Ed Amoroso's Cyber Security Predictions for 2017

Take a look at a speech I gave several years ago: (http://techchannel.att.com/play-video.cfm/2011/3/31/Conference-TV-2010-AT&T-Cyber-Security-Conference---Ed-Amoroso). Pretending on-stage with the audience that we’d all time-traveled ahead to 2035, I reflected back on mobile botnets, virtual cloud protection, two Cyber World Wars, and President Derek Jeter. (Don’t laugh. I really think he can win.)

And now, as part of our annual cyber security industry ritual, I offer my heartfelt views on what to expect in the coming year. Sadly, unlike the playfulness of my on-stage approach in the video, I feel compelled to offer here a much more sobering prognosis. We have serious problems brewing, and we would be wise to pay close attention. So please find below my five predictions for the cyber security community in 2017:

Prediction 1: We will see an endless stream of chaotic data leaks across the US Federal Government. When Cabinet heads like Rick Perry report to work, I doubt they’ll be met by welcoming committees. Instead, they should expect angry bureaucrats who believe it’s their turn to be that pissed-off factory guy from Indiana. And as any IT security expert will attest, this creates a ripe environment for data leakage. Once the barrage of insider leaks proves too much for our new Administration to handle, expect to see “snoopware” deployments across government LANs. And when this fails, expect to see a ban on email and networks for official government work. Sigh.

Prediction 2: We will see an increase in embarrassing voice conversations posted to WikiLeaks. No one is surprised anymore when prominent people like Amy Pascal or John Podesta discover their email posted publicly. In fact, such leaks have caused most of us to be much more careful about what we tap into our iPhones. But how many of you bother to filter the sometimes crazy things we all say into our phones? I’m sorry to be the bearer of bad news, but most voice calls are now a bunch of 1’s and 0’s, just like your email. So perhaps you might go back and re-read Prediction 1 above, but replace all references to “data” and “email” with references to “voice.”

Prediction 3: We will see an acceleration of remote mobile jailbreak incidents. If you were aware of the Pegasus malware incident this past year, then you already understand the dangerous precedent such expert mobile malware establishes. CISO teams have long rested a little more soundly in the belief that mobile jailbreaks require physical tethers. But now, with this new Pegasus malware, we know that remote jailbreaks are not only possible, but that they will likely multiply in 2017. What this means for normal users is that the problems of clicking on bad links from your PC will now extend to your mobile phone. This is not good news.

Prediction 4: We will see destructive malware produce consequential damage to US critical infrastructure. This claim should hardly come as a surprise, because we’ve seen cyber terrorists dabble increasingly in destructive attacks over the past few years. But now, with a more controversial world order, the likelihood that some irresponsible group will poke at our critical infrastructure with a grenade rather than a camera seems like the most obvious prediction on the planet. Expect the cyber security community to try to counter with methods from the resilience community including greater use of hot standby systems in the cloud.

Prediction 5: We should expect to see denial of service attacks begin targeting cloud workloads across APIs. Today, Tier 1 service providers do an amazing job filtering layer 3 attack volumes using BGP redirects to scrubbers. But the offense knows darn well that as workloads gravitate to public clouds, the best way to create denial of service conditions for virtual applications will be through APIs. The process will involve dropping malware into the enterprise from which voluminous requests will be made across APIs to software that was not designed for such repeat function calls. This is a naked vulnerability that requires attention. And fast.

I’m truly saddened by such depressing predictions. I wish I could have focused more on the advanced cyber security technologies being invented by so many wonderfully creative experts in our industry. Or that I could have included commentary on the increasing capabilities of the dedicated CISO teams working across industry. Or that I could have commented on the appropriately increased emphasis our government has placed in the area of cyber security and information assurance. I sure do wish that I could have included healthy reference to these fine trends in my predictions.

But the sad reality is that the bad signs in cyber security so far outweigh the good ones, that it feels more responsible to make the call this year that the glass is half empty.