December 30, 2012 By Dan Lohrmann
Over the past week, I’ve been surfing the Net looking for the top blogs and articles that both recap online security trends from the past year as well as offer new cybersecurity predictions for the coming year. Here’s a summary of what I’ve seen that’s memorable so far:
Imperva Trends 2013 – “These trends include hackers adopting malware techniques from "state sponsored" attacks, hackers leveraging cloud infrastructure to conduct attacks and hackers targeting less-protected SMBs; underscoring the need for greater security community collaboration.”
Websense – “A top threat projection is that mobile devices will be the new target for cross-platform threats, facilitated by Web-based cross platform exploits. Attacks will also continue to increasingly use social engineering lures to capture user credentials on mobile devices.
…Cybercriminals will use bypass methods to avoid traditional sandbox detection. As more organizations are utilizing virtual machine defenses to test for malware and threats, attackers are taking new steps to avoid detection by recognizing virtual machine environments.”
McAfee – “…The first area of focus for the report is the emergence and growth of mobile malware. McAfee predicts an increase in ransomware…. It also predicts a new mobile worm will go on a ‘shopping spree,’ as criminals add the app-buying functions of the Android/Marketpay.A Trojan to a mobile worm…, a decline in the influence of the Anonymous hacktivist group…, an increase in both “crimeware” and “hacking as a service,” an increase in large-scale attacks….”
Symantec –
- “Cyber conflict becomes the norm - In 2013 and beyond, conflicts between nations, organizations, and individuals will play a key role in the cyber world….
- Ransomware is the new scareware - As fake antivirus begins to fade as a criminal enterprise, a new and harsher model will continue to emerge. Enter ransomware….
- Madware adds to the insanity - Mobile adware, or “madware,” is a nuisance that disrupts the user experience and can potentially expose location details, contact information, and device identifiers to cybercriminals….
- Monetization of social networks introduces new dangers - …Symantec anticipates an increase in malware attacks that steal payment credentials in social networks and trick users into providing payment details, and other personal and potentially valuable information, to fake social networks…
- As users shift to mobile and cloud, so will attackers - Attackers will go where users go, and this continues to be to mobile devices and the cloud….”
Trend Micro – Check out their prediction video on YouTube: http://www.youtube.com/watch?v=yupELaC4Plg
Kaspersky made the following predictions last year:
- Hacktivist groups, who attack computer systems for political or social reasons, would continue to increase their activities
- A higher rate of "advanced persistent threat" attacks, or state-sponsored espionage efforts
- More incidents of cyberwarfare involving customized, state-sponsored malware
- Attacks on software and game developers such as Adobe, Microsoft, Oracle and Sony
- More aggressive actions from law-enforcement agencies against cybercriminals
- An increasing rate in the growth of threats to the Android mobile platform
- Successful attacks on Apple's Mac OS X computer platform
Overall, I’d say Kaspersky Labs did fairly well in their 2012 predictions. Here’s what they think is coming up in the new year:
“As for 2013, ‘we expect the next year to be packed with high-profile attacks on consumers, businesses and governments alike, and to see the first signs of notable attacks against the critical industrial infrastructure,’ Raiu said in a company press release. ‘The most notable trends of 2013 will be new examples of cyberwarfare operations, increasing targeted attacks on businesses and new, sophisticated mobile threats.’”
Here’s a Brief Summary of Technorati.com Top 5 Predictions –
- More mobile malware than ever before, targeting mostly Android devices. [Android leadership] should continue through 2013, with Google estimating that there are over 1 million new devices, be they smartphones or tablets, activated daily.
- More aggressive mobile adware invading user privacy. …Your information (including email, device ID, location, browsing habits and even phone number) is what's being exchanged for that flashlight, calculator, or nifty new game instead. This trend will… raise the conversation about privacy to new levels.
- Online fraud will remain rampant in 2013. …Ransomware is set to skyrocket. Ransomware, which combines malicious code with human panic, basically holds systems hostage by restricting access and demanding a ransom be paid to remove the restrictions….
- Mobile & online shopping will continue to rise, but not without increased risk. …Relying on built-in security measures alone won't protect most consumers, which is why having a mobile security product will become even more important than ever over the next 12 months.
