Next year’s threat landscape
2017 is near its end, which means it’s time to take stock of the shambolic incidents, and the wins, of the past 12 months, and throw them together in a cauldron to create a mist through which to activate a crystal ball and work out if we can do any better next year by anticipating the threats, risks and actors on the stage. Given this is ostensibly a CyberSec blog, I’ll throw my hat in and use my amazing technomantic gifts as well. All predictions subject to varying change, use for entertainment purposes only and all other legal disclaimers apply. No flies on me.
I would also like to point out that some of the following you will probably have seen elsewhere, as, rather unsurprisingly, the Monsters Under Next Year’s Bed tend to be the same ones that scare every tech-head. So no, it’s not plagiarism when everyone does it. Plus, these are some pretty scary monsters, so I’m expecting a fair few new analyst and consultant jobs for all CyberSec fields to appear in Q1 2018, particularly within law enforcement and intelligence, threat intelligence firms, and digital forensics companies.
Welcome to part four: the hangover.
Transport and Infrastructure
SCADA. Maritime InfoSec. (Semi)Autonomous vehicles. We know they can be hacked (remember Stuxnet?), and that should scare us. Lots. SCADA and other infrastructure technologies are a great plot for films: bad guy hacker/terrorist wants to set off a nuke without having to build one/smuggle one into the country, so he hacks the nuclear power plant and tries to blow that up. Unfortunately, Stuxnet showed us that certain nation-state actors have the capability to do just that. Which means it’s possible, which means Murphy’s Law.
Transport is just as vulnerable. Hackers might have given us some damn cool slogans to shout (Hack the Planet!), but the idea of hacking oil tankers? Surely that’s just daft? Given that up to 90% of global trade is only possible through shipping, I’d certainly suggest it’s worth giving it some thought. Technology has embedded itself heavily in the maritime tradition, with location, routes, communications and weather alerts all coming through satellites. Is it really that unthinkable that a little tinkering couldn’t put cargo and crew at risk?
As for road vehicles, we’ve known for a while that the progression with autonomous systems has been coming and is vulnerable. This isn’t going to slow it down any, and presents some very real issues: hijacking a car to kidnap someone is one, stealing a truck with nuclear or chemical materials is another. Secure software is only one part of this conundrum, as we need to lock down the communications also. If you are not convinced, then Vault 7 should convince you.
So, Crime-as-a-Service, Internet of Things, GDPR, Supply Chain, AI, Transport and Infrastructure. Those are my Big Things we need to lock down over the next 12 months, before they rear their ugly heads and bite us on the backside. I could always be wrong, in which case I’ll try rebooting CrystalBallLCD.exe, but even if I am, I don’t think this list if off by much. I wish I could give you good news, like your users will actually listen to you and follow the clear-cut policies you’ve written. But, we know better than that. That’s pretty much it from me for this year, and I’ll see you in 2018, beginning with review of 2017. This will be fun.
Happy New Year!