What Will Underpin Organizations’ Cybersecurity Priorities in 2021?
My days working in and then with law enforcement began when personal computers were becoming more mainstream and the interconnection of computer systems around the world began with a USA Department of Defense project (ARPANET) and then a project out of CERN. During this time, I was lucky to have needed an understanding of binary and ASCII as well as a few programming languages in order to work in information technology at all. So, back then, our concerns about bad things being done comprised a short list of threats. Now, as we all know, cybercrime has become a big money-maker for criminals and nation-states alike, and it has become a tool in the weapons arsenal of many nation-states as well. Cybercrime tools have also become increasingly easy to use, such that anyone with limited technical skills can launch cyberattacks.
Fast forward to 2021, and we have, once again, a changing threat landscape: many employees now work from home, either fully or in part; organizations are relying far more on cloud or online services, applications, and infrastructure; nation-states are launching larger and more devastating cyberattacks; social media has become a cornerstone of societal action and also societal disruption; various elements and forms of artificial intelligence are being utilized for defensive and offensive security; and some older forms of cyberattacks based on social engineering have been updated to improve their effectiveness.
One common denominator remains, however: the human element in security. As the saying ascribed to Alexander the Great goes, “Remember: upon the conduct of each depends the fate of all.” Let’s take a look at the crystal ball together and see what 2021 might look like with regard to cybersecurity.
Work from home or remote working is not a new concept, but it has become an essential element of every organization’s business continuity plan and, if you have not yet documented your business continuity plan, then you do need to get on top of that! With a remote workforce, it is always best to have a structured plan that includes: a) secure endpoint devices (either through issuing organization-owned devices that you manage and control access to and/or through the use of MDM or similar software deployed to the endpoints), b) secure communication channels (through the use of secure VPN or similar technology), c) secure document management (through data loss prevention, forced storage to secure locations only, etc.), and d) continuous security awareness for all organization staff and third-party partners.
In 2021, organizations should be investing effort (and probably money) in this new world of remote working because it is not only a new reality during the pandemic, but it can also become a money-saving business model for many organizations (e.g., less bricks and mortar required, less time spent commuting, etc.).
As we have already witnessed in 2021 (e.g., the SolarWinds attack(s)), more sophisticated nation-state sponsored cyberattacks are now occurring and they will certainly continue. With the SolarWinds attack, there was an added level of impact due to the pervasive nature of the compromised software throughout government and the private sector. In addition, attacks on critical infrastructure (e.g., the water supply in a town in Florida, USA) which utilize IoT or IoMT (medical devices) have already begun to occur in 2021, and these will continue to be a risk going forward, with these attacks mainly being of benefit to foreign nation-states. Here in Canada, there has already been talk about strengthening our cyber defense/offense capabilities due to the new realities of a “gloves off” cyber cold war that we are currently in the middle of (whether any country wants to admit this or not). These types of attacks will continue in 2021, and critical infrastructure and manufacturing where IoT or automated industrial control systems are utilized will have to continue to strengthen their cyber defenses.
On the financial front, 2021 has already seen several cyberattacks against cryptocurrency trader or warehouse vendors – I mean, why try to attack the blockchain that runs cryptocurrency if you can instead compromise a password on a cryptocurrency vault that houses the cryptocurrency?
We have also witnessed how a small, dedicated group of non-professional Wall Street traders can immediately influence the stock value of a listed company (e.g., GameStop). Cryptocurrency may be in jeopardy in 2021 as a viable alternative to state-backed currencies; also, trading regulatory bodies worldwide will be looking to protect the stability of exchange-listed companies.
Social media has become weaponized in 2020/2021 with examples such as nation-state elections being disrupted, the rise of online hate groups, the coordination of attacks by private citizens on governments, and the radicalization of citizens of even Western democracies through conspiracy theories launched via and supported by social media. I used to get a chuckle out of memes shared on social media with a photo of someone famous and a statement attributed to that person which that person never really said but, today, this previously humorous activity has become a means for creating disinformation or misinformation.
