Most years I write predictions for the new year. I’m not better at it than anybody else. So in this post, I thought I’d do something else: criticize the predictions made by others. This post is in response to a specific set of “predictions” I saw go by on Twitter from a self-labeled “cybersecurity thought leader” (to remain nameless — it’s not important enough to single out).
Critical infrastructure
No.
Digital Pearl Harbor and Cyber 9/11 attacks against critical infrastructure have been predicted as being just around the corner for decades. They haven’t really appeared. Those predicting these things have just been fear-mongering to promote their agendas.
Individual events do happen. Russia did disrupt Ukraine’s electrical grid a few years ago. Ransomware did disrupt an oil/gas pipeline in the U.S. last year. But these are just occasional blips and not part of any trend.
But what’s really notable is the absence of critical-infrastructure cyber-attacks in the war in Ukraine. Russia is targeting Ukrainian infrastructure with missiles and bombs, not hacking. Everybody who predicted Russian hackers attacking Ukrainian infrastructure needs to answer for why it’s not happening.
The reason is that most hacks are opportunistic whereas missiles are deterministic. Hackers rarely choose a target then the techniques needed to hack it. Instead, they choose a technique first then go looking for targets that might be vulnerable.
This means that Russian generals can ask their hackers to go disrupt things in Ukraine, in general, while still being unable to target some specific thing they want to attack for political or military reasons. For over a decade, Ukraine has been the victim of such cyber-attacks, random rather than focused.
If you want to target critical infrastructure to achieve a specific goal, the easiest way is bombs or missiles. I say this as a hacker with a bunch of experience attacking power grids. If you asked me to black out a country, I’d do it with kinetic weapons rather than cyber.
Critical infrastructure continues to have worrisome vulnerabilities. It’s wild the sorts of things we find — opportunistically. We should address these problems. Occasional incidents will happen because of these problems. But still, there’s not much to fear from directed cyberattacks against critical infrastructures — bombs are more a threat.
Space war!
No.
At the start of their invasion, Russia did disrupt satellite Internet in Ukraine. Thought leaders fell over themselves declaring this was just the beginning of cyberwar in space, the beginning of hackers attacking satellites.
This is a misreading of the situation.
What really happened is that Russian hackers attacked the ViaSat satellite modems, located on the ground. It was a ground attack, not a space attack. Yes, the effect of hacking ground equipment was disrupting a satellite service, but none of the satellites or their signals were affected.
Hacks against satellites have been a thing for well over a decade. Most years there is some presentation on satellite hacking at random cybersecurity conferences. Lots of minor stories hit the news. There’s no particular trend here.
There is a trend in exploiting space. Companies like OneWeb and Starlink are launching low-earth-orbit Internet satellites that completely change how satellite Internet works, which used to be defined by high-orbit geostationary satellites. Hackers will want to target these things. Already, it sounds like Russia is trying to make missiles that home in on the radio frequencies Starlink uses.
But the trend here is the rise in exploitation of space, not a rise in hackers going after space. People putting new things into space certainly have cause to worry that those new things will get targeted by hackers. But this doesn’t spill over to old satellites.
Industry and Government Collaboration
No.
There is certainly a rise in regulation, the idea that non-technical people need to tell technical people how to secure things. But it’s silly to call it “collaboration”.
There is a prejudice that cybersecurity problems come from moral weakness, sloth, greed, hubris, villainy, and so on. Thus anybody can have an opinion about cybersecurity: those responsible just need to take it more seriously. Anybody can become a “thought leader” in cybersecurity simply by finding creative ways to tell people to “safen up!”.
A good example is the World Economic Forum (WEF), a.k.a. “Davos” (named after their annual meeting in Switzerland). It pretends to be a forum for the rich and powerful, so CEOs and government ministers attend their symposiums to avoid missing out, but it’s largely a know-nothing, do-nothing organization. They’ve been applying this strategy for the last few years to cybersecurity. Their content is full of platitudes (like this document) that know-nothing business/government leaders will agree with, but which have no meaning.
Another example is CISA, the U.S. Cybersecurity and Infrastructure Security Agency. They’ve done some good work lately with the most backwards of organizations, but at the same time, they are hapless when dealing with emerging cyber threats like ransomware. Their advice is still lame perimeter security (like strong passwords, patching, phishing education) that hasn’t worked for 20 years. Ransomware works precisely because organizations focus too much of their effort on the things that CISA tells you to focus on. Again, the framing is moral weakness and platitudes. They think the lack of patches is because organizations are lazy, and that if they just tell people to “safen up” and take patching seriously they can stop breaches at the perimeter.
But “thought leaders” love WEF and CISA. These are exactly the sort of platitudes they can spout themselves to demonstrate their thought leadership, showing that they agree with such exalted agencies.
For the technical, WEF and CISA provide no value. The true leaders are cybersecurity companies, or better yet, leading tech companies for whom cybersecurity is a necessary part of doing business. Instead of reading WEF and CISA reports, you want to read reports from Akamai, Rapid7, Verizon, Apple, CloudFlare, and so on — companies in the thick of it, not non-technical outsiders.
Machine Learning and AI
No.
Well, yes. People are coming up with tricks like deep-faking your boss to convince you to give up your password or make a financial transaction. People are certainly coming up with interesting tricks.
But people are also dreaming up nonsense ideas: combining AI with malware on the attacker side, or automating defenses by recognizing statistical anomalies on the defensive side.
AI defense is now snake oil and will continue to be snake oil in the future. Anything advertised as “AI” or “machine learning” is suspect.
Well, to be fair, all products will have “AI” in the near future. Customers are already telling their vendors that competitors have “AI”, so why don’t they? Thus, every company, whether legitimate or snake oil, is adding gratuitous AI features to play that game.
What customers should care about is results, not how they are reached. Most AI actually isn’t much AI but simply hard-coded algorithms. If a product recognizes a cyberattack, it’s mostly because engineers wrote code to recognize the attack, rather than some machine learning model. They might do a little extra AI here simply to be able to advertise “AI”.
Hackers will certainly come up with new tricks. But there’s really no actionable thing I can tell you in order to defend against these tricks. At some point, an extinction-level meteor is going to hit the Earth, but it’s pointless worrying about it because there’s nothing you can do to prepare.
Bots and botnets
No.
The only things changing in this space are our increased ability to handle them, and the slowly diminishing attack surface that hackers can use to build botnets.
Yes, yes, at some point in the next couple of years we’ll have the biggest botnet-fueled DDoS attack ever, measured in something like web requests per second or bits per second. But that’s because computer and Internet speeds are increasing.
But the relative vulnerability to such things is going the other way. It’s harder and harder for botnets to be a credible threat to organizations.
IoT
Big no.
In 2023, over 4 billion new IoT devices will be attached to the Internet. The thing to notice about that number is that it’s greater than the 4 billion reachable IPv4 addresses on the Internet.
In 2016, the Mirai worm infected 250,000 IoT devices (mostly security cameras), created a botnet, and caused massive DDoS attacks. This was the “wake up call” for IoT security.
But in the years since, billions of new IoT devices with horrible cybersecurity have been added to the Internet, and nothing similar has happened. In the last 6 years, there’s been no great IoT attack.
The reason is simply that IoT devices sit behind firewalls, or at least behind NATs. As measured by scanning the public IPv4 address space, the IoT attack surface has gone down, not up. As for public IPv6 exposure, because the address space is so large, it’s almost impossible to find IoT devices to attack via IPv6.
The primary threat from IoT these days doesn’t come from the devices themselves but from cloud providers. Instead of targeting devices, hackers target the company controlling the configuration or software updates for those devices.
That’s what happened with Verkada. Their security cameras are centrally managed and completely secure from Mirai-style vulnerabilities. Yet hackers broke into the company and took control of all the customer cameras, roughly the same number as Mirai. It didn’t hit the news because all the hackers did was post a few videos from the cameras to embarrass the company, but they could’ve executed DDoS attacks on the scale of Mirai’s.
Another example was the ViaSat attack at the start of the Russian invasion of Ukraine. The Russian hackers broke into the company and pushed out a configuration to all the modems at customer sites, disabling them. These modems are a type of IoT device; their security vulnerability was the company managing them, not the devices themselves.
This is the threat of IoT. Sure, there are going to be unpatched vulnerabilities, but they aren’t exposed to the public Internet, so they’re less of a threat. Instead, the biggest threat by far is the cloud: the private information sent to the cloud, and the central management that can push down configuration and software updates.
And since this applies equally to apps installed on phones, desktops, and servers, it’s not uniquely an “IoT” problem.
Ransomware
Yes, ransomware is still your biggest concern.
No, I don’t see much good actionable advice about what to do about it.
Most everything you read about ransomware is some form of the platitude that you need to take it seriously, but they don’t tell you what this means. The sort of advice they give you is to fix your moral weaknesses, such as being too lazy to patch or falling victim to phishing because you are too stupid.
My advice is that you need to focus on lateral movement among Windows workstations. This involves some microsegmentation, but mostly restructuring how you do Active Directory, with hierarchical domains and privileged workstations. Hire pentesters and give them an average employee’s desktop: if they can’t get to everything, then neither can ransomware.
The point of the last paragraph isn’t that it’s some comprehensive guide to fixing ransomware, only that there exists technical advice that doesn’t tell you to just be better at the things you’ve been failing at for 20 years.
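One concrete piece of the workstation microsegmentation described above, as an added example that is not from the original post: host-firewall rules that stop workstations from reaching each other on the protocols lateral movement relies on, while leaving a separate privileged admin workstation subnet able to manage them. The subnet ranges, rule names and port list are assumptions for illustration; in practice you would deploy this through Group Policy rather than per host.

```powershell
# Added example (not from the original post). Blocks inbound admin protocols on a
# domain-joined workstation when the source is another workstation VLAN.
# Assumed (placeholder) layout: workstation VLANs 10.10.0.0/16 and 10.11.0.0/16;
# the privileged admin workstation (PAW) subnet 10.250.0.0/24 is deliberately
# left out of the block list so management from PAWs still works.
$WorkstationRanges = @('10.10.0.0/16', '10.11.0.0/16')

# Protocols commonly used to hop from one workstation to the next.
$Ports = [ordered]@{
    'SMB'         = 445
    'RPC-EPM'     = 135
    'RDP'         = 3389
    'WinRM-HTTP'  = 5985
    'WinRM-HTTPS' = 5986
}

foreach ($name in $Ports.Keys) {
    $ruleName = "Microseg-Block-$name-From-Workstations"
    # Remove any earlier copy so the script is idempotent when re-run.
    Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    # Block rules win over allow rules in Windows Firewall, so this overrides
    # the default File and Printer Sharing / Remote Desktop allow rules for
    # traffic that originates in a workstation range.
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort $Ports[$name] `
        -RemoteAddress $WorkstationRanges -Action Block -Profile Domain `
        -Description 'Workstations must not reach each other on admin ports; only the PAW subnet may.' |
        Out-Null
}

# Verify what was applied: rule name, port and the blocked source ranges.
Get-NetFirewallRule -DisplayName 'Microseg-Block-*' | ForEach-Object {
    $port = ($_ | Get-NetFirewallPortFilter).LocalPort
    $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    '{0,-42} port {1,-5} blocked from {2}' -f $_.DisplayName, $port, $addr
}
```

Run from an elevated prompt; the pentester test in the text is then simple to check, because a compromised desktop in 10.10.0.0/16 should be unable to open SMB, RDP or WinRM to any neighbouring desktop.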
Conclusion
I’m a technologist, so I’m not into the platitudes and clichés of the thought leaders. While it’s fun to speculate about what’s going to happen next year, what organizations should actually worry about is paying attention to the trends of the last few years that have led us to this point. Almost any list of “predictions for 2023” is probably a list of things you can safely ignore — and this likewise applies to any prediction by me.
By the way, the trend I’m most concerned about at the moment is “IT insiders”. This isn’t the normal “insider threat” but specifically your IT nerds hanging out on forums with other IT nerds, giving up the secrets, especially direct access to the core network. Following my advice above, that means you can safely ignore this unless and until it becomes an obvious trailing threat.