Industry executives and experts share their predictions for 2021. Read them in this 13th annual VMblog.com series exclusive.
Crowdsourced Cybersecurity CTO's 2021 Cybersecurity Predictions
By Casey
Ellis, CTO/founder/chairman, Bugcrowd
As
we advance into the 2020's, technology will continuously improve and bad actors
will become more sophisticated in response. Here's a glimpse at some threats we
can expect in the new year, and how different organizations might prepare their
defenses.
State-sponsored
attackers will use false flag attacks more often in their cyberwarfare efforts
A false flag attack is when an adversary
attempts to make their attack appear to originate from another entity. This
category of attack made major headlines when Russian attackers used this tactic
against the 2018 Winter Olympic Games in Pyeongchang,
South Korea, and attempted to make their intrusion look as if it were carried
out by North Korean actors. Given the already severely strained relationship
between North and South Korea, this is a good demonstration of the low cost and
ease of misattribution - as well as the potentially devastating consequences.
Since then, there has not been a major attack
that was discovered to be a false flag operation. But, there has been ample
time for state-sponsored cyber groups to improve their tactics in order to
successfully launch more advanced false flag campaigns. 2020 has also seen an
increasing burden of proof around the effectiveness of cyber-enabled
disinformation and misinformation as a tool in the hands of both foreign and
domestic actors with a political goal.
Looking ahead, governments should expect
state-sponsored attackers to launch false flag campaigns more frequently. As
such, governments must consider information warfare and cyberwarfare to have
merged in their execution and outcomes, and be very focused on clear and clean
attribution when an attack takes place.
The
life or death nature of ransomware in healthcare will increase pressure to pay
ransoms
Historically, hospitals have been a lucrative
target for ransomware attacks, as the need to access computer systems and
patients' protected health information (PHI) creates a sense of urgency that
leads to victims likely paying their extortionists. However, this year showed
that ransomware attacks can now have fatal implications, further driving the
urgency to combat ransomware in the healthcare sector.
In September 2020, adversaries hit a German hospital with ransomware
that led to a patient not being able to receive life-saving treatment and
passing away, the first known death that was directly caused by a cyberattack.
Looking ahead, it's likely that other attackers will prioritize ransomware
attacks on strained healthcare facilities' critical life support systems as the
urgency to save a patient's life would put great pressure on any hospital to
pay a ransom.
To prepare for potentially fatal ransomware
campaigns, the healthcare sector needs to identify its critical systems and
determine which are most business critical. Then, each healthcare organization
can prioritize those critical systems for upgrades to ensure proper security
for patient well-being.
As ransomware becomes more a question of
"when it will happen" than "if it will happen", legislators
and the cybersecurity industry itself will be pressured to find ways to solve
the ransomware problem without needing to reduce the choice to "pay or not
pay".
Ethical
hackers will play a key role in securing future elections
In 2021 and beyond, all organizations with a
stake in the voting process will collaborate with ethical hackers to ensure the
integrity of voting systems and processes, therefore assuring the general public
that the election process is as secure and trustworthy as possible. The reality
is that security researchers can test voting systems just as an adversary would
to uncover exploitable vulnerabilities, and then relay that feedback to the
appropriate personnel for remediation on a prioritized basis.
Previously, voting equipment manufacturers
looked down upon security researchers that would proactively test their
equipment, but we saw major leaps this year as major providers like Election
Systems & Software (ES&S) announced policies to work more closely with
researchers to find bugs in their networks and websites, as well as support from the DHS and CISA to enable states
like Ohio and Iowa to implement VDP as a state level, including safe harbor
language from disclose.io
to ensure clear guidelines around legal safety for everyone involved.
What's needed next is cooperation from the
U.S. government, specifically with clarification around the Defending the
Integrity of Voting Systems Act and the Computer Fraud and Abuse Act (CFAA).
These laws currently serve as barriers for security researchers to do their
jobs and test voting systems in good-faith, as ethical researchers fear being
prosecuted for doing their jobs. Looking ahead, as government officials start
to pay closer attention to cybersecurity, it's possible we may see these laws
revised for the betterment of our democracy.
Governments
around the world will continue to adopt vulnerability disclosure as a default
Governments are collectively realizing the
scale and distributed nature of the threats they face in the cyber domain, as
well as the league of good-faith hackers available to help them balance forces.
When you're faced with an army of adversaries, an army of allies makes a lot of
sense.
Judging by the language used in the policies
released in 2020, governments around the world (including the UK) are also leaning in to the
benefit of transparency inherent to a well-run VDP to create confidence in
their constituents (neighborhood watch for the internet). The added confidence,
ease of explanation, and the fact that security research and incidental
discovery of security issues happen whether there is an invitation or not is
making this an increasingly easy decision for governments to make.
##
About the Author
Casey is the Founder, Chairman, and CTO
of Bugcrowd. He is a 20 year veteran of information security,
servicing clients ranging from startups to multinational corporations as
a pentester, security and risk consultant and solutions architect, then
most recently as a career entrepreneur. Casey pioneered the Crowdsourced
Security as a Service model launching the first bug bounty programs on
the Bugcrowd platform in 2012, and co-founded the https://disclose.io vulnerability
disclosure standardization project in 2016. A proud ex-pat of Sydney Australia,
Casey lives with his wife and two kids in the San Francisco Bay Area. He is
happy as long as he's passionately pursuing potential.