Reading the IT press can be a pretty depressing thing sometimes. The past 12 months in particular have seen an avalanche of cyber-attacks on public and private bodies all over the country. Whether it’s nation state actors, financially driven cybercriminals or personal motivated hacktivists, the effect on organizations and individuals from the federal government down, has been devastating. Just consider some of the tragic alleged outcomes of the Ashley Madison hack.
The good news is that Trend Micro predicts 2016 will see things get better. Building on some good work done already this past year, governments and law enforcers across the globe will refocus their efforts on more arrests, more convictions and more effective laws to turn the tide in their favor.
A good year
Despite all the sensational cyber-attack headlines over the past 12 months, there have also been a fair number of wins for the white hats. Here are just a few:
We’re clearly seeing more global co-operation between law enforcement agencies so that they can act quickly and decisively to bring known or suspected cybercriminals to justice. Partnerships with industry players like Trend Micro will also continue and deepen. In fact, we signed a landmark MoU with the UK’s National Crime Agency this year which has seen members of our Forward-Looking Threat Research Team work hand-in-hand with the agency on entire cases. It’s already led to the arrest of two suspected cybercriminals.
Challenges and optimism
Building on the momentum of the past year, we think cybercrime legislation will take a significant step towards becoming a truly global movement in 2016. But it won’t be without its challenges. There are still far too many regions of the world in which hackers can sit tight and operate with virtual impunity – safe in the knowledge that as long as they don’t focus their efforts on domestic vested interests the authorities will turn a blind eye
Suspected JPMorgan hack ringleader Joshua Aaron, wanted by the FBI, is known to have traveled frequently to Russia, for example. Many more countries across the Middle East and Asia also represent something of a blind spot for police, despite the best efforts of Interpol.
For there to be movement on this we need politicians to forge closer bonds with the common understanding that economic cybercrime does no country any good. The deal between the US and China on this was a step in the right direction. There will always be nation state espionage, but if we can differentiate that from economic cybercrime, there may be a way to forge an agreement on improved co-operation on cases going forward.
Within the US and the EU, the escalation of cybercrime incidents may be reaching a tipping point where the potential loss of private information to criminals begins to be a greater public concern than vulnerability to governmental surveillance. The perplexing trade-off between these issues has largely chilled effective cybercrime legislation for the last several years, with many proposed schemes being criticized for overbroad language that could unnecessarily expose citizens to further risks or be abused for law enforcement or even private litigation objectives that are largely unrelated to cybercrime.
In the US, 2016 will be a very important year for cybersecurity policy due to the Cybersecurity Information Sharing Act of 2015 (“CISA”) that was attached to the omnibus budget bill recently passed by Congress, and the pressing controversy about strong encryption technology. Although a slightly more privacy friendly version of CISA passed the Senate in October, and White House Cybersecurity Coordinator Michael Daniel was quoted as saying that “the [Obama] administration will be pushing to ensure that there are very robust privacy provisions” in the final version, the current CISA version is actually less narrowly tailored for its ostensible purpose. In the current version, data shared with government authorities could be used for non-cybersecurity purposes where there’s a “specific threat” (vs. an “imminent threat” in the prior version), and the contributor is no longer required to make an effort to remove irrelevant personal information from the data prior to submission. While we expect to see some benefit from broader sharing of threat and incident data, the benefits may be tempered by reduced participation and backlash from privacy and consumer advocates if the data is used for purposes that don’t have a legitimate security nexus (e.g., illegal downloads of copyrighted music and films on p2p networks being characterized as cybercrime to encourage ISPs to monitor customers).
As the debate about strong encryption seems to be rekindled with each new revelation of terrorist conspiracy, there has been an increasingly urgent call for cryptographic communications and software companies to enable governmental access to encryption keys or “back doors” for surveillance purposes. While these calls are often well intended, and hidden communications are indeed an important tool for terrorists and cybercriminals, most technology industry groups (including the Business Software Alliance, of which Trend Micro is a member) oppose the weakening of encryption technologies or the concentration of encryption keys in a single repository because of the high probability that cybercriminals would soon learn to exploit those weaknesses and gain access to any key repositories, jeopardizing the privacy and security of millions of citizens. There’s no easy answer to this conundrum, but any laws adopted by the US or other countries requiring the compromise of encryption technologies may well drive the bad actors to use offshore or “rogue” encrypted communications apps and services, defeating the primary purpose of the laws while still increasing the vulnerability of the legitimate users of the affected products. A technology breakthrough to solve this problem is something of a “holy-grail”, and could become the biggest cybersecurity of the year if someone can figure it out.
Although the cybersecurity threats we’re facing have never been greater, the unprecedented level of attention on these issues we’ll see in 2016 make it a year for optimism and the acceptance of new challenges!
To find out more on this and all of our security predictions for 2016, check out Trend Micro’s new report, The Fine Line.