People pose in front of a display showing the word 'cyber' in binary code, Zenica, Bosnia and Herzegovina, December 27, 2014

commentary

(U.S. News & World Report)

December 31, 2014

After a Year of Major Hacks, 2015 Resolutions to Bolster Cyber Security

People pose in front of a display showing the word 'cyber' in binary code, Zenica, Bosnia and Herzegovina, December 27, 2014

Photo by Dado Ruvic/Reuters

by Lillian Ablon

2014 was the year the hack went viral. Retailers like Staples Inc., Neiman Marcus Inc., Michaels, Home Depot Inc., and eBay Inc. announced breaches, while millions of customers were helpless to stop the flow of credit card information and personal data to cyber attackers. But it wasn't just retail giants: Firms in health care (Community Health Systems), finance (JPMorgan Chase & Co.), and entertainment (Sony Pictures) also fell victim to cyber attacks. In addition to breaches, major software vulnerabilities surfaced. The OpenSSL Heartbleed vulnerability shook confidence in Internet security, while Shellshock exposed a majority of Internet-facing services to attack.

2014 also saw big moves designed to disrupt attackers. A particularly bold one was the U.S. indictment of Chinese hackers accused of infiltrating American companies. There were also internationally coordinated takedowns of black market sites and arrests of high-profile cyber criminals. For example, Operation Onymous resulted in several arrests and disruption of dozens of black market sites, including the latest resurrection of Silk Road, an anonymous marketplace known for its illegal drug trade.

Of course, cyber security issues and efforts to combat them aren't a passing trend. They'll only proliferate as the cyber black markets grow, new devices are introduced (e.g., Internet of Things, wearables), tech is used more extensively in new areas (e.g., health information technology, education, self-driving cars), and state and non-state actors continue to use cyber to attack and gain intelligence.

As such, in 2015, expect more attention, but not necessarily more action. Discussions about data breaches and cyber security will increase among the media and general public, both of whom have already taken notice of these issues. Some discussions may be counterproductive, but greater awareness of and conversation about cyber threats is a net positive for security.

There will likely also be more focus on dual-use technologies, such as the anonymity network Tor, and their benefits or detriments to privacy and security.

The boom in smart devices will continue as the world becomes more and more connected. In fact, connected devices are expected to outnumber connected people six to one by 2020. As more devices go online, it's safe to expect an accompanying boom of hacks. Some will stem from criminals, some from savvy consumers who want more control over their devices.

Security will remain a cost to companies—not a top priority. Why? Persistent, unanswered questions make it hard for a company to make the right decisions: How much security is enough? How much should be spent? Should security be run internally or outsourced? What tools and people are most effective? Smaller companies and new products are likely to wait until some of these questions have answers or until the threat is real for them—in other words, until it's too late.

Individuals will continue trading security for convenience. For example, they'll favor easy access to data more than security. This preference has ripple effects: Without sufficient demand, companies are that much less likely to make necessary investments in security.

With these trends in mind, it's safe to say that bolstering cyber security will be a 2015 goal for individuals, organizations, and governments. So what does that look like?

Multi-factor authentication is a good place to start. This could have possibly prevented the JPMorgan Chase breach. Apple Inc. learned this lesson too late, as well. But after a massive leak of celebrities' nude or otherwise personal photos, it decided to make a change and implement two-factor authentication for iCloud accounts.

Developing and enforcing stricter laws on discovering and disclosing breaches could help, too. Currently, there's no consistency for many data breach laws. For example, every U.S. state has its own policies (PDF) for breach notifications. Consistency could produce faster responses to breach victims, which would reduce fraud and black market trade while boosting accountability for those responsible.

Certain areas likely need special legal attention. Certain health information, for example, is already protected by some of the most robust security laws (e.g., the Health Insurance Portability and Accountability Act). But with the confluence of medical devices and the Internet of Things opening a new can of information security worms, these laws could be strengthened. What, if any, should be government's role in this? What new regulations should be developed, and how should they be enforced?

Of course, laws are only effective if the affected entities realize they've been breached. According to Verizon Communications Inc., unrelated third parties discover an average of 70 to 80 percent of attacks (PDF). This suggests that information sharing among companies (and government) could be bolstered in addition to boosting monitoring capabilities and user-awareness training.

Password storage is critical. Sony staff stored plaintext passwords in an Excel file, which unnecessarily exposed the company to attack. As always, individuals should be mindful of online security, maintaining password strength, avoiding dubious links and attachments, and refraining from giving away information on online forms.

Stakeholders need to bake security in from the start, making security as much of a priority from the beginning as functionality, productivity, and convenience. The recent holiday tech binge is a good illustration of this. Smart devices likely spiked as consumers unwrapped countless Christmas presents and connected them to the Internet of Things. For the vast majority of these devices, security is not baked in. Imagine if an attacker hacked your “smart home” kit and could control your air conditioner, lights, and garage door.

It's important to keep investing in security innovation. Companies receiving millions of dollars in venture capital should continue to tackle the hardest cyber security problems. This will result in new products like Apple Pay that offer both convenience and security, more tools available for defenders, and more collaboration to try to enhance security.

If these resolutions are realized, defenders might not gain the upper hand in 2015, but they'll make strides in better protection, tools, and techniques that could help turn the tide in years to come.


Lillian Ablon is a researcher at the nonprofit, nonpartisan RAND Corporation and a professor at the Pardee RAND Graduate School.

This commentary originally appeared on U.S. News & World Report on December 31, 2014.