As 2012 draws to a close, it can be useful to look at how some events that shaped the past year might continue to shape the future. One standout over the past year was the number of ways information security and government crossed paths in the news.
In February, a group of hacktivists temporarily took down the CIA Website. The attack, one in a series for which the group took credit, was soon followed by an uploaded video from an alleged hacktivist group member on why the CIA should have been better prepared.
At a security conference in July, National Security Agency Director Gen. Keith Alexander told audience members that since 2009 there had been a 17-fold increase in the number of attempted cyber attacks on the country’s infrastructure systems. Alexander said that on a scale of 1 to 10, the United States sits at a 3 in terms of preparedness to handle a cyber attack. He said he was most concerned about disruptions to services provided by water treatment facilities and power plants.
Also in July, the “Black Monday” predicted for the day the FBI pulled the plug on the servers that had supported millions of users around the country infected by the DNS Changer malware turned out to be less drastic than many had predicted. After months of warnings, the FBI finally cut off the safety net that had allowed as many as 4 million virus-infected computers to continue to safely access the Internet over the first half of 2012. It was widely believed that various outreach efforts helped avert the all-out “Internet Doomsday” some had predicted.
August saw the defeat in the Senate of the Cybersecurity Act, a bill aimed at putting teeth into government involvement in information security to protect the nation’s critical infrastructure. The bill was an outgrowth of congressional committee meetings on cyber security held since the late 1990s. While giving the government more power over how information security information is shared, the act also would have given the public the right to sue the government if it intentionally or willfully violated the law. Some critics of the bill, including a number of legislators and business organizations, warned that creating another government bureaucracy would do more harm than good by saddling organizations with increased costs of doing business. Another commonly voiced criticism was that it was not clear just what incentives would be offered to private companies for compliance.
So what will the year ahead bring? Rather than dust off our crystal ball, we would be better served by looking at information security trends that ran through 2012 and will likely continue into 2013.
Malware will become increasingly sophisticated and will be a fixture on the information security scene for the foreseeable future. Hacktivism, a startling phenomenon to many in 2011, appears here to stay, as well.
As mobile, social media and BYOD use continues to pick up pace, so will interest by cybercriminals, who will continue to look for ways to exploit the sheer number of data sources and additional points of entry these trends make possible.
Regulatory-compliance-related information security activities will also continue to grow, with the expanded enforcement of HIPAA/HITECH standards and the increased attention on PCI DSS compliance. Vulnerability management programs are a critical component of compliance, yet few organizations have a plan in place to address this key aspect.
Yes, it does sound like more of the same for 2013. But hackers, social engineers, and identity thieves will continue to take advantage of these weaknesses until they are eliminated or at least substantially strengthened.