Nobody could predict some of the wildcards that 2020 threw us (I’m looking at you, murder hornets). Even still, we’re feeling hopeful that 2021 will bring better times, so we asked Bugcrowd’s Founder, Chairman, and CTO, Casey Ellis, to share some of his predictions for the new year’s security landscape.
Click on the infographic for a quick overview, and keep reading below for more detailed explanations.
Let’s dive a bit deeper into these predictions, shall we?
Ethical hackers will play a key role in securing and building confidence in future elections
In 2021 and beyond, all organizations with a stake in the voting process will collaborate with ethical hackers to ensure the integrity of voting systems and processes, therefore assuring the general public that the election process is as secure and trustworthy as possible. The reality is that security researchers can test voting systems just as an adversary would to uncover exploitable vulnerabilities, and then relay that feedback to the appropriate personnel for remediation on a prioritized basis.
Previously, voting equipment manufacturers looked down upon security researchers that would proactively test their equipment, but we saw major leaps this year as major providers like Election Systems & Software (ES&S) announced policies to work more closely with researchers to find bugs in their networks and websites, as well as support from the DHS and CISA to enable states like Ohio and Iowa to implement VDP as a state level.
What’s needed next is cooperation from the U.S. government, specifically with clarification around the Defending the Integrity of Voting Systems Act and the Computer Fraud and Abuse Act (CFAA). These laws currently serve as barriers for security researchers to do their jobs and test voting systems in good-faith, as ethical researchers fear being prosecuted for doing their jobs. Looking ahead, as government officials start to pay closer attention to cybersecurity, it’s possible we may see these laws revised for the betterment of our democracy.
Governments around the world will continue to adopt vulnerability disclosure as “a normal part of being on the Internet”
Governments are collectively realizing the scale and distributed nature of the threats they face in the cyber domain, as well as the league of good-faith hackers available to help them balance forces. When you’re faced with an army of adversaries, an army of allies makes a lot of sense.
Judging by the language used in the policies released in 2020, governments around the world (including the UK) are also leaning in to the benefit of transparency inherent to a well-run VDP to create confidence in their constituents (neighborhood watch for the internet). The added confidence, ease of explanation, and the fact that security research are “always on” and incidental discovery of security issues happen whether there is an invitation or not is making this an increasingly easy decision for governments to make.
More information can be found in the following resources: BOD 20-01, NIST 800-53, Australian ACSC Guidelines, and UK MOD VDP.
State-sponsored attackers will increase the use of false flag attacks in cyberwarfare efforts
A false flag attack is when an adversary attempts to make their attack appear to originate from another entity. This category of attack made major headlines when Russian attackers used this tactic against the 2018 Winter Olympic Games in Pyeongchang, South Korea, and attempted to make their intrusion look as if it were carried out by North Korean actors. Given the already severely strained relationship between North and South Korea, this is a good demonstration of the low cost and ease of misattribution – as well as the potentially devastating consequences.
Since then, there has not been a major attack that was discovered to be a false flag operation. But, there has been ample time for state-sponsored cyber groups to improve their tactics in order to successfully launch more advanced false flag campaigns. 2020 has also seen an increasing burden of proof around the effectiveness of cyber-enabled disinformation and misinformation as a tool in the hands of both foreign and domestic actors with a political goal.
Looking ahead, governments should expect state-sponsored attackers to launch false flag campaigns more frequently. As such, governments must consider information warfare and cyberwarfare to have merged in their execution and outcomes, and be very focused on clear and clean attribution when an attack takes place.
The life or death nature of ransomware in healthcare will force innovation in dealing with the ransomware epidemic
Historically, hospitals have been a lucrative target for ransomware attacks, as the need to access computer systems and patients’ protected health information (PHI) creates a sense of urgency that leads to victims likely paying their extortionists. However, this year showed that ransomware attacks can now have fatal implications, further driving the urgency to combat ransomware in the healthcare sector.
In September 2020, adversaries hit a German hospital with ransomware that led to a patient not being able to receive life-saving treatment and passing away, the first known death that was contributed to by a cyberattack. Looking ahead, it’s likely that other attackers will prioritize ransomware attacks on strained healthcare facilities’ critical life support systems as the urgency to save a patient’s life would put great pressure on any hospital to pay a ransom.
To prepare for potentially fatal ransomware campaigns, the healthcare sector needs to identify its critical systems and determine which are most business critical. Then, each healthcare organization can prioritize those critical systems for upgrades to ensure proper security for patient well-being.
As ransomware becomes more a question of “when it will happen” than “if it will happen”, legislators and the cybersecurity industry itself will be pressured to find ways to solve the ransomware problem without needing to reduce the choice to “pay or not pay”.