This is not going to be presented in chronological order folks, so I apologize ahead of time if my thoughts provoke some confusion. It was a busy year in cyber, and there were a lot of interesting developments.
First, we still have never determined who was the original designer/employer of Stuxnet. This worm has opened up the eyes of lots of folks who doubted that cyber would ever be much of a threat. The fact that now everyone realized that industrial control systems (even those air gapped like the Iranian nuclear network) can be attacked and that physical damage is very doable with cyber means. A cousin of Stuxnet – DuQu – was found, but we couldn’t really tell what it was for. Was it a precursor or a successor? One researcher claimed that DuQu was a recon tool for Stuxnet, and proposed that Conficker (the largest botnet that we still don’t have a purpose for) was actually a deployment means for Stuxnet, and that there might be other weaponized variants out there waiting to be used. Lots to ponder there.
Staying on the SCADA track, there was an alarm sounded when a report came out saying that a water treatment facility was hacked and a pump damaged. It turned out to be a false report and had been released prematurely. Just when everyone gave a sigh of relief, a water facility in another state was hacked by someone just to show it could be done. More SCADA events will happen this year.
Social media played a huge role in the world. Its effect was given credit for the Arab Spring. It certainly played a role (a pretty big one), but it still takes brave people to stand up to tyrants. In addition to taking out several leaders, and making many others seriously consider change (or unfortunately increased repression), social media also took down a U.S. Congressman who thought sexting is a good idea for married public figures (women are not that easily impressed guys, get over it). A Tweet also gave the Nation its first notice that UBL had been killed. Well done, SEALs.
Three growing tech trends continued to grow. Mobile computing is exploding and is unlikely to slow down. The security issues are significant, but most folks don’t seem to care. We really need to get our arms around this soon. Smart Phones and Tablets are computers, and fairly powerful ones at that. They must be protected because we are using them more and more, and the Bad Guys know it.
Cloud Computing is still growing also, but not as fast as one would think. There is lots of talk in this area about security, but much of it is FUD. Cloud providers and their customers need to be very serious about security. If the bad guys get into the cloud, they get a very lucrative target, but it is tough to do. The Cloud actually adds security in a lot of ways, and that should be acknowledged. It also saves huge amounts of money, is good for the environment, and uses computing power efficiently. It gives little companies power, and large companies flexibility and savings.
The Smart Grid is another technology that is not going away. Professionals are very concerned about the potential security vulnerabilities, but the public is largely oblivious to the entire issue. They shouldn’t be; this is a big one.
There were still no (obvious) terrorist acts using cyber as a modality. I still think one is coming. The closest we came is the hacks made by Anonymous, but targeted theft of personal data is an old-fashioned crime, not really terrorism. The elegance of striking through cyber means and the potential for going after SCADA systems is such an obvious terrorist action, I am still baffled (and grateful) that none have occurred.
What about the future? We still do not have the needed Awareness and Education programs that everyone agrees we must develop. It is badly needed. Likewise, we need legislation to force some of the stovepipes to break down and to give industry the direction it needs. That said, everyone is scared to death that if Congress does act, it may do more harm than good. We should see something this year; one hopes it is a good result.
Big Data plays seem to have potential to aid in securing our networks, so keep your eye there. More schools are trying to educate professionals and policy makers about cyber (I teach in a Homeland Security Management Masters program, and they are adding a certificate in Cyber Security Policy with a separate Masters to follow). Additionally, I still think we’ll see a major (negative) cyber event this year. It will involve one of our major infrastructure sectors. It will not be a national-level take down (that is tough to do, and those nation states with the capability have no interest in trying it), but will likely be aimed at a city or a circumscribed region.
I must end with a note that the cyber world lost one of its visionaries when Steve Jobs died. He opened up the cyber world to enormous numbers of people who would never have played in the arena were it not for the tremendously innovative devices he pioneered. Some might say he opened Pandora’s box, but I think that is backward thinking. He opened a door – we need to learn how to walk through it and operate safely.
It should be another interesting year. Be wise and be safe as you maneuver in the Cyber Realm.