With the cyber landscape continuing to evolve at a remarkable pace, just what the future has in store for cybersecurity is a much-debated question. It was also the topic of discussion in a panel at IP Expo Europe today featuring some of the biggest names in the industry.
Chair Rory Cellan-Jones asked the panel to share what frightens them the most about what’s coming in the next three to five years.
“The worst of the worst are attacks on systems and devices that are critical,” said Eugene Kaspersky, CEO and chairman of Kaspersky Labs. “Attacks on power grids, attacks on the Internet of Things – the things we depend on.”
"I am most frightened of cyber-mercenaries – the worst case scenario is the very bad guys hiring professional cyber-criminals to do their work", he added.
“For me the big concern is looking at the whole landscape of different devices, the weird connected junk from Wi-Fi toothbrushes to cars” said James Lyne, global head of security research at Sophos. “What scares me is that, as a society, we depend on all of this stuff more and more – this tech is becoming a founding pillar of everything we do.”
He further claimed that "it seems like we are so obsessed with building bigger and bigger boats to carry us to new places, whilst we are completely ignoring the fact we are also making the holes bigger, re-opening old wounds."
“The average consumer really isn’t to blame if they’re plugging in a Wi-Fi kettle and not thinking of it as a computer,” he continued. “There needs to be a greater burden put on the vendors to recognize these issues.”
For Joshua Corman, director of the Cyber Statecraft Initiative at the Atlantic Council, the biggest worry is when data threats affect flesh and blood, with a particular focus on the vulnerabilities of hospitals, he said.
“I’m most concerned about hospitals, they typically have zero specialized security staff, they often use Windows XP, they never patch anything. If I was an attacker, the easiest target for me would be the hospital.
"We’re seeing huge amounts of hospitals fall victim to ransomware, with real damage being done to patient care. Hospitals are having to pay out a lot of money to get their systems back – thousands and thousands of hospitals are paying ransoms.
“I’m so tired of talking about the risks to credit cards, and never talking about ensuring medical data is kept safe,” he added.
Interestingly, Trend Micro’s Rik Ferguson took a slightly different approach, revealing that what scares him the most are all the people who work in security and are responsible for keeping their company’s data safe.
“You’re not really doing a very good job,” he argued. “Attacks like TalkTalk and Yahoo are prime examples. Those kind of attacks should not be possible in 2016, a single injection attack should fail, but because enterprises are not doing enough with basic security these attacks continue.
“How many enterprises can say, hand on heart, all of their data is encrypted? It’s a security basic, as is multi-factor authentication – yet these things are simply not rolled out.”
So what of the adversary? Jones asked. Who is the real enemy going forward, what are their capabilities and are we helpless to stop them?
Kaspersky explained that a significant threat both now and in the future are nation-state attackers, and whilst it’s difficult to pinpoint exactly where they come from, there are often clues left behind that shed a little light on their origin, such as the languages used by the hackers.
“The most common languages we see are native English, native Russian and simplified Chinese,” he said.
“One of the main problems here,” added Corman, “is that vendors often refer to state-sponsored attacks as ‘sophisticated’ but most of the successful attacks are very simple. We get distracted by the bright headlines.”
These were sentiments echoed by Ferguson, who argued that the term nation-state is often used as a 'duck's back' by companies to deflect blame and allow accusations of complacency to dissolve.
“For me it’s about changing the mindset and reducing fear by getting rid of complacency. We need to build security from the center – secure our data and build out to the edge.”