Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT/Embedded Security

04:36 PM
Joe Stanganelli
Joe Stanganelli
News Analysis-Security Now

My Cybersecurity Predictions for 2018, Part 1: Following Trends & the FTC

2017 was a wild ride in cybersecurity. It's looking like 2018 won't offer any calmer ride.

It's that time of year again. Leaves have fallen, brick-and-mortar retailers are pumping Christmas music over their speakers and security pundits are looking to the new year with fresh batches of predictions on what to expect in InfoSec in 2018.

It's hard to predict the future. For this reason, many predictions are blindingly benign flashes of the obvious -- basic stuff like "passwords will still be problematic" and "bot attacks will increase." In McAfee's 2017 Threat Labs Predictions, the antivirus-software peddler went out on a not-so-bold limb indeed by declaring that the cloud would become a bigger target because more people and enterprises would rely on the cloud. McAfee's 2017 prediction report is chock full of several of these -- shall we say -- "high-level" prognostications.

"We will continue to see conflicts of speed, efficiency, and cost pitted against control, visibility, and security in cloud offerings." (Duh.)

"Attacks will come from all directions and leverage both east-west and north-south attack vectors." (Stop it! You're killing me!)

"[Internet of Things] device makers will continue to make rookie mistakes as they IP-enable their products." (Satire is dead.)

It's particularly easy to pick on this particular McAfee report only because it is so voluminous. Short blog posts covering the same topics are guilty of the same sort of faux psychic demonstrations -- such as a recent item oh so eerily predicting increases in both the "cybercrime epidemic" and "the adoption of artificial intelligence" in 2018.

Rarely do cybersecurity forecasters swing for the fences -- and when they do, such predictions involve terms that can be tenuously defined. Even their bolder predictions tend to be near-binary -- predicting that there will be either more or less of something.

Usually, the guesses involve predicting more attacks of such-and-such type. Once in a blue moon, you might see the opposite, ostensibly to shake things up a bit -- and the results are usually as disastrously wrong you might expect. For example, last year more than one cybersecurity company predicted that ransomware exploits would slow down in 2017. LOL.

To wit, there is a shortage of good annual cybersecurity prognostications that don't wuss out. I'm here to help make up for that. So here begins the first of my series of my best InfoSec predictions for 2018 -- bold, "out there" forecasts that don't bear the hedge-your-bets weaknesses of the so-called predictions described above.

I am staking my professional reputation on these honest-to-God predictions that could very well be wrong -- or could very well be right. Accordingly, to any extent that these predictions prove false, I welcome you, dear reader, to throw this article in my face with a good old-fashioned "neener neener".

2018 Prediction No. 1: Following a headline-making exploit, the Federal Trade Commission will seek to make an extremely harsh example of a major smart-device manufacturer.

If you know anything about the FTC, it's not difficult to see why the infamously regulatory-phobic Trump Administration has delayed nominating new FTC commissioners for so long.

The FTC is the uber-regulator (and, incidentally, the Uber regulator -- see: Uber Loses Customer Data: Customers Yawn & Keep Riding). It has incredibly broad enforcement and oversight powers and responsibilities spanning 70 federal laws. Most notable among these is the FTC Act, which by itself gives the FTC tremendous consumer-protection powers.

On the one hand, the FTC has long lobbied for yet more power to regulate IoT and all other things cyber -- to little avail. Cyber laws of any kind, still being somewhat of a political niche, are hard enough to push through even with bipartisan support -- especially because of the rather libertarian roots of the Internet. Last year, tough-on-crime Republican hawks could not get various anti-encryption bills out of subcommittee last year. Meanwhile, after years of advocating for tougher oversight of IoT makers since shortly after his election in 2013, a bill introduced by Senator Edward Markey of Massachusetts that merely seeks to implement voluntary cybersecurity standards through public-private sector collaboration has had no action on it since being introduced in October.

On the other hand, the regulatory agency -- in part because it has so much power and enforcement responsibility -- is stretched thin. And regulators are essentially political demagogues; they tend to not reach too far past the low-hanging fruit unless the target is quite large.

In short, the FTC is champing at the bit to get someone for a major IoT snafu -- a big someone, because the agency needs a big win to justify itself politically.

Given IoT manufacturer's long history shrugging off white-hat security researchers and more recent history of getting their butts handed to them by black-hat attackers, the fulfillment of this prophecy is just a matter of time. That time will be 2018.

Related posts:

Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer, and speaker. Follow him on Twitter at @JoeStanganelli.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Browsers to Enforce Shorter Certificate Life Spans: What Businesses Should Know
Kelly Sheridan, Staff Editor, Dark Reading,  7/30/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-05
An issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. It allows remote attackers to bypass intended access restrictions or to cause a denial of service on dependent routing systems by strategically withholding RPKI Route Origin Authorisation ".roa" files or X509 Certificate...
PUBLISHED: 2020-08-05
Jeedom through 4.0.38 allows XSS.
PUBLISHED: 2020-08-05
In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port 8090 of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes flip...
PUBLISHED: 2020-08-05
In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the "Forget password" feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found, a response with a `400` error code is returned, along with a error message saying that th...
PUBLISHED: 2020-08-05
Unexpected behavior violation in McAfee Total Protection (MTP) prior to 16.0.R26 allows local users to turn off real time scanning via a specially crafted object making a specific function call.