- More advanced persistent threats (APTs) will be discovered. …The expectation is that we will hear more about APTs in 2013, either new ones or strains of already known ones.
What was probably the most surprising blog? CIO Magazine blogger Constantine von Hoffman offered his list of 2013 cybersecurity predictions, which he described as distilling “all the painfully-obvious and self-serving 2013 cybersecurity-threat-prediction lists on the Web into a single tasty nugget.” Respectfully, I think he fell into his own trap. While he offers a good list, I certainly would not make it the only list you need to review. His top ten threats facing us for 2013 are worth reading. Here are the first five of his ten threats listed:
- “The Cloud – Lots of vulnerabilities out there.
- BYOD/Mobile malware – It’s a problem dealing with all these devices.
- Opportunistic Attacks/Social Engineering – Someone is going to try to get malware on your systems using targeted attacks.
- DDoS Attacks – You might be the target.
- Big Data – Again, lots of vulnerabilities.”
And finally, Maria Deutscher offers these comments from John Casaretto on noteworthy cybersecurity events in 2012:
“Casaretto … mentions the $60,000 prize that Google recently awarded a hacker for discovering a Chrome exploit. His take is that this approach to crowdsourcing can prove to be a very valuable strategy in increasingly complex technological environments where a problem may be discovered eventually, but not before hackers use it to their advantage.
The second big topic Casaretto chooses to focus on is the Megaupload shutdown, in context of Kim Dotcom’s upcoming venture. The internet entrepreneur plans to launch a new file sharing site in 2013 that, based on early descriptions, will be rather accommodative of illegal content uploads. Authorities will have to bypass many legal and technological barriers to take down the provocative new service, but not before tackling all the existing issues.”
My Predictions –
Last year, I took a stab at a few predictions over at CSO Magazine – with specific trends regarding Privacy, Piracy and Parental Controls. I think I was fairly accurate, if not very bold. The major social media sites, websites and mobile apps assume that you want to share your personal information widely as the default.
In state and local governments, we saw several of the nation’s largest breaches land in our corner for the first time. Sadly, I suspect that we will see more of that to come.
Moving forward, I don’t know how I can disagree with any of the major vendor predictions – except to say that the big new prediction that I see all over the place seems to be the coming rise of ransomware (see above). The other predictions about the rise of mobile malware and cloud computing threats are fairly obvious trends that have been building over the years.
What’s missing regarding predictions? No one seems ready to say that this will be the “Year of the Big One,” in which we see a “Cyber 9/11” or a “Cyber Pearl Harbor” that disrupts infrastructure in some major way. Yes, many groups are calling for more major company breaches, but that is really a given. I’m not ready to make that prediction either. However, I do think it will happen within 3-5 years. That event will bring about major changes in the way we secure our data, our corporate and personally-owned technology, as well as our critical infrastructure in America.
The bottom line for 2013 is that the bad guys will follow the crowds, and the crowds are going to cloud computing, smartphones and tablet PCs. Get ready...
Happy New Year everyone!
December 16, 2012 By Dan Lohrmann
Our nation has developed a fairly long list of doctrines that have historically provided statements of what we believe and the principles by which we’re going to base our future actions. Two examples that come to mind are the Monroe Doctrine and the Reagan Doctrine, but there have been many others. In addition, military doctrine has long provided a guide to national defense actions.
Do we need such a national doctrine on cybersecurity? If so, what needs to be included? How will the rest of the world view this doctrine? Can a cyberdoctrine help guide our actions?
Earlier this week, I was contacted by Sarah Rich from Government Technology Magazine and asked to comment on recent efforts to develop a national doctrine on cybersecurity. Sarah wrote this article entitled: Should the U.S. Develop a National Cyberdoctrine? Here’s an excerpt:
“Earlier this month, the Potomac Institute Press released a new book #CyberDoc: No Borders – No Boundaries, which addresses the rising concern of cyber-related disasters and the growing need for such a doctrine.
‘The book is a call to action,’ said Tim Sample, vice president and sector manager of special programs at Battelle and co-editor of #CyberDoc.”
I won’t reiterate my comments to Sarah here, except to emphasize that I support the overall call to action in the book for a national discussion on key cyber issues. Nevertheless, I also think that getting a meaningful national consensus on the answers to key questions will be very difficult. (See Sarah’s article for some of the key questions, beginning with ten that are foundational.)
