Cyberthreats for 2014: Not just the usual suspects

 


Public-sector cybersecurity experts predict that threats will not change dramatically in 2014 but will seek new platforms, including bring your own cloud, the Internet of Things and wearable computing.

January ushers in a new year, but the cybersecurity threats that come with it will for the most part look an awful lot like the ones agency IT managers already know. They will continue to morph, evolve and multiply to keep admins on their toes.

The research and analysis company Ovum predicts that 2014 will bring “more of the same,” just at higher volumes. The greater complexity of software, hardware and systems is putting a premium on automation — and on the need to protect data rather than systems, which are too dynamic to quickly defend. All of this puts a focus on the need for government to reform IT acquisition to enable a more flexible response to rapidly evolving threats.

The expanding need for threat intelligence and analytics to defend complex systems makes security as a service an increasingly attractive option. The recent award of a $6 billion blanket purchase agreement to 17 companies for security monitoring tools under the Homeland Security Department’s Continuous Diagnostics and Mitigation program is a step in this direction. But it has been hampered by uncertainty in the federal budget. “It’s critical that the program continue to move forward in a constructive way, and without budget interference,” said FireMon president Jody Brazil.

Here are some of the trends, issues and things to consider in the coming year, most of them familiar, but with one wild card.

Bring your own cloud: Threat from the perimeter

One thing that most observers agree on is that the convergence of mobile and cloud computing will present a new and unintended hybrid: bring your own cloud. End users with mobile devices will knowingly or unknowingly use consumer cloud services to store and access work data, moving it outside of the enterprise’s immediate control.

Jerry Irvine, CIO of Prescient Solutions, calls the convergence, “an issue that is bringing in security risks.” As consumer cloud services move data out of the enterprise, mobile devices also provide new routes into the enterprise.

This is another example of the disappearing perimeter, says Paul Christman, Dell Software’s VP for the public sector. He calls the convergence a profound shift that will require greater attention to the security and management of mobile devices in the workplace, whether government-issued or BYOD.

“It represents another vector by which valuable government data can be lost or stolen,” said Paul Royal, associate director of the Georgia Institute of Technology’s Information Security Center.

That vector also puts an emphasis on managing devices and protecting the data itself, no matter where it is stored. “The cost of doing this is coming down,” Christman said, but the technology is not fully mature. Manoj Nair, general manager of RSA, said open and extensible security features for mobile devices are needed and called for Apple to open its iPhone 5s biometric to developers.

Information sharing: Even more problematic

To make the most of information in enhancing situational awareness, it should be shared, but this proves surprisingly difficult. It is not so much a technical problem as a people problem, and a lot of people have been disturbed by recent revelations about the National Security Agency’s freewheeling digital information gathering.

Bit9 CSO Nick Levay says that cooperation between the public and private sectors was strong in 2013 but that reports that NSA has been tapping fiber-optic cables as well as gathering data directly from carriers could sour relationships. Major online players have been embarrassed by news that makes it seem that they either are in bed with the NSA or are not doing enough to protect their networks and data.

Customers will demand greater transparency from their technology providers, says former White House advisor Howard Schmidt, now executive director of SAFECode. “Companies, individuals and governments reeling from the surveillance disclosures will increase and expand their use of encrypted products, keys and data flows to try to get a better handle on controlling their information.”

This is good security, but protection may well take a back seat to cooperation in the coming year.

Security on the Internet of Things: An afterthought?

The Internet of Things is more than a buzzword; it is becoming a reality.

“More and more devices will be connected to the Internet,” said Georgia Tech’s Paul Royal. Increasingly, they will be communicating with each other without going through their users or administrators. “We need to have a thoughtful understanding of what the security implications might be.”

As these interacting systems become more diverse and complex, the focus of security will have to shift from the systems to the data they house and use. Royal said he is afraid that security will be a secondary consideration in the process of wiring (and unwiring) the world, and will not be taken seriously until there is a crisis. “Same old, same old, I’m afraid.”

Critical infrastructure: An increasingly visible target

Threats to the critical infrastructure are closely related to the Internet of Things. The nation’s power grids, financial systems and utilities all are becoming networked, often linking control system software that was never intended to be exposed to the Internet. Research on vulnerabilities will lead to increased exploits of this critical infrastructure, says Schmidt. 

Although malicious exploits so far have been few, breaches and compromises in critical systems have been reported. The financial services sector, which is heavily regulated, has the most mature security posture, but “all areas need to awaken to the problem,” says Bit9’s Levay.

The National Institute of Standards and Technology is developing a cybersecurity framework for critical infrastructure under a presidential policy directive, but compliance will be voluntary. Control system software and device firmware need the same level of scrutiny as higher level software, Schmidt says.

The wild card: Wearable computers

The idea of wearable computers has been around for a while, but it is now moving from fiction to production. Samsung has its Galaxy Gear smart watch and Microsoft is prototyping its own smart watch, while Google is beta testing its Google Glass.

The concept is not yet fully baked, said Prescient’s Irvine. But half-baked or not, it looks as if it is here. “I am a new owner of Google Glass,” he said.

So far, attention to security in these devices appears to be minimal and the introduction of wearable technology can make the mere presence of an individual a cybersecurity risk. “This is not a risk that can be addressed by automation,” Irvine said. “It requires policy.”

RSA’s Nair predicts that “2014 looks to be the year when the wearable trend goes mainstream for government,” and other markets. “Vendors should be looking to build security into their wearable devices and applications now — and not view security as an afterthought. Otherwise, a trend for 2015 could be the stories of personal information being leaked from these devices.”
