain offers unprecedented information security in an autonomous, decentralized fashion—threatening to disrupt many traditional aspects of information security (especially in the financial services industry). Forrester (quoted in TechRepublic) “predicts blockchain will become a foundational technology for: 1) certificate issuance and authentication; 2) IDV; 3) malware and ransomware protection via binary reputation checks; and 4) document authenticity and integrity verification.”

Obviously, hackers have significant trouble getting around blockchain’s security. Symantec notes that “instead of attacking Blockchain technology itself, cyber criminals will focus on compromising coin-exchanges and users’ coin-wallets since these are the easiest targets, and provide high returns. Victims will also be tricked into installing coin-miners on their computers and mobile devices, handing their CPU and electricity over to cyber criminals.”

10. Government-issued IDs erode.

During many NTSC roundtable discussions last year, the CISOs on our Board noted that too many weaknesses exist with government-issued IDs (such as social security numbers) to make them sustainable over the long-term. Inevitably, something will need to change. Forrester notes that “The Equifax breach demonstrated that no single entity—including any government—can safeguard identity data and provide trusted and reliable identity verification for a large number of consumers, especially as customers increasingly engage with businesses through digital channels. Forrester predicts that in 2018, we will see an expansion of identity verification services to large banks such as Bank of America, Capital One, Citi, and Wells Fargo.”

In an interview conducted as part of a FireEye report, Kevin Mandia said, “The idea that you can get someone’s date of birth, and their Social Security number or state ID number, and steal their identity and do fraudulent tax refunds, or try to get a loan or credit card – that has to change. Now, you’re seeing a lot of modern nations and sovereign nations start doing digital identification. This has to happen.”

---

We’ve included a list of the more disparate predictions only seen referenced once or twice across all articles. At the end of the year, we’ll revisit this article to see how our industry’s predictions turned out.

  • A rise of high-end security services (e.g. EDR, managed threat hunting, malware analysis, continuous penetration testing, threat intelligence analysis, MSSP)
  • More security automation
  • More state-sponsored attacks
  • The CISO role becoming more prominent and important
  • Increasing mobile security issues
  • More cyberpropaganda and election interference
  • More supply chain attacks
  • A need for better incident response
  • Continuing issues with social media security
  • Prioritization of security technology integration
  • A decline of passwords
  • Lack of trust impacting business
  • Protecting employees more
  • Consumer pressure on government to regulate
  • Ascent of cryptocurrency
  • More BEC losses
  • Enterprise security issues
  • More financial trojans
  • Serverless app security issues
  • Increased demand for cybersecurity talent
  • Big data security issues
  • Boards will continue to understand the implications of cybersecurity
  • C-Level buy-in of cybersecurity will increase
  • Increased importance of enterprise cyber score and security ratings
  • Near-ubiquity of two-factor authentication
  • Increased threats to critical infrastructure
  • Increased government vulnerability to attack

Sources