It’s the end of the year and the 2017 predictions are flooding in. From the mundane to the mad, companies are falling over themselves to tell us what will happen in the coming year. Here at SecTor, we thought we’d take a different approach and look back to last year’s predictions. What were people saying twelve months ago, and did their forecasts pan out? Here are some notable 2016 predictions, along with a SecTor-style analysis.
Hackers did influence the election
Palo Alto Networks made one of the most forthright predictions last year, forecasting that a cyberattack will impact the 2016 presidential election. It called the prediction a long-shot, but as we now know, it came to pass. Hackers breached the Democratic Congressional Campaign Committee and the Democratic National Convention, stealing emails and leaking them to Wikileaks. US intelligence points to Russia as the culprit.
Five CEOs were not fired because of a data breach
DNC chief Debbie Wasserman Schulz resigned over that scandal, but her departure wasn’t enough to fulfil another prediction over at insider threat detection firm Veronis last year. The firm pointed to Target, Sony Pictures and the Office of Personnel Management as organizations that had lost their CEO or executive director thanks to cyber breaches, and said that this year, at least five more CEOs would go.
In fact, 2016 saw less attrition among senior execs in compromised firms. There were some cases. Austrian aerospace parts maker FACC fired CEO Walter Stephan after a whaling attack in which scammers impersonated him in hoax emails, asking employees to transfer money to an account. The firm lost €42m Euro through the compromise.
But many beleaguered CEOs stayed. UK firm TalkTalk was hit with a £400,000 fine after it lost customer details in a badly-managed breach, and its CEO stayed on (but donated her bonus to charity). Marissa Meyer is still at Yahoo, in spite of the firm losing over a billion user accounts to hackers during her tenure there.
Old technology did came back to haunt us
Forcepoint argued that ‘the ghosts of technologies past will come back to haunt us” as the cost and complexity of maintaining obsolete technology creates problems for defenders. That manifested itself in strange ways.
For example, it came out this year that America’s Strategic Automated Command and Control System – that’s the network used to control nuclear weapon launch orders – ran on seventies-era IBM floppies. Yikes. The General Accounting Office said in a report that legacy IT investment across the US government were becoming increasingly obsolete.
Some tech isn’t obsolete, but is so interdependent and so unprotected that it renders large parts of the web vulnerable. Remember Azer Koçulu?
Ad blocking didn’t stop malvertising
Trend Micro hoped that in addition to changing the Internet’s advertising-driven model, the rising use of ad blocking technology would deal a blow to malvertising, forcing criminals to seek other methods.
Malvertising is healthier than ever. We’ve seen some dastardly attacks, including hacks using DNSChanger that cause home routers to serve up ads from rogue DNS servers. Ad servers supporting adult web sites were hit, but users are far from safe even if they avoid such corners of the web. Answers.com was infected (and thus so were its users), Malvertising hit nearly 300 web sites in Holland earlier this year, Even Spotify’s ad-supported free service was pwned.
A consumer-grade smart device did contribute to a fatality
Sadly, one of Trend Micro’s predictions did come true. The company said that a consumer-grade smart device failure would prove lethal in 2016. In May, Joshua Brown died when his Model S, driving in autopilot mode, failed to distinguish between the sky and an 18-wheel semi. Tesla explained that the autopilot feature is not yet meant to be used as a fully autonomous driving mechanism and that drivers should still keep their hands on the wheel and their eyes on the road.
Extortion methods didn’t change
In 2016, Trend Micro highlighted the rise of ransomware. So far, so good – ransomware incidents grew in 2016. But it predicted that “cyber extortionists will devise new ways to target its victim’s psyche to make each attack ‘personal’ – either for an end user or an enterprise. Reputation is everything, and threats that can ruin an individual’s or a business’ reputation will prove to be effective and – more importantly – lucrative.”
Well no, not really. We didn’t see a flood of blackmail attacks on individuals in 2016, probably because existing means of extortion, in which large numbers of users are infected with ransomware, work so well. If an attack vector is still profitable, why would a cybercriminal move on?
The battle between quantum computing and cryptography did escalate
Unisys predicted that companies and governments would take investment in quantum computing up a notch in preparation for quantum computing. Quantum computers aren’t expected to hit the mainstream for some years yet, but that hasn’t stopped companies and governments alike from preparing.
China launched a satellite to test the distribution of quantum encryption keys, while Dutch telco KPN created a quantum-encrypted connection between two datacenters, joining BT, which installed one between two sites in 2014. The European Commission announced €1bn to support quantum computing research across the EU, and NIST issued a report urging firms to create quantum-resistant encryption algorithms.
We’ve written about the coming quantum computing revolution before, interviewing Michele Mosca, co-founder of the University of Waterloo’s Institute for Quantum Computing. Check out his talk at Sector 2016:
Insurance premiums did start to look unrealistic
Insurance featured among predictions from both Forcepoint and Forrester last year. The former said that insurance firms getting increasingly pounded by large claims from compromised firms would demand more evidence before approving policies. The latter predicted that $100m insurance policies would no longer be adequate.
We know that claims rose substantially in the last year, almost doubling in some cases, and premiums are going up. Insurance companies are still finding it hard to evaluate contracts, though, according to some reports, which suggest that an increasingly competitive industry is leading them to ask fewer questions, rather than more.
Are $100m policies failing to cut it? Forrester kindly graded its own prediction, pointing us to Yahoo, which was due $5bn in payments in its Verizon acquisition before revealing that it had lost 500m user accounts. This led Verizon to request $1bn off – and then, Yahoo revealed a hack twice as large. Verizon may now want a bigger discount.
The first proper cyberwar did begin
A few people, including DomainTools, predicted that 2016 would see the first openly-declared cyberwar. We’ve seen lots of covert operation in cyberspace apparently by nation states in the past, but there hasn’t been an outright declaration of war. US defense secretary Ashton Carter bucked that trend in April when he announced to the Senate that he had “given Cyber Command really its first wartime assignment,” to attack ISIL.
Predicting the future is difficult. Here’s what we can say with confidence about 2017: intruders will get smarter. The battle to secure our systems won’t get any easier. And SecTor will still dedicate itself to helping you fight it. Merry Christmas!