China Trade Wars, Consumer Focus On Security And The AI Hype: What’s In Store For 2019
When thinking about 2019, the first thing that comes to mind is: “How are we going to top 2018?” These past few years, we have reached a new level of dystopian weirdness — toasters taking down the internet, a nation-state meddling in elections and more biggest-ever breaches — than we could have ever predicted. Outside “more, bigger breaches,” the following are three themes most likely to make headlines throughout the year.
U.S. And China: Trade War Or Something More?
This year, I expect we’ll hear more about evidence of China’s nation-state activity in the U.S., with more frequent and notable examples of attacks against the population, not just the U.S. government. There are two main drivers for these attacks: the need to continue to map the U.S. government’s employee base — including its covert operatives — and the deepening trade war between the U.S. and China.
Some of the most sensitive groups in the U.S. (the National Security Agency, the CIA, the FBI) commonly commute using United Airlines out of Dulles International Airport. They all have their details in the Office of Personnel Management database, and many use Marriott/Starwood hotels when traveling. All of these were breached over the past few years, and each of the breaches has been attributed to China. The Washington Post’s coverage of the Marriott breach noted that hotels carry information on travelers worldwide, which could include diplomats, businesspeople and intelligence officials. These attacks are fact-finding missions, and the amount of data that China now possesses gives them unique insight on both the government and the general population.
The counterintelligence component of this isn’t a new concept, but the new levels of escalation in the trade war with China give them a fresh set of reasons to understand the behavior and the makeup of their largest trade partner. The trade war also provides a fresh set of reasons for U.S. officials to disclose more of the breaches they discover, as a supporting tool in the narrative against China’s business practices. Not every breach makes the news, and the math applied to when and how to disclose is changing.
Conversely, I also expect we’ll hear less about Russian intrusions in 2019.
Data Security: The Consumer Begins To Weigh In
Until about five years ago, the average consumer was ambivalent when it came to cybersecurity: The risk was too abstract and difficult to understand. Then things started to change:
• 2013:Edward Snowden leaks: Hacking is real.
• 2014: Global credit card breaches: Hacking is real, and it happens to me.
• 2015: Health care, personally identifiable information, Ashley Madison, etc. breaches: Hacking is real, and it happens to me — and it hurts.
• 2016: General mayhem: My toaster took down the internet, and Russia hacked our election.
• 2017 and 2018: More of the same.
One thing we saw for the positive in 2018 was consumer awareness when it comes to security. I’ve been predicting for years that consumer concern about cybersecurity and getting hacked will change behaviors. We’re seeing more evidence of this every day. And businesses are responding.
This isn’t just related consumers being uneasy and worried; it’s about them changing their behaviors to better manage the perceived risks. The change that began in 2018 and will accelerate in 2019 is the availability of clear, actionable, easy-to-understand data that empowers the average citizen to factor cyber risk into their buying decisions.
Until recently, there hasn’t been data or a clear, easy-to-understand plan consumers can follow to make themselves more secure. Further, companies haven’t had financial incentives to improve the state of it all.
Built on a growing demand, and the result of this uneasiness, companies are taking a more proactive and visible approach to security. Vulnerability disclosure programs are a visual indicator of a proactive approach to security. We’re not only seeing increased adoption in our own customer base, we’re seeing it in legislation.
Security is a differentiator. It demonstrates concern for customers, and in a time of increased fear of loss of personal data and identity theft, it is easy for consumers to see the value. The idea of security marketing (people changing the way they spend money based on security) is relatively new, but growing. We can expect to see more of it this year.
Artificial Intelligence: Reality Or Hype?
We keep hearing that artificial intelligence (AI) and machine learning (ML) will change the game for attackers, making it easier than ever to breach systems and steal data for their nefarious (usually financial) purposes. We’re seeing attackers start to use basic ML and AI for bulk tasks, such as to improve the efficiency of phishing attacks. But in 2019, this will be a continued incremental improvement, not a game-changer.
When I hear people talk about AI, they tend to say two things: It will make attackers more aggressive, and it will replace humans. The former is true, but I disagree with the latter. In cybersecurity, ML and AI are levers, not replacements. It’s an arms race over a battlefield that is written by humans, where defense is set up and managed by humans, and attacks are driven and guided by human incentives. Anytime there is an improvement on the attacker side, there needs to be one on the defender side, and vice versa. By the time ML can replace a human fully in cybersecurity defense, we’ll be worried about robots taking over the planet (and hopefully still being vulnerable enough for us to subvert them — but that’s a different conversation).
Human intelligence is intractable from the problem of cybersecurity. For as long as humans write code and humans attack code, there will be last-mile cybersecurity that automation won’t be able to touch. This is not a technology problem — it’s a human one. It’s in that last mile where the bad stuff happens, and it’s the humans who can find and fix it.
If 2019 is anything like 2018, it will be a predictably unpredictable ride.