But I am highlighting this topic again for another reason. I urge readers of my cybersecurity blog to take 15-20 minutes and ponder the transcript of the Potomac Institute for Policy Studies event on cybersecurity held in early December.
This transcript for the event covers many excellent topics of discussion and provides a wealth of information regarding why a doctrine for dealing with cybersecurity is important. It also discusses many relevant topics that should guide our thinking on dealing with the new cyber environment moving forward.
Here is a brief sample of intriguing statements from the panel discussion:
- “…Nobody thinks that the government can provide cybersecurity. We don't want to turn it over to the government; it doesn't do that well. We must recognize that cybersecurity costs money and that somebody has to do it.
- I think one of the things that came out of the conference is that there clearly needs to be someone in charge.
- Somewhere along the line in the last four or five, six, seven years, this thing has changed from essentially "isn't this cute," to "gosh, this is useful," to a public utility. And the question becomes, how does a government deal with that?
- So what do you need to know? Well, you need to know what are you trying to deter. You need to know who are you trying to deter. And you need to know how.
- If somebody attacks you and you notice that and people die and buildings come crashing down, it's a pretty obvious thing. But what if they don't attack you? What if all they do is put in place the ability inside all your infrastructure to take it down if they wanted to at some point in the future? It's all benign, nothing's happening, nothing's being taken down; it's just sitting there.”
I also found this article written by well-known cybersecurity policy expert and author Dan Verton to be very helpful. Here’s an excerpt from that piece:
“President Barack Obama’s signing last month of Presidential Policy Directive 20 (PPD 20), a classified directive that establishes guidelines by which the federal government can operate beyond the confines of federal networks to respond to serious cyber attacks, may have finally laid the foundation upon which a national doctrine governing cybersecurity can be built….
“The issue here is that the status quo is no longer acceptable,” said Rear Admiral Jamie Barnett (USNR-Ret.). “We’re no longer going to simply defend the networks and continue to take the attacks and intrusions. We’re not going to be in a corner with our boxing gloves over our face. We’re going out and we’re going to swing at people who are attacking us.”
One more thing on this topic: there are several additional classic questions that are particularly useful when setting forth a doctrine. These were sent to me by Andris Ozols, who is an excellent researcher and adviser on our Michigan CIO’s staff.
- What is it that we don’t know (regarding cybersecurity)? This question is not a logical impossibility, but an ongoing open inquiry.
- What happens if we under- or overreact (to cyberattacks)? There are risks in both – how do we choose?
- What is plan B, C and so on? No plan in effect is a plan, but can it ever be a good plan? Perhaps better than some plans.
All of this is thought-provoking stuff that makes for important dialogue as we consider the future direction of cybersecurity in America and around the world. I agree with the sentiment that we can’t keep doing the same things and expect different results. We all know that we need to be taking new actions to protect critical infrastructure as a nation, as states, as local governments and as private companies.
Now if we can just agree on the right questions (and the same answers.) Perhaps an open process of building a cybersecurity doctrine can help.
What are your thoughts?
December 2, 2012 By Dan Lohrmann
What were the top government data breaches in the USA in 2012 (so far)? It appears that this year will be remembered more for state and local breach headlines than for federal government breaches.
I’m starting off this blog with highlights from one of those “scary headline” articles that government technology leaders want their organizations to avoid. And yet, there is an ominous sense across the nation right now amongst security professionals. Most Chief Information Security Officers (CISOs) understand that there are more breaches to come in 2013. To some extent, the sentiment is: “I could be next.”
A shout-out goes to Rock Rakowski, one of our Michigan cybersecurity managers, who sent me an excellent article which addressed this question and even listed ‘lessons learned’ from each breach. The article was written by Ericka Chickowski for Dark Reading. Here are the abbreviated first five on the list, but I urge you to read her entire piece, including the recommendations:
1) South Carolina – 3.3 million unencrypted bank account numbers and 3.8 million tax returns...
2) California Department of Social Services - Sensitive payroll information about approximately 700,000 individuals…
3) Utah Department of Health - The health information and PII of more than 780,000 Utah citizens...
