
12/18/2020
10:00 AM
Pieter Danhieux
Commentary

2021 Cybersecurity Predictions: The Intergalactic Battle Begins

There's much in store for the future of cybersecurity, and the most interesting things aren't happening on Earth.

This column was written with Matias Madou, Chief Technology Officer and Co-Founder of Secure Code Warrior.

Cybersecurity predictions are something of a tradition in the security industry, as we look toward the year to come and see what may lie ahead in a field that changes constantly. Sometimes we're right, and sometimes a once-in-a-generation pandemic comes along and challenges us in ways we could never have expected.

Let's not focus on that, however. This is about 2021, and while we will take some of 2020's adaptations with us, there's a whole lot in store for the future of cybersecurity, and the most interesting things aren't even happening here on Earth.

That's right, we're predicting that 2021 is the year we take a new kind of space race into the mainstream: Keeping our galaxy safe from cyber threats.

NASA Already Employs Cybersecurity People Who Work Outside the Earth
It should be no shock that NASA employs many security experts, as well as engineers with a deep focus on fortifying NASA's software and operations to withstand the most powerful of cyberattacks.

But what might surprise is the fact that NASA employs a senior satellite engineer — 28-year-old Kenneth F. Harris II — to protect and defend satellites in orbit. Far from an automated process, Harris is a real-life Superman who stands (metaphorically) between NASA's satellites and the numerous deliberate attempts to physically attack them, in addition to helping mitigate the risk of potential cyber threats that could come from anywhere on Earth.

What's at stake if a nation's satellites are damaged? A deliberate collision, or a bad actor managing to leverage a software vulnerability, could potentially disrupt GPS networks, weather warnings and forecasts, and the communications systems we take for granted every day.

It's a threat that might literally be out of our orbit, but we're confident that security people focused on space asset protection will be a niche area that experiences big demand going forward.

Governments Are Assembling Space Forces, and They're Going to Need Security Experts
In December 2019, the US government introduced a new branch of its military operations — this time, in space. America's Space Force is a technology-centric department with a focus on preserving space as a "global commons," according to US Secretary of Defense Mark Esper: "It's important not just to our security, but to our commerce, our way of life, our understanding of the planet, weather, you name it. So, it's very important that … we now treat it that way and make sure that we're prepared to defend ourselves and preserve space," he said.

In October 2020, it was reported that as many as 130 cyber experts from the US Air Force would be redeployed to the Space Force ranks, with Maj. Gen. Kimberly Crider, Space Force chief technology and innovation officer, identifying space as "the next front of the cyber conflict."

While the USA may have been one of the frontrunners in assembling a Space Force, at a time when it might seem a little over the top and more like a comic book plot than a serious department, space cyber warfare is already a risk area, and it goes without saying that most countries will eventually follow suit with programs of their own.

Tesla Has Already Put a Car in Space While Computers Drive on Our Roads
In 2018, Elon Musk sent a self-driving Tesla vehicle into space. As of October 2020, the car, piloted by a spacesuit-clad mannequin nicknamed "Starman," has clocked 1.3 billion miles and has now cruised past Mars.

While this situation isn't a cybersecurity issue, it is curious that we've got a car doing an infinite intergalactic version of a NASCAR race, while our roads here on Earth are slowly, but surely, being populated with cars driven by computers. Anything powered by software carries at least some element of cyber-risk, and automotive software has been compromised before, with the outcome signaling the potential for catastrophe. Tesla has already been tested several times by security researchers, with one exploit resulting in the autonomous, involuntary acceleration of the vehicle from 35 to 85 miles per hour. Yikes! Still, Tesla's comprehensive security programs set a high standard for the industry in terms of testing and compliance.

Autonomous vehicles are the future of our personal travel, but all eyes will be on the software security aspect of their build as more players than the likes of Tesla enter the market, and it's likely we will see this market explode from 2021.

So Much Advancement, Yet We're Still Forgetting the Human Factor
Despite the inherent risks of brand-new tech, we are certainly in a very exciting time. Most industries are innovating with cutting-edge use of software, and we can't wait to see what's next.

However, it seems that the cybersecurity industry as a whole is a little stuck. Everywhere we turn, the most common advice for organizations that want to build more secure software is to keep buying tools, automated scanners, and other solutions that are essentially leaving it all up to robots to solve our security problems. Huge data breaches every other day prove that this approach needs a serious upgrade, and that we aren't utilizing all the options at our disposal.

Gartner's "Hype Cycle for Application Security 2020" report details a wide array of the latest security solutions; in fact, it's hard to think of a technology solution it hasn't outlined as a viable option for secure application development. It seems comprehensive, and it seems like good advice. Sadly, though, there isn't one mention of the human factor at play in secure application development, nor the immensely beneficial role that trained, security-aware developers can play in reducing common software vulnerabilities. It is by far the most economical solution for recurring software bugs, and one which would free up tools and security experts to work out the more complex problems.

Perhaps we need to end with a question, rather than a prediction. Will 2021 be the year that industry analysts keep humans front-of-mind in the race to ramp up secure software development?

Pieter Danhieux is a globally recognised security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organisations, systems and individuals for security ...