RSA President on Security in 2014: 'Best of Times, Worst of Times'
Looking Ahead to 2015

So what does Coviello expect to take place in 2015? His thoughts:

--"Nation-state cyber-attacks will continue to evolve and accelerate, but the damage will be increasingly borne by the private sector. In 2014, nation states around the world increasingly pushed the boundaries of acceptable cyber assault to control their own populaces and spy on other nation states. With no one actively working on the development of acceptable norms of digital behavior—a digital Hague or Geneva Convention, if you will—we can expect this covert digital warfare to continue. Increasingly, however, companies in the private sector will be drawn into this war—either as the intended victim or as the unwitting pawn in an attack on other companies."

--"The privacy debate will mature. We're beginning to see a softening of the current polarized environment in the U.S. and Europe as people recognize that privacy is under attack from and being defended by a more varied and complex set of actors than the current debates would lead you to believe. It is increasingly recognized that privacy is not a monolithic concept and that it cannot survive apart from security. A more pragmatic, balanced debate about how to secure our privacy will ensue in 2015 and the prospects for responsible privacy policies and intelligence sharing legislation that would better protect our privacy may improve. One test of this prediction will be the outcome of the EU General Data Protection Regulation, which may reach a final form in 2015."

--"Retail is an ongoing target, and personal health information is next. As a result of the numerous retail and financial services breaches in 2014, organizations who handle payment card data are strengthening their defenses and shortening the window of opportunity for cyber-criminals, making them a less lucrative target. Unfortunately, the retail sector is massive and worldwide and will continue to be a target-rich environment. In 2015, however, well-organized cyber-criminals will increasingly turn their attention to stealing another type of data that is not as well-secured, is very lucrative to monetize in the cyber-crime economy, and is largely held by organizations without the means to defend against sophisticated attacks: personal information held by health care providers. Unfortunately, we are likely to see another series of very public breaches before many providers improve their security to effectively deal with these threats."

--On the Internet Identity of Things: "Despite the publicity that software and system vulnerabilities receive, they are becoming less lucrative for criminals than social engineering and other more easily executed 'trust exploits.' I saw a tweet this year along the lines of 'Who needs zero days when you've got stupid.' The increase of machine-to-human and machine-to-machine interaction will only exacerbate this situation. As such, the authentication and identity management and governance of who, and with the Internet of things (IoT), what is accessing our networks and data will be an increasingly critical element of security in 2015. Get ready for the botnet of things. When you consider this trend, the strong growth of IoT in the health care sector, and my PHI prediction, the ramifications are truly scary."

Coviello said that he is not hopeful for a lot of change in the prospects for U.S. cyber-security legislation in 2015, despite a change in the leadership of the U.S. Senate. "Though the subject is of critical importance for the future of all countries, it is complex and progress is difficult in the current geopolitical climate," he said. "In the absence of comprehensive legislation, industry regulators will step in to fill the void, creating a patchwork of new, potentially incompatible compliance requirements."

New Standards Must Be Pushed Through

Thus, new standards will become more important than ever—and those projects move at the speed of glaciers. Hackers do not.

With all of the above to consider, Coviello nonetheless said that he's "cautiously optimistic about the prospects for collaboration and collective progress in the private sector, as companies and industries are recognizing that in the digital world, no one is an island. We're more like an archipelago and we're starting to build bridges. The recent growth of industry groups and Information Sharing and Analysis Centers (ISACs) is the proverbial rising tide that lifts all boats," he said.

The next step is to go beyond information-sharing and band together—even across industries—to advocate for and lead the development of strong, global cyber policies, Coviello said. "If we have learned anything over the past couple of years, it's that if anyone is going to get us out of this mess, it's going to have to be us. May we all continue to make progress together in building a trusted digital world in 2015," he concluded.