With cybersecurity a top concern at the annual World Economic Forum meeting in Davos, Switzerland, Yahoo Finance asked experts: What is the topic or topics that business and government leaders should be focusing on when it comes to cybersecurity and policy in 2018?
Jason Glassberg, co-founder of Casaba Security, responded that currently the most pressing topics are “cryptocurrency ecosystems, election security, ‘DevSecOps’ (this may sound dull, but think: IoT, cars, airline computer systems, smart homes, smart cities, Intel chips, Juniper routers, Huawei, the Internet, basically everything digital under the sun), increased regulation, cyber warfare, and attribution.”
Glassberg broke down each of these six issues:
“Cryptocurrency is obviously a major financial story these days. Everybody and their brother is looking into how to capitalize on it. These markets are notoriously murky, however – fraud and scams are rampant, as are the cyber attacks. So how do you make it safe? How do you take a Wild West gunslinging town, and turn it into the suburbs? It’s a tough issue, and I think we’ll have to look at the gambling industry as an example. The key to this is establishing better security within this ecosystem for the real players. The next step is finding a way to guarantee losses due to theft, similar to the FDIC [Federal Deposit Insurance Corporation] or SIPC [Securities Investor Protection Corporation].
Election security needs no introduction. But while everybody has been freaking out about voter suppression via phony Facebook ads, the reality is that the 2016 election interference was just a sample. It was a nation-state gently dipping its toe in the water, but deciding not to go all the way in. If a country wanted to get serious about election attacks, it could go much further. This is what we need to be prepared for.
It would be possible for a serious player to delete or alter voter registration databases, DDoS the servers used to run those database or the actual voting machines; not to mention, hack the voting machines themselves. The latter would definitely cross a red line, if for instance we found out that Russia had re-tabulated voting machines to directly affect the outcome of an election. But what if the attack was a little less black-and-white? For instance, what if the machines were just infected with random malware that didn’t actually do anything, other than make itself known to the IT team? That would send shockwaves through the system and call into question the voting results, even though the votes weren’t actually affected. This is what we need to be thinking about.
DevSecOps is one of those terms that causes people’s eyes to glaze over when they hear it (if they ever do), but it’s actually very relevant to our lives today. What it refers to is incorporating security into the software or hardware development process. This is hugely significant today because as we’re seeing with the Internet of Things devices that are flooding the market, and the connected cars that are rolling out onto our public streets, software security is usually not the first priority of these manufacturers.
But not to just pick on those two markets, the reality is that DevSecOps is a problem for every industry on the planet, even the security field. Businesses aren’t doing enough to bake in rigorous security into the DNA of their products from the very beginning. Too often they are relying on software updates and patches to fix the problem after the fact, and that is never an ideal solution. This will continue to become a bigger issue in the months and years ahead.
Increased regulation is another issue that businesses could face, as governments try to contend with the growing risk of data breaches and attacks on key infrastructure, whether it’s the GDPR [General Data Protection Regulation] in Europe or the Singapore Cybersecurity Bill. In my own opinion, I think that companies that store consumer data (whether it’s credit card numbers or credit reports), as well as private infrastructure entities like telecom and power companies, are probably most at risk of higher costs due to regulation.
Cyber warfare is another pressing issue today, as more countries are investing in offensive cyber operations. This often puts businesses in the crosshairs and it sticks government in a tough position too because there is no easy solution for preventing or responding to these incidents. A key question when it comes to cyber warfare is do we engage in “active defense”?
That is more commonly referred to as hack-back, but it’s a more complex concept than simply tit-for-tat cyber retaliation. Active defense can mean anything from advanced investigative techniques to disabling the servers behind an attack or turning a city’s lights off for 30 minutes in order to send a message to a rival nation. How we deter and respond to cyber warfare tactics will be a key question for policymakers and businesses over the next five to 10 years.
Attribution is another ongoing issue for governments and businesses, and it’s related directly to the cyber warfare question, although it also encompasses cybercrime as well. What’s also key with attribution is that the pressure to solve these cases could lead to encroachments on digital privacy. In fact, I’d be very surprised if that did not happen. Potential targets here include Tor, VPNs, and encryption tools in general.”
Follow Michael B. Kelley on Twitter @MichaelBKelley