Each year at this time, RSA Security Executive Chairman and longtime industry expert Art Coviello comes out with a “state of the union”-type overview and performance summary. It’s always a cogent, thoughtful and realistic inside look at what’s going on in the business from the vendor community point of view.
Because vendors rely directly on what customers want, it’s also a good—albeit indirect—look at customer perspectives.
In his media advisory sent to eWEEK Dec. 2, Coviello compared the current security landscape to terms made famous by Charles Dickens: “As I reflect on the year that has passed and think forward to the year that is to come, Dickens’ timeless words come to mind, ‘It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of Light, it was the season of Darkness …’”
“Can you imagine a more apt description of the times in which we are living and the dichotomy between all of the technology innovation we enjoy and the oppressive cyber-threat under which we live?” Coviello asked.
The Best of Times: Benefits of IT Are Wondrous
There’s no question that mobile and cloud technologies continue to make our lives more efficient, more productive and generally better. “Mobile is rapidly catching up to PCs as the preferred means of interacting with the digital world—mobile Internet traffic is predicted to account for more than 30 percent of total Internet traffic by the end of the year, which represents a doubling of mobile traffic over the past 18 months. If you eliminate passive Internet traffic like streaming, mobile’s rising dominance is hard to dispute,” he said.
But as pervasive as mobile computing has become, “it is nothing in comparison to the cloud,” he said. “Upwards of 90 percent of organizations and 90 percent of Internet users are now relying on the cloud for easy, inexpensive, and ubiquitous access to storage and services. The Internet has evolved from being the connection to storage and services to being the location of storage and services.”
The Worst of Times: Intrusions Never Stop
Despite technology’s advances, however, the risk of our increasingly digital existence was brutally apparent during yet another “Year of the Breach,” Coviello said. Many retailers (such as Target, Home Depot, and Michael’s), financial services and health care organizations experienced damaging breaches in 2014, despite having in place what were considered strong security programs, he said.
“The fact that our pool of adversaries extends beyond criminals and hacktivists was further driven home by the growing sophistication and sheer number of nation-state cyber-attacks,” Coviello said. “For the first time, those dubious nation-state cyber activities began to create real-world diplomatic crises [such as the escalating tensions between the U.S. and China].”
In other public sector news in 2014, Coviello said, the U.S. National Institute of Standards and Technology’s work with industry resulted in the launch of the Cybersecurity Framework, which was a positive step forward in providing a common foundation for intelligently approaching today’s cyber-security challenges.
“But little other real progress was made by the world’s governments. The [Edward] Snowden revelations of 2013 continued to polarize the privacy debate and stymie the critical information-sharing legislation we need to collectively secure our companies, industry and economy,” Coviello said.
RSA President on Security in 2014: ‘Best of Times, Worst of Times’
Looking Ahead to 2015
So what does Coviello expect to take place in 2015? His thoughts:
—“Nation-state cyber-attacks will continue to evolve and accelerate, but the damage will be increasingly borne by the private sector. In 2014, nation states around the world increasingly pushed the boundaries of acceptable cyber assault to control their own populaces and spy on other nation states. With no one actively working on the development of acceptable norms of digital behavior—a digital Hague or Geneva Convention, if you will—we can expect this covert digital warfare to continue. Increasingly, however, companies in the private sector will be drawn into this war—either as the intended victim or as the unwitting pawn in an attack on other companies.”
—“The privacy debate will mature. We’re beginning to see a softening of the current polarized environment in the U.S. and Europe as people recognize that privacy is under attack from and being defended by a more varied and complex set of actors than the current debates would lead you to believe. It is increasingly recognized that privacy is not a monolithic concept and that it cannot survive apart from security. A more pragmatic, balanced debate about how to secure our privacy will ensue in 2015 and the prospects for responsible privacy policies and intelligence sharing legislation that would better protect our privacy may improve. One test of this prediction will be the outcome of the EU General Data Protection Regulation, which may reach a final form in 2015.”
—“Retail is an ongoing target, and personal health information is next. As a result of the numerous retail and financial services breaches in 2014, organizations who handle payment card data are strengthening their defenses and shortening the window of opportunity for cyber-criminals, making them a less lucrative target. Unfortunately, the retail sector is massive and worldwide and will continue to be a target-rich environment. In 2015, however, well-organized cyber-criminals will increasingly turn their attention to stealing another type of data that is not as well-secured, is very lucrative to monetize in the cyber-crime economy, and is largely held by organizations without the means to defend against sophisticated attacks: personal information held by health care providers. Unfortunately, we are likely to see another series of very public breaches before many providers improve their security to effectively deal with these threats.”
—On the Internet Identity of Things: “Despite the publicity that software and system vulnerabilities receive, they are becoming less lucrative for criminals than social engineering and other more easily executed ‘trust exploits.’ I saw a tweet this year along the lines of ‘Who needs zero days when you’ve got stupid.’ The increase of machine-to-human and machine-to-machine interaction will only exacerbate this situation. As such, the authentication and identity management and governance of who, and with the Internet of things (IoT), what is accessing our networks and data will be an increasingly critical element of security in 2015. Get ready for the botnet of things. When you consider this trend, the strong growth of IoT in the health care sector, and my PHI prediction, the ramifications are truly scary.”
Coviello said that he is not hopeful for a lot of change in the prospects for U.S. cyber-security legislation in 2015, despite a change in the leadership of the U.S. Senate.
“Though the subject is of critical importance for the future of all countries, it is complex and progress is difficult in the current geopolitical climate,” he said. “In the absence of comprehensive legislation, industry regulators will step in to fill the void, creating a patchwork of new, potentially incompatible compliance requirements.”
New Standards Must Be Pushed Through
Thus, new standards will become more important than ever—and those projects move at the speed of glaciers. Hackers do not.
With all of the above to consider, Coviello nonetheless said that he’s “cautiously optimistic about the prospects for collaboration and collective progress in the private sector, as companies and industries are recognizing that in the digital world, no one is an island.
“We’re more like an archipelago and we’re starting to build bridges. The recent growth of industry groups and Information Sharing and Analysis Centers (ISACs) is the proverbial rising tide that lifts all boats,” he said.
The next step is to go beyond information-sharing and band together—even across industries—to advocate for and lead the development of strong, global cyber policies, Coviello said.
“If we have learned anything over the past couple of years, it’s that if anyone is going to get us out of this mess, it’s going to have to be us. May we all continue to make progress together in building a trusted digital world in 2015,” he concluded.