Each year’s ending is replete with predictions of what the year ahead portends. In this practice, the security sector is no stranger. If only our lives were simple enough that the February prognostications of a groundhog would answer it all. Yet, they are not.
When it comes to predicting the future, the philosopher Santayana warned: “Those who cannot remember the past are condemned to repeat it.” Recent events provide sobering examples of that truth. The Apple-FBI dispute was one of the more painful examples we witnessed – a debate the Australians continued. Both instances were advanced with considerable hand-wringing, which might have been avoided if parties involved had let the past inform their efforts.
Digital Rights advocates, including tech giants, share concerns about privacy and the potential impact of “new” powers requested by organizations fighting terrorism and other threats. In 1994, I worked for the FBI when similar laws (Voice-Over-IP) were proposed. Law enforcement and the intelligence community expressed concern that it would undercut their ability to battle threats. Congress, the private sector and the intelligence community came together, creating a solution with no small consternation – that if the legislation were enacted, dire consequences would follow – “Dogs and cats living together!” Nonetheless, we passed the Communications Assistance for Law Enforcement Act, and those terrible things did not happen. Looking ahead, there are admittedly novelties about which the past may be challenged when it comes to informing operational interests.
Terrorist Use of Crimeware as a Service
While terrorists have been tormenting us for years, we anticipate more potentially destructive attacks in 2019. Adversaries will leverage new tools to conduct harmful assaults on targeted entities, including attacks on data integrity, essentially killing computers to the point of requiring mandatory hardware replacements, and attacks leveraging new technology for physical assaults such as the recent drone attack in Venezuela. Attack surfaces are growing, which enemies will leverage to their advantage. Organizations must take inventory of their attack landscape, identifying and mitigating potential threats before they are exploited.
Leveraging AI-Based Technology to Distinguish Sensitive from Non-Sensitive Data
Currently, parsing through data is a manual process. In 2019, AI-based technology will gain the ability to learn what’s sensitive and automatically classify it. This development will require greater consideration of how to manage and control data.
Companies are also adopting automated penetration testing, allowing pen testers to work on more unique or advanced red teams/pentests. These automated processes allow for control validation, which lowers costs and provides a higher degree of assurance. Companies will need to accommodate automation by further developing their solutions or seeking integrations with automation-focused industry vendors.
A Buyers Revolt Spurred by the Rising Cost of Security Controls
As the industry grows, the cost of security controls and the number of breaches grow with it. As this endless cycle continues, the security industry will be assailed by its customers for a growing cost burden that’s not productive. Organizations who do not understand this will face waves of backlash.
Increasing Privacy Penalties and Risk Spurred by Biometrics
While some organizations are adopting end-user behavioral analytics, the technologies can be costly and increase privacy risks. Collecting data and processing it on the endpoint leaves it susceptible to attack. In 2019, organizations must adopt continuous authentication to protect crucial identifying information. With this technology, end users’ biometric footprints will determine identity without incurring privacy penalties, risks and costs that traditional biometrics or central-based behavioral analytics face. Yet, AI can be a two-edged sword. Thus, careful and considerate reflection in its deployment, informed by lessons from the past, is – as it has always been – the order of the day.