Conspiracy theories will continue to find willing believers in 2021, and this will continue to destabilize the human factor in the cyber-threat landscape because radicalization of citizens (as some nation-states have obviously discovered) can destabilize entire countries. Social media companies will need to continue to tighten their controls over content on their platforms in 2021; however, we have already witnessed some controls being imposed upon social media content from the outside (e.g., Apple, AWS, and Google banning content related to the feeding of misinformation to those who attacked the US Capitol in January) and we have also seen the creation of new social media channels/applications specifically to avoid these types of controls.
On the topic of nation-states, we have seen several successful cyberattacks against nations that appear to have themselves been state-sponsored (e.g., the attacks against systems at uranium enrichment facilities in a certain Middle East country). The latest reports out of US intelligence agencies also describe how some foreign nations are making a fairly large amount of money from state-sponsored cyberattacks against other countries and the citizens of these other countries; this is so lucrative that a certain country near the Chinese border was identified as having funded the development of their latest ballistic missile with funds acquired through state-sponsored cybercrime. 2021 will see this trend of state-sponsored cybercrime continue so the rumored efforts to increase the strength of nation-state countermeasures against these types of attacks will, no doubt, need to be increased this year.
The need for cloud services of all types was mentioned previously in this article as a consequence of the remote workforce reality we now all live in, so the use of cloud will only increase in 2021 and, with this, the need for practical cloud security skills and the need to audit cloud security will both be important this year and going forward. If you are not yet familiar with (or certified in) cloud security best practices (e.g., from Amazon’s best practice guidance to ISO standards, and Cloud Security Alliance frameworks) then you will want to buckle down and get a grip on this information. Every cloud implementation or usage is an opportunity for poor security design or poor security implementation, so 2021 should be your year to get your head in the clouds and learn and apply cloud-specific security.
Everyone has been talking about artificial intelligence for the last few years, and many organizations seem to be misusing this term to describe things that are not actually AI but are instead things like machine learning, deep learning, and similar. Even so, AI as a general discipline has become more pervasive and this will continue in 2021.
You can even get your hands on machine learning source code today through GitHub that can get you started tomorrow on building your own machine learning-based application or process. I have a friend in Europe who has, along with colleagues, used some AI discipline tools to build an engine to analyze outputs from source code testing tools in order to weed out all of the false positives or informational types of findings to make troubleshooting source code issues far more cost and time effective. Because of the increasing availability of machine learning (and other) toolsets, we will most likely see an increase in AI/machine learning usage in 2021.
We have spoken a few times in this article about state-sponsored activity related to cybersecurity and I wanted to cover another aspect of the relationship between governments and technology: the use of technology as both a societal change engine and also its suppression as a means to stop such change. In 2021, as in some previous years, we have witnessed a nation-state (most recently, Myanmar) undergo a political upheaval, and then, once the citizenry began to resist the change, the government cut off all internet access in the country. Governments have come to understand that speedy communication amongst their citizenry can be used to hold the government to account (and not always in the best way, as we have also seen), so control of access to technology such as the internet has been and will continue to be a risk in the cybersecurity realm on all sides of the security discussion. Control of access to technology for nefarious purposes versus the public good or freedom of speech will, without doubt, continue to be a contentious topic in 2021.
Mobile devices have become an even more important tool in the organizational/work toolbox during this pandemic and the security of these devices has also become increasingly important. Efforts to gain access to these devices and intercept or divert their communications have correspondingly increased during this time of remote working, and technologies that promise increased security, such as 5G, have also become a focus for organizations and end-users. Supply chain security, especially in technologies like 5G, has become critical and will be a vital focus in 2021.
As these pandemic times have demonstrated, nothing is constant except change and, as security practitioners, we must all be adaptable to change. To quote Alexander the Great once more, “There is nothing impossible to him who will try,” and this applies to both the cybercriminals and the cybersecurity professionals who work to stop illicit or illegal activity. In addition to preparing for the evolving threat landscape of 2021, I think it is equally important to ensure you maintain your personal and professional commitment to ethical conduct when working in any branch of a security career and to instill secure practices at all levels of your organization. Best of luck in 2021!