Art Coviello's Predictions for 2015 on the state of information security.
Greetings,
As I reflect on the year that has passed and think forward to the year that is to come, Charles Dickens’ timeless words come to mind, “It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of Light, it was the season of Darkness, it was the spring of hope, it was the winter of despair, we had everything before us, we had nothing before us, we were all going direct to Heaven, we were all going direct the other way.” Can you imagine a more apt description of the times in which we are living and the dichotomy between all of the technology innovation we enjoy and the oppressive cyber threat under which we live?
The best of times…
In 2014, mobile and cloud technologies continued to make our lives more efficient, more productive, and generally better. Mobile is rapidly catching up to PCs as the preferred means of interacting with the digital world – mobile Internet traffic is predicted to account for more than 30% of total Internet traffic by the end of the year (KPCB), which represents a doubling of mobile traffic over the past 18 months. If you eliminate passive Internet traffic like streaming, mobile’s rising dominance is hard to dispute.
Mobile technology itself continued to evolve from being something we hold to being something we wear, with the 2013 buzz around Google Glass giving way to buzz around smart watches in 2014.
But as pervasive as mobile has become, it is nothing in comparison to the Cloud. Upwards of 90% of organizations (CompTIA) and 90% of Internet users (BI Intelligence) are now relying on the Cloud for easy, inexpensive, and ubiquitous access to storage and services. The Internet has evolved from being the connection to storage and services to being the location of storage and services.
The worst of times…
Despite technology’s advances, however, the risk of our increasingly digital existence was brutally apparent during yet another “Year of the Breach.” Many retailers and financial services and healthcare organizations experienced damaging breaches in 2014, despite having what were considered strong security programs in place.
The fact that our pool of adversaries extends beyond criminals and hacktivists was further driven home by the growing sophistication and sheer number of nation-state cyber-attacks. For the first time, those dubious nation-state cyber activities began to create real-world diplomatic crises (e.g., the escalating tensions between the U.S. and China).
Speaking of the public sector, the U.S. National Institute of Standards and Technology’s work with industry resulted in the launch of the Cybersecurity Framework, which was a positive step forward in providing a common foundation for intelligently approaching today’s cybersecurity challenges, but little other real progress was made by the world’s governments. The Snowden revelations of 2013 continued to polarize the privacy debate and stymie the critical information sharing legislation we need to collectively secure our companies, industry and economy.
RSA Security LLC, 174 Middlesex Turnpike, Bedford, MA 01730 | T 781 515 5000 | F 781 515 5450 | www.rsa.com
So with that as the backdrop, what can we anticipate in 2015?
1. Nation-state cyber-attacks will continue to evolve and accelerate but the damage will be increasingly borne by the private sector – In 2014, nation states around the world increasingly pushed the boundaries of acceptable cyber assault to control their own populaces and spy on other nation states. With no one actively working on the development of acceptable norms of digital behavior – a digital Hague or Geneva Convention, if you will – we can expect this covert digital warfare to continue. Increasingly, however, companies in the private sector will be drawn into this war either as the intended victim or as the unwitting pawn in an attack on other companies.
2. The privacy debate will mature – We’re beginning to see a softening of the current polarized environment in the U.S. and Europe as people recognize that privacy is under attack from and being defended by a more varied and complex set of actors than the current debates would lead you to believe. It is increasingly recognized that privacy is not a monolithic concept and that it cannot survive apart from security. A more pragmatic, balanced debate about how to secure our privacy will ensue in 2015 and the prospects for responsible privacy policies and intelligence sharing legislation that would better protect our privacy may improve. One test of this prediction will be the outcome of the EU General Data Protection Regulation, which may reach a final form in 2015.
3. Retail is an ongoing target and Personal Health Information (PHI) is next – As a result of the numerous retail and financial services breaches in 2014, organizations that handle payment card data are strengthening their defenses and shortening the window of opportunity for cybercriminals, making them a less lucrative target. Unfortunately, the retail sector is massive and worldwide and will continue to be a target-rich environment. In 2015, however, well-organized cyber criminals will increasingly turn their attention to stealing another type of data that is not as well-secured, is very lucrative to monetize in the cybercrime economy, and is largely held by organizations without the means to defend against sophisticated attacks – personal information held by healthcare providers. Unfortunately, we are likely to see another series of very public breaches before many providers improve their security to effectively deal with these threats.
4. The Internet Identity of Things – Despite the publicity that software and system vulnerabilities receive, they are becoming less lucrative for criminals than social engineering and other more easily executed “trust exploits.” I saw a tweet this year along the lines of, “who needs zero days when you’ve got stupid.” The increase of machine-to-human and machine-to-machine interaction will only exacerbate this situation. As such, the authentication and identity management and governance of who, and with the Internet of Things (IoT), what is accessing our networks and data will be an increasingly critical element of security in 2015. Get ready for the Botnet of Things. When you consider this trend, the strong growth of IoT in the healthcare sector, and my PHI prediction, the ramifications are truly scary.
While we just had a change in the leadership of the U.S. Senate, I’m not hopeful that we will see a lot of change in the prospects for cybersecurity legislation in 2015. Though the subject is of critical importance for the future of all countries, it is complex and progress is difficult in the current geopolitical climate. In the absence of comprehensive legislation, industry regulators will step in to fill the void, creating a patchwork of new, potentially incompatible compliance requirements (Oh goody).
That being said, I am cautiously optimistic about the prospects for collaboration and collective progress in the private sector as companies and industries are recognizing that in the digital world, no one is an island. We’re more like an archipelago and we’re starting to build bridges. The recent growth of industry groups and Information Sharing and Analysis Centers (ISACs) is the proverbial rising tide that lifts all boats. The next step is for us to go beyond information sharing and band together – even across industries – to advocate for and lead the development of strong, global cyber policies. Because if we have learned anything over the past couple of years it’s that if anyone is going to get us out of this mess, it’s going to have to be us. May we all continue to make progress together in building a trusted digital world in 2015.
Sincerely,
Art Coviello
H13746