In Part 1 of this two-part ESG 360 Video, ESG's Jon Oltsik and Doug Cahill talk about their expectations for cybersecurity in 2017. Part 1 focuses on ransomware, cyber-attacks and government.
Announcer: The following is an ESG 360 Video.
Doug: Well it's the holiday season and that means that it's that time of year again to start talking about some predictions when it comes to cybersecurity. Jon, I have to be honest, after this political season, I'm a little apprehensive to make predictions. Maybe we can call these things that are on our radar screen for 2017.
Jon: Good idea.
Doug: Let's start by taking a look back. You know how much I hate to admit that you're right, but boy, when you predicted ransomware was going to be a big issue in 2016, you were spot on.
Jon: Unfortunately, that's true. Ransomware grew around 300% this year. It's a billion-dollar business. It's also the most profitable form of malicious attack ever. I just don't see a letup in 2017, so we're just predicting a continuation of a trend, but there'll be more ransomware attacks. There'll be more automated ransomware attacks: ransomware as a service, using automated tools to get ransomware into a bigger pool of people, and maybe the ransom will go down, but it'll be a bigger market to service.
Doug: It could be highly transactional.
Jon: It'll be highly transactional and it could also be more targeted at different industries. We saw healthcare this year. It could be financial services in 2017.
Doug: Yeah. We can see different types of ransomware as well, as the controls evolve and are able to detect things like the rapid encryption of files. Crypto may not be the means of choice by the bad actors. I wonder about applications, frankly, like Tinder. If we sort of connect the dots between the Ashley Madison hack last year and ransomware, boy, there could be some blackmail and extortion that could be had if Tinder ever got hacked.
Jon: Yeah, and I think we'll also see very visible famous personalities being attacked. They have the money. They have more at stake personally because of their reputations. We saw the success of the attacks on the DNC, the attacks on John Podesta. Those types of targeted attacks for money, I think that's a growth industry.
Doug: Absolutely. Then we had sort of the return, you might say, of DDoS attacks with the Mirai attack emanating from IoT. What do you see happening in that area in 2017?
Jon: It appears to me that was a proof-of-concept type of attack, and it was successful. There's the concept of shadownets now, where there are these botnets of IoT devices. We don't know how big they are. We do know they can generate terabits per second of traffic. There aren't many back-end services that can withstand that type of attack. That's very scary. I think that combined with hacktivism or even nation-state activity is going to mean some major attacks this year.
Doug: It's keeping the IoT devices themselves secure as more connected devices come online, but then also those devices being hijacked to participate in botnets. It's really two-dimensional. It's worth talking about here.
Jon: Yeah, and IoT is something that we'll keep our eye on because there are a lot of very insecure devices out there with just default passwords enabled. The question is, will the market accept that, or will governments step on that with regulations? Actually, speaking of governments, we do have a new administration coming in in the United States. We've seen some activity in Europe. What are you looking at for government activity next year?
Doug: Yeah. Well, starting with Europe, GDPR was ratified this past spring. It goes into effect a year from this spring. Organizations and vendors alike have a year to get ready before what are some pretty appreciable fines start to take effect. Talk about carrot and stick: these are pretty big sticks. The fines are anywhere from 2% of turnover to 4% of turnover, capped somewhere between, I think, 10 to 20 million euros. These are not trivial fines. This is a regulation with some real teeth in it, and it affects of course not only European organizations but U.S. organizations, not to be ethnocentric, but U.S. organizations that are doing business overseas, and obviously cloud service providers. Fortunately, there's a two-year runway, and I think everybody's going to need every day of that to get ready for GDPR when it is effective in the spring of 2018.
Jon: Yeah, the lawyers will be busy.
Doug: Lawyers will be busy as always.
Doug: How about here in the States? As you mentioned we have a new administration.
Jon: We do.
Doug: I think we've both been disappointed at sort of the lack of taking cybersecurity seriously at the federal level. I know you've been talking and writing about your suggestions on what a Trump administration ought to do in terms of attacking cybersecurity. What are some of your summary thoughts?
Jon: Well, the Trump administration will have support in Congress. Typically the Republican agenda is to push voluntary measures. What I'd like to see, or what I think should be done, is just a continuation of the NIST Cybersecurity Framework. It's had some success. We need to push for more success. We need success metrics. We need to push that into small organizations. We need... I'd like to see the government work with insurance companies to just make that a standard way that they measure risk. That would empower the insurance companies to have some actuarial data so that they can now fine-tune policies; they could help reduce risk with their customers. So there are things we can do. I also wouldn't rule out regulations, because if we have a major attack on critical infrastructure, or if we continue to see these really insecure IoT devices being produced, someone's got to step in. It could be a Republican administration if things get pretty hairy.
Doug: Sure. Should fines be part of that? Should organizations be more responsible with respect to financial penalties if they're not adhering to things like the NIST Framework and following best practices?
Jon: Well, yes, but I don't see that in this administration. I think that, again, they want voluntary measures; they're very, very sensitive to any kind of regulations; they want to cut regulations, so I don't see that.
Doug: Well, great. Well, we have a lot more to talk about.
Jon: We do.
Doug: So stay tuned for the next edition of our series.
Jon: Yeah, and happy holidays. Happy holidays, Doug.
Doug: Happy holidays, Jon.
Jon: Oh, thank you.