Dark Reading | IoT/Embedded Security

12/19/2017 04:36 PM
Joe Stanganelli
News Analysis-Security Now

My Cybersecurity Predictions for 2018, Part 1: Following Trends & the FTC

2017 was a wild ride in cybersecurity. It's looking like 2018 won't offer a calmer one.

It's that time of year again. Leaves have fallen, brick-and-mortar retailers are pumping Christmas music over their speakers and security pundits are looking to the new year with fresh batches of predictions on what to expect in InfoSec in 2018.

It's hard to predict the future. For this reason, many predictions are blindingly benign flashes of the obvious -- basic stuff like "passwords will still be problematic" and "bot attacks will increase." In McAfee's 2017 Threat Labs Predictions, the antivirus-software peddler went out on a not-so-bold limb indeed by declaring that the cloud would become a bigger target because more people and enterprises would rely on the cloud. McAfee's 2017 prediction report is chock full of several of these -- shall we say -- "high-level" prognostications.

"We will continue to see conflicts of speed, efficiency, and cost pitted against control, visibility, and security in cloud offerings." (Duh.)

"Attacks will come from all directions and leverage both east-west and north-south attack vectors." (Stop it! You're killing me!)

"[Internet of Things] device makers will continue to make rookie mistakes as they IP-enable their products." (Satire is dead.)

It's easy to pick on this particular McAfee report only because it is so voluminous. Short blog posts covering the same topics are guilty of the same sort of faux psychic demonstrations -- such as a recent item oh so eerily predicting increases in both the "cybercrime epidemic" and "the adoption of artificial intelligence" in 2018.

Rarely do cybersecurity forecasters swing for the fences -- and when they do, such predictions involve terms that can be tenuously defined. Even their bolder predictions tend to be near-binary -- predicting that there will be either more or less of something.

Usually, the guesses involve predicting more attacks of such-and-such type. Once in a blue moon, you might see the opposite, ostensibly to shake things up a bit -- and the results are usually as disastrously wrong as you might expect. For example, last year more than one cybersecurity company predicted that ransomware exploits would slow down in 2017. LOL.

To wit, there is a shortage of good annual cybersecurity prognostications that don't wuss out. I'm here to help make up for that. So here begins the first of my series of my best InfoSec predictions for 2018 -- bold, "out there" forecasts that don't bear the hedge-your-bets weaknesses of the so-called predictions described above.

I am staking my professional reputation on these honest-to-God predictions that could very well be wrong -- or could very well be right. Accordingly, to any extent that these predictions prove false, I welcome you, dear reader, to throw this article in my face with a good old-fashioned "neener neener".

2018 Prediction No. 1: Following a headline-making exploit, the Federal Trade Commission will seek to make an extremely harsh example of a major smart-device manufacturer.

If you know anything about the FTC, it's not difficult to see why the infamously regulatory-phobic Trump Administration has delayed nominating new FTC commissioners for so long.

The FTC is the uber-regulator (and, incidentally, the Uber regulator -- see: Uber Loses Customer Data: Customers Yawn & Keep Riding). It has incredibly broad enforcement and oversight powers and responsibilities spanning 70 federal laws. Most notable among these is the FTC Act, which by itself gives the FTC tremendous consumer-protection powers.

On the one hand, the FTC has long lobbied for yet more power to regulate IoT and all other things cyber -- to little avail. Cyber laws of any kind, still being somewhat of a political niche, are hard enough to push through even with bipartisan support -- especially because of the rather libertarian roots of the Internet. Last year, tough-on-crime Republican hawks could not get various anti-encryption bills out of subcommittee. Meanwhile, Senator Edward Markey of Massachusetts has advocated tougher oversight of IoT makers since shortly after his election in 2013, yet a bill he introduced that merely seeks to implement voluntary cybersecurity standards through public-private sector collaboration has seen no action since its introduction in October.

On the other hand, the regulatory agency -- in part because it has so much power and enforcement responsibility -- is stretched thin. And regulators are essentially political demagogues; they tend to not reach too far past the low-hanging fruit unless the target is quite large.

In short, the FTC is champing at the bit to get someone for a major IoT snafu -- a big someone, because the agency needs a big win to justify itself politically.

Given IoT manufacturers' long history of shrugging off white-hat security researchers and their more recent history of getting their butts handed to them by black-hat attackers, the fulfillment of this prophecy is just a matter of time. That time will be 2018.

Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer, and speaker. Follow him on Twitter at @JoeStanganelli.