Every few years I put together a talk about technology expected to develop or become prominent in the New Year. As I contemplated such a talk for 2015, my thoughts were stuck on cyber-security. While the 2014 Silicon Valley IPOs in storage and in health-care are astounding, my thoughts are still on the vast discrepancy between the sophistication of malware attacks and the woeful inadequacy of corporate defenses. Various estimates of cyber-theft losses run into the hundreds of billions of dollars. These losses are hard to quantify. Even a kiddie virus that “only” disrupts a local network can cost millions of dollars in repairs and lost revenue. How do you put a numerical value on opportunity cost, something the courts have never quantified? How does one value the careers of the Target CEO and CIO who lost their jobs? Imagine the settlement if these two people alone could sue the perpetrators of the November 2013 Target breach in US court!
It is disheartening to contemplate that both the November 2013 Target breach and the recent Sony breach were preceded by successful, but smaller, earlier breaches. They of course were also preceded by other breaches into other companies. Will 2015 be the year that people wake up? Yes and no.
Let’s first consider the retail industry. We’ve had breaches at Target, Home Depot, Neiman Marcus, Sally Beauty, Kmart, Dairy Queen, Michaels Stores, P.F. Chang’s, Heartland Payment Systems, Goodwill, Supervalu, Staples, Jimmy John’s, Bebe Stores, Sheplers (western wear), Chick-Fil-A, OneStopParking (Krebs claims the same attackers as Target’s), and probably many others in the retail industry that I haven’t studied. If this isn’t enough to motivate CEOs of retail companies, consider the very public breaches outside retail: Google (exposed Chinese Gmail accounts), Epsilon, Sony (PlayStation), Sony Entertainment (movies), US Dept of Veterans in 2009, Global Payments 2014, AOL, eBay, JPMorgan Chase, Adobe, United Parcel Service (UPS) Stores, Sands, etc.
No longer can the CEO of even a modestly large retail outlet assume it will be the “other guy” whose credit card database gets attacked. The board room topic of how much to increase the IT budget to address security will come up. The answer will be something like 10%. This is wrong for many reasons. What most IT departments need is a total cultural change: new people, new expertise, new software, new security products, new processes, and new influence that will affect the entire company. This doesn’t even count the pain that Microsoft is forcing companies to suffer by shutting down support for older Windows products, notably XP and Server 2003. My guess is that the correct board room answer should be 100-200% (and even higher in capital costs for things like chip and PIN support) and not a paltry increase such as 10%. If those triple-digit percentage increases are even floated, they will get shouted down as not affordable.
Affordability here isn’t a technology topic, it is a topic for the Harvard Business Review: Restructuring the Retail Industry. I’ve seen hints of this. Authors scratch the surface on topics like “Who pays for a breach?” and “How much should one spend on security?”, where they look at the probability and severity of a loss for a retail company and come up with some low recommendation. Bruce Schneier gave a couple of insightful talks in 2014 which I cynically interpret as saying “Look, for all the reasons that I’ve just explained to you, you’re going to get hacked, so put your money on incident response. Namely, invest in recovering from the inevitable attack.” Bruce’s company Co3 Systems sells incident response products and services. To be fair, Bruce doesn’t say not to invest in malware defense, but rather, don’t fail to invest in incident response.
My first 2015 predictions: Large retail companies will not restructure, but they will wrestle with this affordability problem. Security product and consulting companies will do very well as a result. Incident response companies should also do well. Malware defense products will improve; however, retail companies will continue to be hacked. The attacks will escalate and increase in sophistication. Damage will continue to rise. The recent Sony Entertainment attack shows that retail won’t be the only target (no pun intended).
OK, what really scares me? It isn’t retail! If we admonish retail and related companies for ignoring early warning signs of malware attacks, aren’t we blissfully ignorant of the warning signs for infrastructure attacks? We are. In fact, most of the cyber-security articles that I read also ignore this.
My second 2015 prediction: The United States will suffer a cyber-attack on some infrastructure site in 2015. The technology of Stuxnet and its predecessors and follow-ons Duqu, Flame, Gauss, Wiper, Mahdi, Shamoon, sKyWIper, Miniduke, Teamspy, etc. provides a roadmap for even the smallest nation-states to follow for such infrastructure attacks. In fact, if you take Ralph Langner’s excellent paper “Stuxnet’s Evil Twin” and substitute your favorite industrial mechanism for “centrifuge,” the result isn’t a bad outline for how such an attack would proceed. An actual attack, say on our electrical grid, would have to modify multiple SCADA systems and multiple flow control and transmission devices. Lots of code would need to be modified from the Stuxnet code, but a small nation-state could do it. (North Korea is reported to have 1800 skilled software engineers engaging in cyber-espionage. Such a large team and their contractors could do it.) Perhaps a smaller team of educated terrorists could carry out a more focused attack, say on a single industrial site.
We are not without early warnings beyond Stuxnet itself. SiliconANGLE’s May 2014 article on attempted Iranian and Syrian attacks on US energy firms is such a warning. Certainly the attacks on Iran’s and Saudi Arabia’s oil infrastructure are warnings. A GCN article on an attack on Iran is here. A CNET article on a Qatari LNG attack and a Saudi Aramco oil company attack is here. This CNET article outlines multiple variants of the malware potentially used in these attacks. The February 2014 RSA Conference had multiple, more technical, talks on this topic. I expect even more at the 2015 conferences in the US and in Asia Pacific & Japan.
What totally surprises and scares me is that the U.S. has not yet had a serious infrastructure cyber-attack, while Middle Eastern countries have had such attacks. Advancing past Stuxnet, the attack software is becoming more sophisticated and powerful. The U.S. is due…