23rd November, 2020
Predicting cybersecurity trends for the year ahead isn’t usually difficult – simply extrapolate from the current possibilities. For 2021, sadly, there is no shortage to choose from in the shape of new forms of ransomware, the growth in nation-state activity and the idea of using the Internet as a delivery system for software weapons.
And yet what matters is not simply predicting events – an impossible task as these are inherently unpredictable – but understanding the deeper trends. Therefore, this article is less a series of 2021 cyber security predictions than a set of larger themes that will shape the coming year. It is not exhaustive, but it does set a realistic tone.
FROM ENCRYPTION WARS TO HIDE AND SEEK
Encryption has recently found itself caught between two opposing forces which show no sign of letting up during 2021. The first is efforts by governments to reign in end-to-end encryption by introducing surveillance backdoors into popular messaging apps such as WhatsApp.
Meanwhile, emerging encryption protocols such as DNS-over-HTTPS (DoH) and Encrypted server name indication (ESNI), used to secure DNS traffic from eavesdropping, continue to grow in popularity, becoming an embedded feature of web browsers. One backer of DoH, Cloudflare, now offers users access to private DNS alongside a free client that tunnels device traffic to the company’s network using a variant of the WireGuard VPN protocol.
Nation-states are turning their attention to these developments with Russia’s government reportedly proposing a law that would ban the use of DoH and SNI by websites in the country. For Telesoft, what matters here is how the appearance of mass traffic encryption services that operate at wire speed might be abused by criminals looking to hide their command & control traffic.
Of course, this is already possible using HTTPS, which can be countered by techniques such as JA3 fingerprinting. But DoH expands the possibilities further, as evidenced by reports during 2020 that APT groups are already experimenting with the technology to hide their activity.
IOT BOTNETS ARE OUT OF THE BOX
Internet of Things (IoT) botnets have long been theorised, but their expansion in the real world has been held back by a lack of targets beyond low-level devices such as webcams. With the surge in the number of smart home devices and medical IoT, this could be about to change and it’s one of the bigger cybersecurity trends to watch.
Rather than this leading to large botnets, it seems more likely there will be a greater number of smaller, more specialised botnets that try to obscure their activity as much as possible to remain viable. Some of these are becoming associated with nation-state attacks. As easy-to-compromise targets, home IoT devices will remain the biggest fuel for the creation of botnets. The European Union Agency for Cybersecurity (ENISA) recently proposed new guidelines that recommend that security by design be adopted in the IoT supply chain.
DOUBLE EXTORTION BECOMES PERSONAL
Ransomware usually appears in any list of cybersecurity trends and software is constantly evolving to beat counter measures. The first wave of attacks extorted victims by denying them access to their data using encryption. But as victims have grown wise and started backing up and mirroring their data, attackers have deployed a new variation of ransomware called the double extortion attack in which they threaten not only the encrypted data but to release or ‘dox’ it publicly.
In fact, ransomware has always implied data compromise, but double extortion makes that fact unavoidable. Naturally, this will continue in 2021 but perhaps we’ll see interesting doxing variations, for example releasing smaller sets of data which compromise IP, information about management, or financials, and medical data, complete with a publicity campaign to maximise embarrassment.
DATA SOVEREIGNTY AND THE CLOUD IN TECH COLD WAR
Data sovereignty has traditionally been an issue of corporate compliance, for example the need for the US companies to comply with GDPR through mediating by frameworks such as the EU-US Privacy Shield. Increasingly, there are signs that it is becoming more explicitly geo-political, with organisations coming under pressure from governments across the world to localise data.
A topical example of this is the campaign by the US Government against Chinese-owned company TikTok over the alleged access the Chinese Government might have to the data collected on US citizens. The next year is likely to bring more cases in which data sovereignty and company national ownership become entwined, especially regarding US and Chinese companies. Russia, too, has made data localisation an important element of recent legislation as it tries to wrestle control of information sources in the country.
HEALTHCARE CYBER ATTACKS TURN FATAL
It’s been clear for some time that malware attacks on healthcare put lives at risk. In 2019, one security company estimated that at least 764 healthcare providers were affected by cyberattacks in the US alone. In 2020, the first confirmed example of a fatality arrived when a German patient died after their admission to hospital was delayed by a ransomware attack that crashed their medical systems.
In this instance, the attackers reportedly stopped the attack and supplied encryption keys, but few healthcare organisations are as lucky. Reports suggest many simply pay up. At a time of pandemic pressure, it is ironic that attacks on healthcare should attract so little attention.
NATION STATE ATTACKS PROMISE VOLATILITY
One of the cheapest predictions for 2021 is that nation state activity will worsen. Given that this has been in lists of cybersecurity trends every year for the last decade, the question is: what form will this take? Increasingly, large tech companies such as Google and Microsoft track the campaigns that make up this activity using or their customers using what the latter calls nation state notifications (NSNs).
In the year to June 2020, the company issued around 13,000 of these, with the highest percentage originating in Russia, Iran, China, and North Korea, in that order. The top targets were, in order, the US, UK, Canada, South Korea and Saudi Arabia. So complex have these become, the company now plots them using a sprawling version of chemistry’s periodic table, with each threat group assigned a name based on an element.
The worry here is that nation-state attacks are slowly but dangerously becoming more like old-fashioned military action targeting ‘enemy’ infrastructure. On an Internet without rules, this would be a dangerous escalation.
BGP ATTACKS AND RPKI
In June 2020, customers using IBM data centres were knocked offline for three hours, an event eventually blamed on a major misconfiguration of the Internet’s core routing protocol, Border Gateway Protocol (BGP). It’s not clear whether this was a simple routing mistake or something more serious indicating a deliberate BGP hijacking executed at ISP level to covertly monitor traffic. But many suspected the latter.
Given the increasing number of these strange Internet routing issues in the last 15 years, this is not paranoia. Hugely disruptive, the possibilities for abuse by rogue ISPs and nation-states remains real, prompting calls for new security frameworks such as Resource Public Key Infrastructure (RPKI). More incidents are likely in 2021, strengthening the case for reform.
NETWORK DETECTION AND RESPONSE (NDR)
Every year the volume of traffic traversing the networks of communications service providers (CSPs) is growing exponentially on the back of the rapid expansion of the Internet of Things (IoT), cloud communication, and 5G traffic. This is generating huge economic, management and, ultimately, cybersecurity challenges – the more traffic and the more protocols and equipment generating it, the easier it is for threats to hide themselves inside a mass of traffic flow.
If passing malicious traffic from network to network was once acceptable, it no longer is. Every provider is coming under pressure to improve their Network Detection and Response (NDR) – the ability to detect and stop threats before they reach the customer layer. The catch is that this isn’t easy to do at line speed, or in real time. In 2021, the ability to detect, target and neutralise complex threats in high- throughput traffic will become a big differentiator for CSPs