Recently I have been asked by many CISOs, CSOs and IT administrators, who have become very tired of the constant system patch battle and constant security software updates, whether new operating systems like Google Chrome could loosen Microsoft’s stronghold on the desktop OS and just maybe whether we could be safer 5 years from now.
Actually, this is a difficult question. We in the IT industry will likely see more disruptive technologies 5 years from now. So the safest way to answer questions like the one above is to reflect on what’s going on at the moment.
It is clear that there is an ongoing cyberwar. The attackers are cybercriminals who are making a lot of money via malware, hacking, and other malicious activities. They are able to do this because the desktop is pretty much dominated by one OS. If you are an attacker and you focus on attacking Microsoft platforms, you will be able to reach enough computers to make sufficient money. This is a simple economy of scale. As other operating systems (for example, Mac OS) become more popular and gain desktop market share, we see more malware there as well. No surprise.
But what if the operating system were very small and open source? What if all the data and applications were stored in the cloud, like with Chrome OS? Would it be safer?
In theory, yes. The OS is smaller, which means fewer bugs (fewer lines of code), and as it is not that powerful, locally installed multipurpose malware indeed might be a thing of the past. I personally don’t believe that open source is riskier because the attackers could figure out the weaknesses faster (the argument we typically hear). Security by obscurity has never worked!
But some attack scenarios might still work:
- Manipulating the connection to the cloud. What about tampering with the OS just enough to change the DNS records? The user would first visit an underground site and then be redirected to his web application page. This might reveal all his data if the communication channel can’t be locked down. OK, we could rely on IPv6, encryption and certificates, but still, this might be an attack vector.
- Attacking the cloud itself. If cloud-based applications and cloud-driven OSes become mainstream, how important is 99.999% availability? It’s the key: without being able to reach the information and application host, your computer is useless. What if the attackers are using standard botnets (we will for sure keep seeing bot-infected computers on standard multipurpose operating systems for the next 10 years) to overload the cloud infrastructure of the host? What if the attacker asks for a small “donation” to ensure that the cloud host, being overwhelmed with requests, could deliver the service again? For sure a lucrative business for the attacker. Science fiction? No! This is happening already on a small scale, but if one business driver (infecting desktop computers with malware to misuse them) loses importance or profitability (not enough targets to reach anymore), then another business model will replace it.
- Grabbing valuable items (credit card information, social security numbers, logon accounts) in the cloud (since they can no longer be grabbed from victims’ computers). The cloud vendor must ensure that unauthorized access is not possible, and that a hacker will never be able to copy millions of user records, login credentials, online banking info, billing info, transaction records, etc. So data breaches need to be avoided. I doubt that this is possible.
So again, I try to avoid predicting the adoption of the Chrome OS. I don’t want to predict which OS will be dominant 5 years from now, but one thing is for sure: the security industry will not disappear, it will just need to reinvent itself to be able to address these new attack vectors.
So no more local antivirus with huge signature files, but cloud-based reputation services for web, e-mail and files. And of course vulnerability assessment, shielding, encryption… the complete arsenal needed to enable the safe exchange of digital information.