2019 wasn’t a great year for cyber security. Although the number and scope of solutions available on the market increased, blue teams around the globe have been stymied by the increasing complexity and tactics of threat actors and the sheer volume of data to review. Here are four predictions for the coming storm, based on events in 2019.
Information warfare will be the main story of 2020. It is a presidential election year in the United States, and we’ve seen that advanced persistent threat (APT) groups increase their activity during election years. The overall theme this year will be false-flag operations using compromised corporate infrastructure. By routing malicious traffic through U.S.-based companies and compromised U.S.-based identities, threat actors will make attribution harder and delay incident responders. Some parts of the U.S. electorate are still arguing about the attribution of the incidents observed during the 2016 election cycle, so an increased focus on false-flag operations will only support the goals of threat actors seeking to decrease confidence in elections and to create chaos.
Manufacturing in China will become a board-level concern. China’s best-of-breed Comac C919 airplane should serve as a cautionary tale to those companies using Chinese manufacturing capabilities. Forced technology transfer, bribes supporting insider threats, and intentional data exfiltration of intellectual property via advanced persistent threats have allowed China to develop a very nice airplane on an accelerated schedule. The risk to companies with manufacturing capabilities in China is that components of products manufactured there will end up in competing, less expensive, but functionally equivalent products to be sold globally.
Bespoke ransomware campaigns will globally target schools, hospitals, and municipalities. In 2018 and 2019, multiple organizations were forced to pay the ransom to threat actors to provide patient care, to start the school year on time, and to provide basic government services. These attacks were largely aimed at U.S.- and U.K.-based targets. In 2020, threat actors will broaden the number of countries attacked. These attacks are effective because schools, hospitals, and municipalities are often under-funded in cyber defenses apart from cyber insurance, a classic transference of risk. Threat actors may have found a repeatable and profitable sales model.
Cyber insurance carriers will exit the market. We have effective maths for life, health, fire, flood, automobile, D&O, E&O, and many other types of insurance because the insurance industry truly has seen everything. There are no new ways to wreck cars, so insurance rates are relatively stable. Unfortunately, threat actors continue to find new and innovative ways to work around regulatory requirements and technical controls implemented by organizations. Insurance is based on a shared risk model, and threat actors can develop campaigns and cyber weapons that can affect all plan participants at once. As a way of limiting their risk, more carriers will claim that attribution to a state-sponsored APT is equivalent to an act of war and deny coverage (Mondelez vs. Zurich is an example). However, other carriers may consider the market too volatile to decrease their own risks, and exit the market entirely. This may have the related effect of raising everyone else’s premiums in 2020.
However, not all is lost. Organizations can achieve reasonable security and decrease their risks by adopting and implementing a formal cyber security framework, such as NIST or CSC. The effects of these predictions can be mitigated by the investment of time, money, and good people working together against a common adversary.