4) California Department of Child Support Services - lost more than 800,000 sensitive health and financial records…
5) United States Bureau of Justice Statistics - Anonymous embarrassed the United States Bureau of Justice Statistics (BJS) when it leaked 1.7 GB of sensitive data…
More sobering news came from “across the pond” back in August, with the announcement that United Kingdom (UK) data breaches are up 1000% in five years. Here’s an excerpt:
“According to the data, local government data breaches have increased by 1609%, with the next largest increases coming from other public sector organizations (1380%) and the private sector (1159%). Data breaches in the NHS have increased by 935%, and central government breaches are up by 132%. The average increase across all eight recorded sectors since 2007 is 1014%.”
Not to be left out, private sector breaches in America are equally daunting. Fishnet Security initially reported the following expectations at the beginning of 2012:
“Data Breaches Expected to Rise - The majority of respondents (97%) stated that the number of data breaches will increase; only 3 percent stated that the number of breaches would decrease.
Top Three Threat Sources - Executives and security practitioners believe that the top three computing sources that present the greatest threats to information security today are Mobile Computing (35%), Social Networks (27%) and Cloud Computing Platforms (18%).
Cloud Computing Moving Up the Risk Ladder - While 31 percent of respondents believe Mobile Computing will remain the top threat area for the next two years, 28 percent believe that over this same two-year period Cloud Computing will replace Social Networks as the second-riskiest computing environment.
Mobile Computing is a Growing Concern in Data Breaches - Nearly a third of respondents (30%) expect Mobile Computing to increase the most among all data breach sources this year. Organized Cybercriminal Hackers (25%) came in second, while Accidental Exposure of Data (19%) came in third.”
So What Other USA Breaches Have We Seen This Year?
This Network World slide show listed the top breaches through June 2012, counting 13.73 million records exposed across 189 major breaches. Government breaches are mentioned, but the top two breaches named were:
1) “New York State Electric & Gas Co. - Number of records exposed: 1.8 million files that contained customer Social Security numbers, dates of birth and bank account number, due to unauthorized access by a contractor.
2) Global Payments, Inc. - Atlanta, Ga. - No. of records exposed: 1.5 million payment-card numbers, plus in June the company disclosed its investigation is also turning up potentially hacked servers with names of merchant applicants.”
A Plot Against the Internet?
One story that does seem to be getting quite a bit of year-end attention is what Politico calls “The plot against the Internet.” No, this is not some new malware or distributed denial of service (DDOS) attack, but a possible change of Internet governance. Here’s an interesting excerpt:
“The hype is a perfect storm for Matt Drudge: The U.N. will take over the Internet — unless you act fast…. What’s more likely — almost certain to happen, really — is that the World Conference on International Telecommunications will fail to change much of anything about the way the Web works or who cashes in during the two weeks of meetings that start Monday in this Middle Eastern enclave....
Conservative commentators have taken up the case. Wall Street Journal columnist Gordon Crovitz this week wrote a piece with the headline ‘The U.N.'s Internet Sneak Attack,’ arguing that ‘having the Internet rewired by bureaucrats would be like handing a Stradivarius to a gorilla….’”
Meanwhile, Google also posted a message on their front search page about supporting a free and open Internet with a link to this page, which discusses options for getting involved. Their page headline is "a free and open world depends on a free and open web."
In conclusion, 2012 (minus December) has already been one of the top years for data breaches, and certainly the most significant year for government data breaches at the state and local level. The breach trends do not look good going into 2013.
Of course, the presidential election news in 2012 and the current fiscal cliff headlines continue to move cybersecurity stories and breach headlines into a lower priority category for citizen engagement. True, these breach stories get some front-page attention, but the news-talk radio focus is simply not there yet.
However, I believe that sooner or later these issues will be seen as a national crisis that needs to be addressed with an additional level of focus. The country is also ready for a change in the way we communicate credit card, social security, health records and other sensitive information. Passing this data around openly on plastic cards, over telephones and in unencrypted emails is simply too 20th century.
We’ll get there, but we just need to work through our “hot” topics one at a time.
What are your thoughts on the data breaches we’ve seen in 2012? Where are we headed in 2013?
Building effective virtual government requires new ideas and hard work. Security professionals need to be enablers of innovation. From helpful Internet training to defending cloud computing architectures to securing mobile devices, Dan Lohrmann will cover what's hot and what's not in protecting your corner of cyberspace.