Some Cybersecurity Predictions: 2019
So, 2018 has come to a close and now it’s time for all the Cybersecurity experts (like Rudy Giuliani) to share their predictions for the coming year. Not to be outdone, I am sharing mine as well but I have two categories of predictions.
The first is the “No Brainer” in which you’ll find the predictions a blind squirrel could make and be right 100% of the time. The second category is the “On A Limb” branch, where you will find predictions with which almost no one else in the community would publicly agree.
So, first – here’s the no-brainers:
We will see more reported breaches than we saw last year, while the value of the stolen data will be higher than ever.
Financial Services, Legal and Healthcare will lead the breach parade.
GDPR will get very real and assess much higher and many more penalties and fines than last year.
More U.S. states will pass and implement GDPR/NYDFS-look-alike cybersecurity legislation, yet they will provide an inordinate amount of time for businesses to come into compliance.
Undetectable lurking e-mail system spear-phishers will become the norm, increasing the difficulty to depend on trusted relationships, which will in turn critically impact global financial transactions.
Facebook will continue to abuse data privacy laws and fully embrace its role as the most evil social media platform ever, while continuing on its downward spiral toward its final cessation as a business by 2020.
Citizen surveillance in the U.S. will increase dramatically providing Facebook some temporary cover.
Google will avoid social prosecution for similar crimes because, well, we can’t live without it, can we?
We will spend more money here in the U.S. and globally than ever before on cybersecurity defense.
Windows 10 may finally become “secure” as the result of the long-awaited ATP causing enterprises to make a MS decision over RedHat.
Our electrical, transportation, water, or communication infrastructure will experience several probative cyber-attacks.
Researchers will continue to demonstrate that autonomous vehicles can be hacked and explain how operational control can be taken over by attackers.
Autonomous vehicle development will continue, but at a faster pace than last year.
Experts will warn about the risks inherent in our IoT fabric and publish details about specific threats to the industrial manufacturing and energy sectors.
The industrial manufacturing and energy sectors will continue to ignore the warnings.
The RSA Cybersecurity conference will set records in attendance, exhibitors, speakers and keynotes.
Rudy Giuliani will tell us again that he “is this close” to solving the cybersecurity problem.
The U.S. will still not appoint a Cybersecurity Czar.
Congress will continue to misunderstand even the simplest technological issues and legislation will continue to ignore cybersecurity as a National Security Threat.
There will be more cybersecurity technology solutions based in AI and ML than ever before and each one will be the end-all for protecting information assets against cyber-threats.
Voter fraud will continue, and we will not replace our voting system infrastructure.
The economic gap between attacker and defender will widen as exploit kits and hacking-services become more readily available and even cheaper on the dark-web, while companies will spend more on cyber-defense than last year.
The educational dynamic will be underscored as Iran, North Korea, Russia, and China continue to invest in cybersecurity education and training at the high school level while cybersecurity programs in the U.S. University system crawl along at a snail’s pace.
The information chasm will become broader as global attackers become more sophisticated at masquerading their origins while U.S. government agencies continue to hoard intelligence that would make businesses less vulnerable to attack.
The technology differential will continue to widen as the U.S. falls further behind China in the development of Quantum computing and Applied Artificial Intelligence.
The cybersecurity “skills gap” will continue to increase and will continue to be used as excuse number one (right ahead of budget) when breaches occur.
The job descriptions for cybersecurity professionals will continue to exceed anyone’s ability to satisfy the requirements, contributing to the expansion of the “skills gap”.
In spite of toothy regulatory requirements, company boards will continue to ignore their personal and professional liability as well as their fiduciary responsibilities to understand what’s going on from a cybersecurity point of view inside their businesses.
Only the very best CISOs will invest in the necessary communication education and training to prepare them for effective presentations to non-technical audiences, like their corporate boards of directors.
A greater percentage of businesses will fail to implement consistent and repetitive cybersecurity education and awareness training for their employees.
Human error will lead the list of causation for cybersecurity attacks.
The SIEM/SOC market will grow at less than 5% and the vast majority of small and medium sized businesses who are now the most vulnerable to cyber-attacks will implement neither a SIEM nor a SOC in 2019.
Open-source will increasingly expand as an attack target for bad-guys looking to penetrate the software supply-chain as well as legacy applications, causing appsec to finally develop as a “thing”.
Machine Learning will become embedded in SOC tools and finally be available for useful threat hunting, but with a slow growth SOC market, we will be no closer to effective threat hunting than we were last year.
Cryptojacking will replace Ransomware as the hottest attack vector.
Data manipulation will replace data privacy as the leading threat category that concerns most consumers as we will begin to see the results of historic account manipulation at commercial banks and the increased distrust of traditional banking institutions that follows.
Now, let’s go out on that limb.
There will be an increase in cyberattacks on ultra-vulnerable home networks and IoT devices targeting sensitive data in transit which will lead to the largest theft of personal credit card and banking information in history.
The impact of the (alleged) supply chain attack by U.S. agents of the Chinese government (Supermicro) will continue to expand as new revelations are discovered and hard evidence surfaces of the intentional seeding of modifications into the core processors of almost every U.S. computer and server in use at the U.S. Federal government operational level.
U.S. businesses will continue to ignore third-party, supply-chain and basic cybersecurity hygiene threats resulting in a historic level of preventable cybersecurity attacks and corporate data breaches.
Continued “trade negotiations” with China will result in an unattributable demonstration of China’s technological superiority through a minor but serious attack on one of our critical infrastructure sectors.
Russia and Iran will join in separate demonstrations and the U.S. response will result in massive global destabilization and a recessionary and rapid decline of global financial markets amplified by algorithmic trading.
International equity markets will not re-open for historically significant extended periods.
Twice as many of the biggest and most trusted brands will fall victim to cyber-attacks in 2019 increasing the number of - Amazon and Facebook (and Facebook, and Facebook, and Facebook), Macy’s and Kmart, Delta Airlines and Cathay Pacific, Adidas and Under-Armour - celebrity casualties of 2018 to 16 brands next year.
An attack on our commercial air transportation system will expose the coordination vulnerabilities in our current resiliency planning. This cyber-attack will target pilot flight planning software or baggage handling systems and prevent the resumption of normal airport operations resulting in a week’s long disruption of commercial jet travel internationally.
The expanding 5G network will increase the threat landscape in 2019 by providing the ability to back-up and transmit massive volumes of data easily to cloud-based storage, presenting attackers with rich new targets.
I could go on, but this is depressing enough.
Maybe I’m wrong. There is always a chance that business, government and infrastructure providers will accept the reality that data breaches and cyber-attacks are both probable and expensive and that we aren’t doing a very good job of preventing them, detecting them or protecting our assets against them.
There is always that chance.
Then there is always a chance that once having accepted the reality, they will do something rational toward addressing the problem.
There is always that chance as well.
Regardless, let’s all go out and have a great and happy 2019 anyway. I mean, what the hell, right?
Experienced and accomplished Cyber & Information Security Consultant, trainer, fractional CISO and business owner.
5yNice article, if, as you say, a little depressing! Nothing in there that seems unreasonable in terms of prediction IMHO.