2017 has been a roller coaster year. Data breaches continued to get larger and more severe. Equifax exposed the personal details of up to 145m people, while leaving millions of citizens’ personal data unencrypted on cloud storage became a trend.
Things couldn’t get much worse from a security standpoint, but the new year is a time of optimism. We always hope that the next year will be better than the last, and 2018 is no different.
At SecTor 2017, we asked several experts what they wanted to see happen in cybersecurity in 2018. The responses were diverse and insightful.
Keynote speaker Bruce Schneier has two main hopes. The first is a more focused approach to securing the Internet of Things. As edge computing continues to grow, it has increasingly physical implications, affecting the world around us in more visible, tangible ways. This is something he talked about in his interview with the SecTor blog back in August.
Linked to this is his hope for cybersecurity practitioners to become more engaged in policy discussions. As tech becomes more pervasive, the policies society adopts to secure it become more important, and affect the environment in which cybersecurity pros operate. The prospect of regulating the IoT is just one example of how politics and cybersecurity are crossing paths.
A collaborative effort
That opinion ties in with SecTor co-founder Bruce Cowper’s. His biggest hope for cybersecurity in the coming year is that we think more holistically about it and its broader effects. It’s time to stop passing the buck and assuming that cybersecurity is someone else’s problem, he says. We all have a part to play. In that spirit, he calls for more cooperation between the private and public sectors, which can support each other in protecting our broader ecosystem from attack.
This holistic approach to cybersecurity extends to thinking more about outcomes for users and consumers, says Allison Miller, who was product manager for security and privacy at Google when she spoke to us at SecTor 2017.
Instead of thinking about this issue purely from an enterprise and government perspective, we should be empowering those at the sharp end. These are the people whose data is at risk, and who must watch for scams and phishing attacks whenever they interact online.
Creating tools and techniques to protect them, and bringing them security and privacy in an easier-to-understand way, has been a key focus for Miller. She talked about lowering the security poverty line with SecTor just before her keynote address at the conference in November.
Other experts had their own hopes and expectations for 2018. They ranged from an increased awareness of the problems and the new technologies that can help to solve them, through to an unexpected and amusing insight from Toni Gidwani, director of research operations at ThreatConnect. We’ll let you play the video to hear that one.
What else might we expect from 2018? Maybe we will at last crack the identity problem.
We have been getting better at authentication in the last few years. Fewer organizations are relying solely on passwords, as multi-factor authentication becomes easier to implement. We could still use some work on defining and controlling digital identity itself, though.
Right now, most of us use separate accounts to sign into a constellation of different services. These systems and organizations understand who we are from their own perspectives, but the often sensitive credentials that constitute our identities are still in their hands, on their servers.
Consumers use their Google and Facebook IDs to access multiple services more easily, but that doesn’t really solve the problem. We are talking about putting our identities and credentials back in our individual control, enabling us to present different credentials to different institutions, on our terms, revoking that information as we see fit.
Some systems using identity service providers already exist, and there have been some blockchain-based initiatives to solve the problem, but the whole identity management problem still needs work and widespread adoption.
When will we know we’ve solved it? When you can easily use multi-factor authentication to identify yourself to your employer, your social media network, your gym, your bank, your telco provider, your government and whichever online store you’re using, through the communications channel of your choosing. When you can prove your age at your local liquor store and your right to board at the airport without having to offer any other sensitive information about yourself. On second thought, perhaps we should table that wish for 2028.
Learning from past mistakes
What else? Perhaps as in every other sphere, our biggest hope for the coming year is the same as for every year before it: that we learn from our past mistakes and make some progress in fixing them. When people hope for peace, prosperity and safety for all, that’s really what they’re wishing for, because if it wasn’t for our past mistakes, everyone would have those things already.
The same is true in cybersecurity. For 2018, we hope that more companies take the risk of cyber attack more seriously and make it a governance issue. We hope that they understand and execute basic cybersecurity hygiene. We hope that fewer organizations make rookie mistakes leading to massive data breaches.
If that happens in the next 12 months, then we’ll have made real progress. Here’s wishing everyone a happy and secure 2018.