Some argue that the number of reported data breaches in 2018 is the result of GDPR’s requirements. Still, the cascade of recent breach reports suggests that 2019 might be a tough year for cybersecurity. I asked our CISO/VP of Operations Joan Pepin and Security & Engineering Operations Director Duncan Godfrey about what we might expect.
".@auth0’s @CloudCISO_Joan and Security & Ops Eng. Dir. @duncangodfrey share their Top 5 Cybersecurity Predictions for 2019."
1. Reduced Security Spend Will Lead to Economically Motivated Cybercrime
Economic indicators in the US and globally do not look good, with tech companies having borne the brunt of recent market corrections, says Auth0 CISO/VP of Operations Joan Pepin. “I predict that 2019 will be a difficult year for security funding, and companies across the spectrum will freeze or reduce Information Security spending. An increase in economic hardship and a reduced defensive posture will therefore probably lead to more economically motivated cybercrime in 2019.”
2. Information Warfare to Target U.S. Companies, Specifically Defense and Communications
“We may be entering a new cold war with China, as the trade war continues, now inflamed by actions taken against Huawei by Canada and the US,” says Joan. “I expect this to lead to increased cyber activity by the already rather active Chinese government, which may expand its operations to include more Russian-style disinformation and information warfare. Look for major U.S. companies, especially large defense and communications providers to be the targets of this activity in 2019.”
3. Kubernetes Vulnerabilities Lead to the Year of the ‘Big Container Escape’
When ZDNet reported a major security vulnerability with Kubernetes containers early in December 2018, they noted that “Kubernetes has become the most popular cloud container orchestration system by far, so it was only a matter of time until its first major security hole was discovered.”
That nothing in software is perfect is accepted news for devs and enterprises, but it’s also becoming an accepted thing for consumers (see prediction #4).
The Kubernetes privilege escalation flaw is a big deal, but it’s only the latest in the system’s discovered flaws, says Auth0 Security & Engineering Operations Director Duncan Godfrey. “Continued vulnerabilities to be found in Kubernetes infrastructure and the big one in 2019 is the Year of the Container Escape.”
4. Cybercrime Accepted as ‘Cost of Doing Business’ by Consumers
Despite multiple open investigations into Facebook’s series of breaches and sharing of personal data with other corporations without users’ permission, Joan doesn’t predict a permanent impact for the company — because consumers are reacting more like businesses (and Facebook’s attorneys will do their jobs).
Joan offered an example from her years as an outsourced security provider for an incident response company for Fortune 100 and Fortune 500 companies.
A major investment bank was having a massive issue of being dossed and having public-facing servers being breached. While on a conference call with all their vendors, including Cisco and Checkpoint and 30 bank vice presidents, the bank’s CTO said he had one question: “Is this happening to anybody else?”
Before Joan answered, she asked if he was going to divert the team to answer the question and if the answer was “yes,” what did he plan to do differently? He said if the answer was “yes,” he would “feel better” — a prime example of an enterprise settling into the cost of doing business online (although whether or not he needed to accept that particular cost could be debated).
“Having your identity stolen is horrifying for the individual, but my observation is that it’s perceived differently when lots of people are affected. After a breach, people don’t change their habits. People still shop at Target, stay at Marriott, and share information on Facebook. I’m not a psychologist or neuroscientist, but these facts lead me to believe that the trend of consumers accepting cybercrime as a cost of being online will continue into 2019.”
Because companies are not economically motivated to change and consumers may not feel empowered (let’s face it, the tiny payout from a class-action lawsuit won’t pay for the damage and heartache of having your identity stolen), Joan expects regulators to step in, which leads us to Prediction #5.
5. Expect More Data Privacy Regulation
Shortly after the Marriott Mega Breach, the UK, the FBI, and three U.S. states opened investigations. The Marriott stock dip identified in many news stories, parallels that of the U.S. stock market, says Joan. Fines can function as a partial deterrent, but investigation and regulation move at a much slower pace than the agile tech lifecycle — the business consequence often lags far behind the technological changes needed.
GDPR is delivering an increase in reported breaches, but not clearly within the regulation’s 72-hour breach-reporting requirements and recent regulation in Australia demonstrates more than a sync problem — the way that Australia’s new backdoor requirements are written cripple tech’s ability to function securely, says Joan. Recent U.S. Senate hearings demonstrate that many of the legislators in charge of regulating tech require greater understanding and education.
The answer, says Joan, would be for the tech industry to have greater input into educating those in charge of the regulations, followed by rational debate, and empowered law enforcement.
Regardless of whether or not the tech industry can influence these ideal conditions, all signs suggest we should expect greater regulation in the U.S. in 2019.
"The economy, kubernetes vulnerabilities, and consumer complacency could equal more regulation in 2019 says CloudCISO_Joan and Security & Ops Eng. Dir. @duncangodfrey."
Auth0 provides a platform to authenticate, authorize, and secure access for applications, devices, and users. Security and application teams rely on Auth0's simplicity, extensibility, and expertise to make identity work for everyone. Safeguarding billions of login transactions each month, Auth0 secures identities so innovators can innovate, and empowers global enterprises to deliver trusted, superior digital experiences to their customers around the world.