One Person’s Opinion on Cybersecurity in 2020: Part 1 (What Will Happen)

Tim Junio, Expanse Co-Founder and CEO

People love stories, so here are some stories about the future based on what I learned last year. I’m the CEO of Expanse, which sells Internet Operations Management software to cybersecurity buyers at the world’s largest companies and government agencies.

In this article, Part 1, I highlight five consequential things that I think will happen in 2020. In Part 2, I’ll write about some trends that I think are hyped and will not matter much this year.

1. Fragmentation of the Internet is going to accelerate.

The Internet is being divided into various interconnected networks, or Internets. This is not totally new; we saw the beginning of governments regulating Internet content in the ’90s.

The problem is getting worse though, with democratic governments expanding their scope of regulation and authoritarian governments conducting aggressive surveillance.

GDPR and other regulations in the EU have created one of the world’s most prohibitive Internet zones; the EU now has authority over IP and domain registration data, consumer web data, and more.

China evinces Orwell’s prescience every day with its government’s use of smartphone applications, distributed sensing, machine intelligence, embedded carrier and ISP surveillance, and corporate partnerships to monitor citizens and limit their access to foreign information.

The challenge extends to other geographies, like Russia and India, both laying their path to separate Internet regulatory environments. Other countries will surely follow.

2. We will see attacks on AI/ML systems in the wild.

The application of artificial intelligence to everyday business problems is one of the defining technology transformations of our time. It’s similar to the advent of basic statistics, which was first a niche in the workplace, and ultimately democratized to the degree that every employee has basic statistical analysis software on their desktop.

Like many early technology adoptions, the security consequences of AI/ML have not been worked out. Most research focuses on adversarial inputs to fool AI/ML systems and create an undesired response from the associated platform. For example, unusual inputs can cause image recognition software to fail to correctly classify an object.

The year 2020 will be the first in which we see meaningful attacks against production, real-world – not research environment – AI/ML systems. While the world is generally early to adopt AI/ML, in high-tech societies AI/ML software is already embedded in our smartphones, autonomous vehicles, unmanned aircraft, surveillance cameras, and payment systems.

What kind of system will be subject to the first software-based attacks of consequence is hard to say, but it’s worth noting that contested political environments may be testbeds for early AI/ML system hackers. The protests we’ve seen in Hong Kong are a potential case; many people have a strong interest in circumventing facial recognition in public areas.

I bet we’ll see practical attacks in those kinds of environments in 2020, which matters much more than the iconic hacker model of someone trying to make a name. I also think what we observe will be Darwinian; the first successful AI/ML security events may be accidental or random, but then knowledge of the method will be rapidly shared among an interested community.

3. “Hybrid” will remain the dominant operational network architecture.

Conventional wisdom among tech journalists holds that big companies, and the government with its JEDI program, are migrating to commercial clouds and building all-new capabilities there. I call it the cloud migration myth. It’s true of only a small number of organizations, and “cloud-native” is a status reserved for relatively early-stage tech companies.

But the reality is that, as much as enterprise IT staffs would prefer to simplify and consolidate their networks, business needs outpace what networking teams can deliver, and legacy systems are not being retired at a fast clip. Political factors also stand in the way of realizing the cloud migration dream, like CEOs fearing to give Jeff Bezos all their data, the need to sign up for less popular cloud services for the sake of other business relationships, or legal mandates for geographic data segregation.

In practice, the vast majority of large organizations have a complicated mix of environments – on-premises, multi-cloud, co-location facilities, corporate data centers, regional offices, vendor/ISP-operated. The classic enterprise enclave network model that many organizations still attempt to plan and operate under is therefore eroding. As some marketing folks in the industry have aptly recognized, the Internet (or, soon, Internets) is the corporate network, as software is increasingly used to govern what is going where over semi-public networks.

4. Time to replicate Internet attacks will continue to fall.

Internet-facing exposures are particularly risky because anyone on the planet can attempt to exploit them. IT staffs can buy some time when an exposure is only inside the enterprise network; when the exposure is on the Internet, time is a mortal enemy.

The last few years have seen a spate of exploits against Internet-facing targets, like BlueKeep and EternalBlue, and Internet-propagating malware, like WannaCry and Mirai. When malicious actors start using Internet exploits opportunistically – looking for any vulnerable systems – the rest of the world is able to observe those activities. This is because many organizations, including criminals and government agencies, run honeypots to measure Internet background noise.

What we observed in recent Internet-facing incidents is that bad people are replicating the activities of other bad people with alarming and increasing speed. When the Mirai worm was widely used in 2016, it took about a month for others to replicate the exploit and start deploying their own software to take control of IoT devices over Telnet (a legacy, unencrypted remote access protocol). When EternalBlue was used, we saw variants pop up within a couple of weeks. We have not (yet) observed similar replication of BlueKeep, but I think that will prove to be an exceptional case.

In 2020, new Internet Asset exploits will surely be discovered, and some of them will be used to bad ends. I think we’ll start to see reuse of associated malware within days, and maybe it’ll be the first year we see mimicry within hours.

5. There will be a major supply chain security incident.

Remember the (in)famous 2018 Bloomberg article about Super Micro, which alleged that Chinese intelligence had implanted surveillance devices in data centers in the United States? Ultimately, no public evidence emerged to support the claim.

I think another version of the story (involving other companies, implants, and maaaaybe another adversary) will be written, and its accuracy will be verified next time. For a long time in the cybersecurity industry, we’ve known hypothetically that suppliers can be the weakest link for large global business operations and intellectual property protection. Public examples of consequential breaches are surprisingly few. I suspect many have happened but were privately settled between the companies.

I think things have changed going into 2020. Over the last five years, companies have taken notice of the breaches against Sony, Equifax, Capital One, Office of Management and Budget, and many others that originated over the public Internet. This has resulted in large companies buttoning themselves up and reducing their attack surface.

The basic shift in mindset regarding cyber hygiene – that every company is an opportunistic target if it has assets exposed on the Internet, and the time to exploit an Internet exposure has dropped dramatically – has not cascaded to smaller businesses with less awareness of, and fewer resources for, cybersecurity.

This implies that the kinds of opportunistic attacks referenced above will be successful against smaller businesses, and there will be a lag before they catch up to modern cybersecurity practices. The gap will be a costly one in inelastic market circumstances; the loss of a key supplier can suspend business operations. And a breach at a supplier that handles critical data could mean the loss of core intellectual property.

While we are already seeing customers diversifying their supply base to avoid such circumstances, it is a business reality that, in some cases, supplier concentration also creates economies of scale and other efficiencies. Because risk management has little data to work from, some companies are going to get the tradeoff between security and COGS (cost of goods sold) wrong, and it’ll cost them. I think at least one of those events will happen this year.