04:36 PM
Joe Stanganelli
News Analysis-Security Now

My Cybersecurity Predictions for 2018, Part 1: Following Trends & the FTC

2017 was a wild ride in cybersecurity. It's looking like 2018 won't offer any calmer ride.

It's that time of year again. Leaves have fallen, brick-and-mortar retailers are pumping Christmas music over their speakers and security pundits are looking to the new year with fresh batches of predictions on what to expect in InfoSec in 2018.

It's hard to predict the future. For this reason, many predictions are blindingly benign flashes of the obvious -- basic stuff like "passwords will still be problematic" and "bot attacks will increase." In McAfee's 2017 Threat Labs Predictions, the antivirus-software peddler went out on a not-so-bold limb indeed by declaring that the cloud would become a bigger target because more people and enterprises would rely on the cloud. McAfee's 2017 prediction report is chock full of several of these -- shall we say -- "high-level" prognostications.

"We will continue to see conflicts of speed, efficiency, and cost pitted against control, visibility, and security in cloud offerings." (Duh.)

"Attacks will come from all directions and leverage both east-west and north-south attack vectors." (Stop it! You're killing me!)

"[Internet of Things] device makers will continue to make rookie mistakes as they IP-enable their products." (Satire is dead.)

It's particularly easy to pick on this particular McAfee report only because it is so voluminous. Short blog posts covering the same topics are guilty of the same sort of faux psychic demonstrations -- such as a recent item oh so eerily predicting increases in both the "cybercrime epidemic" and "the adoption of artificial intelligence" in 2018.

Rarely do cybersecurity forecasters swing for the fences -- and when they do, such predictions involve terms that can be tenuously defined. Even their bolder predictions tend to be near-binary -- predicting that there will be either more or less of something.

Usually, the guesses involve predicting more attacks of such-and-such type. Once in a blue moon, you might see the opposite, ostensibly to shake things up a bit -- and the results are usually as disastrously wrong as you might expect. For example, last year more than one cybersecurity company predicted that ransomware exploits would slow down in 2017. LOL.

To wit, there is a shortage of good annual cybersecurity prognostications that don't wuss out. I'm here to help make up for that. So here begins the first in my series of best InfoSec predictions for 2018 -- bold, "out there" forecasts that don't bear the hedge-your-bets weaknesses of the so-called predictions described above.

I am staking my professional reputation on these honest-to-God predictions that could very well be wrong -- or could very well be right. Accordingly, to any extent that these predictions prove false, I welcome you, dear reader, to throw this article in my face with a good old-fashioned "neener neener".

2018 Prediction No. 1: Following a headline-making exploit, the Federal Trade Commission will seek to make an extremely harsh example of a major smart-device manufacturer.

If you know anything about the FTC, it's not difficult to see why the infamously regulatory-phobic Trump Administration has delayed nominating new FTC commissioners for so long.

The FTC is the uber-regulator (and, incidentally, the Uber regulator -- see: Uber Loses Customer Data: Customers Yawn & Keep Riding). It has incredibly broad enforcement and oversight powers and responsibilities spanning 70 federal laws. Most notable among these is the FTC Act, which by itself gives the FTC tremendous consumer-protection powers.

On the one hand, the FTC has long lobbied for yet more power to regulate IoT and all other things cyber -- to little avail. Cyber laws of any kind, still being somewhat of a political niche, are hard enough to push through even with bipartisan support -- especially because of the rather libertarian roots of the Internet. Last year, tough-on-crime Republican hawks could not get various anti-encryption bills out of subcommittee. Meanwhile, Senator Edward Markey of Massachusetts has advocated for tougher oversight of IoT makers since shortly after his election in 2013, yet a bill he introduced that merely seeks to implement voluntary cybersecurity standards through public-private sector collaboration has had no action on it since being introduced in October.

On the other hand, the regulatory agency -- in part because it has so much power and enforcement responsibility -- is stretched thin. And regulators are essentially political demagogues; they tend to not reach too far past the low-hanging fruit unless the target is quite large.

In short, the FTC is champing at the bit to get someone for a major IoT snafu -- a big someone, because the agency needs a big win to justify itself politically.

Given IoT manufacturers' long history of shrugging off white-hat security researchers and more recent history of getting their butts handed to them by black-hat attackers, the fulfillment of this prophecy is just a matter of time. That time will be 2018.

Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer, and speaker. Follow him on Twitter at @JoeStanganelli.
