As we roll up to the end of the year it's usually time to start making predictions about what will happen next year. But since Drew and the team already did a great job of that I'll instead take a step back and take a look at the shape of the forest, rather than discuss individual trees (important as they may be).
I caught this video recently in which Tony W. Sager, chief operating officer of the Information Assurance Directorate of the NSA, discussed both the likelihood of a "digital Pearl Harbor" and his views on how to build defenses against attackers. Given his role and the kind of information he is responsible for, it's definitely worth the time to watch it.
Unsurprisingly, he's rather sanguine about the prospect of some kind of state-sponsored internet apocalypse. While a lot of our infrastructure is still vulnerable to attack (and aging faster than we can fix it), it's hard to imagine who both benefits from such a total takedown of the US and at the same time has the capability to get it done.
The real problem is that the bad guys aren't here to turn the lights off; they're here to steal the designs for building cheaper light bulbs. While the economic impact of a massive attack on our infrastructure would be huge, there is already a steady drain of R&D value being siphoned away from US businesses as a result of APTs (advanced persistent threats).
While the complexities of dealing with this "white noise" of attacks remain a constant thorn in the side of both government and private security organizations, the rules of the game are changing quickly. Cloud data stores are growing in both size and ubiquity. And if businesses had trouble staying on top of data moving out to the cloud before, the problem is going to get far more difficult to deal with over the next year or so. Consumer-focused offerings such as Box and Dropbox have already started to impact corporate security policies, and more and more information is going to be slipping through IT Security's fingers as business units and individuals take advantage of plentiful and free storage. Next year Windows 8 will deliver built-in cloud storage in the form of SkyDrive, and of course the likes of Box and Dropbox are already shifting their focus to target corporate users more directly. Apple's iCloud could also have a real impact on the way that files are stored, especially as more and more business users switch out laptops for tablets like the iPad.
It's not hard to see where these two trends collide, and what the results might be.
On the one hand, there is a steady and unrelenting wave of attacks designed to steal data from governments and businesses, perpetrated by very large numbers of state-sponsored (or at least state-tolerated) attackers. On the other hand, a trickle of unmanaged data moving to the cloud (and therefore beyond the direct control of corporate security teams) is poised to become an uncontrolled flood of information.
As "big data" gets even bigger, targets for attackers will surely shift to the places of greatest potential opportunity. Cloud data storage services represent a huge opportunity for cheap storage, sharing and collaboration. But as an industry we must quickly develop the standards and tools to ensure that when we share data in the cloud, we know who exactly we are sharing it with.