In 2003, the international stage was dominated by the drumbeat of war and the US/allied invasion of Iraq. In science, the Human Genome Project was completed after more than a decade of work. In technology, Apple released the Panther version of its OS X operating system. It was also the first year that Infosecurity magazine was published, and the decade since has witnessed events that have fundamentally altered the information security landscape.
Some events were so large that they completely transformed the industry; others have been just a piece of a larger trend. If one thing is certain, it’s that choosing just a handful of milestones for this decade-long retrospective was no small task.
First, the methodology: As deputy editor of Infosecurity, I was keenly aware that I have been with the magazine for only the last three (almost four) years, so any significant events before my arrival might not receive the attention they deserved. That’s where the help of the industry, our editorial advisory board, and our editor, Eleanor Dallaway, came into play. With their recommendations, I have compiled this list of the seminal events and trends impacting the industry over the last 10 years. I have ranked them in order of importance based on this feedback, culminating in what may be the most impactful in the final slot.
Have we missed some things? This much is a certainty, but so is this: all of the items you will read in this review have – in one way or another – had a profound influence on our readers’ lives, both personal and professional.
The NSA, GCHQ, and Edward Snowden
We start off this countdown with our most recent event of note, which requires little in the way of explanation. The revelations from former NSA contractor, Edward Snowden, receive first mention mostly due to timing. We know this is important, and has the potential for sweeping changes in how privacy and security are approached, but not enough time has elapsed since Snowden first told the Guardian in June 2013 about the NSA’s program to collect cellular call metadata to truly gauge the long-term ramifications.
Since then, Snowden has disclosed a litany of surveillance programs operated by the US and UK governments, each one damaging the reputation of the NSA and GCHQ. A brief cross section includes: Operation PRISM, a program by the US and UK governments that collects private data from web services; XKeyscore, a system that allows NSA analysts to search through vast databases of emails, online chats and browsing histories; Operation Tempora, whereby GCHQ has tapped hundreds of undersea fiber cables to monitor data transmissions; and, among the most recent allegations, that the NSA and GCHQ have been hard at work on methods to control and crack the cryptographic keys protecting information.
“There’s an assumption that the government are out there wheeling and dealing your data, but nothing could be further from the truth”, said Gen. Keith Alexander, head of the NSA, in an address to attendees at this year’s Black Hat conference in Las Vegas. Alexander told the audience that proper oversight mechanisms are in place to safeguard privacy and that “collection is focused and purely about counter-terrorism”. Countless industry observers and civil rights advocates dispute these claims, even as the NSA chief explained to the US Congress that such programs have thwarted dozens of terrorist attacks – both domestically and abroad.
On the enterprise front, Forrester analyst James Staten predicted that US cloud service providers stand to take a 20% hit on their future revenue generation abroad, especially given competition from European providers that operate under a stricter regulatory framework with respect to data security. An August 2013 report by the Information Technology & Innovation Foundation sounded a similar alarm. While stressing that its predictions were preliminary, and based on assumptions about the US government’s response to PRISM’s disclosure, the ITIF estimated that US cloud providers could lose 10–20% of their business to European and Asian service providers, for a total estimated $21.5–35 billion in lost revenues.
“The key question is not whether the unmasking of Operation PRISM will influence businesses’ decisions as to where to store their data”, said David Gibson, a vice president at security vendor Varonis, in responding to these figures. “The more important decisions involve how they monitor and secure their data, regardless of where it lives.”
Stuxnet and the Rise of Weaponized Malware
It was November 2010 when the Iranian government confirmed that the Stuxnet worm derailed the country’s nuclear enrichment facility in Natanz, setting the program back by years. With it, the first highly publicized case of weaponized malware was unleashed, most certainly through the cooperation of the US and Israel. It was a landmark confirmation amid the hype surrounding the idea of ‘cyber war’ or, as both security vendor Sophos and I prefer to say, ‘cyber campaign’.
Stuxnet is a highly complex piece of malware designed to infect and reprogram industrial control (SCADA) systems, and in this case it caused the centrifuges that enrich uranium to spin at such a speed as to render the material useless for nuclear capabilities. It marked the beginning of what Kaspersky Labs called at the time “a working prototype of a cyber-weapon that could lead to a cyber-arms race”. Eugene Kaspersky, the company’s founder, described Stuxnet as the “opening of Pandora’s box”.
Kaspersky’s assessment may be more confirmation than revelation, but Stuxnet did provide concrete evidence that governments have used, and will use, cyber capabilities to engage in military-style operations without firing a shot or deploying a single troop.
Mark James, technical director of ESET UK, points to Stuxnet as a significant milestone in malware development, marking its transition from data-stealing origins to more intricate deployments. “We have seen a profound change in the way malware is created, spreads and behaves”, he told Infosecurity, adding that, in the cases of subsequent cyber-espionage malware like Ramnit and Duqu, “millions and millions of dollars are being invested in development. The evolution of malware from a state requiring little or no user interaction to today’s complex forms…has shaped the cybersecurity industry into what we know today”.
Google, Operation Aurora, and the APT
Advanced persistent threat, or APT, is a commonly deployed buzz term that continues to dominate the information security industry. The label itself, however, had its popular origins in the analysis issued by McAfee in January 2010 about a long-term cyber-espionage campaign allegedly perpetrated by sources within China. The Chinese government, in a standard response, denied any involvement in the campaign.
McAfee may not have coined the term ‘APT’, but Operation Aurora – attacks targeting more than two dozen technology companies, including Google – put the concept squarely into the lap of the information security practitioner, and right through to today it remains a mainstay of vendor marketing.
Operation Aurora was significant not only because of what it was, but also due to the openness of Google in disclosing how it was affected by the long-term data loss that resulted. The company confirmed in January 2010 that the attack was designed to steal its intellectual property, in addition to accessing the Gmail accounts of several Chinese political dissidents. The attacks were made possible by exploiting a zero-day flaw in Microsoft’s Internet Explorer, and remain a turning point in how organizations approach information security programs. It was the beginning of a new philosophy toward data protection: one that assumes if your organization maintains any data, compromise of this information is a matter of when, not if.
The McAfee report and its revelations are also significant because they marked the start of a years-long faceoff between Chinese government officials and their regional and Western counterparts, especially the US, that continues to this day. With each subsequent report about alleged China-based cyber-intrusions, leaders of both governments issue warnings and rebuttals, while enterprises prepare as best they can to defend against the industrial espionage they most assuredly will face.
Mobility and BYOD
Perhaps no trend has dominated the last decade of information security like that of increased mobility in computing, and along with it, the accompanying consumerization and bring-your-own-device (BYOD) policies. There was a time, not too long ago, that all hardware used within an organization was issued by the enterprise’s IT shop, but as survey after survey reveals, the use of consumer-based technology for work purposes will soon be the rule rather than the exception.
Therefore, it comes as no surprise that this confluence of trends is the most significant development on this list, as it was cited in nearly all the feedback I received from the sources consulted to develop it.
Mobility, consumerization and BYOD have complicated some of the issues previously cited in this decade-long retrospective, as Darren Anstee, a solutions architect from Arbor Networks, points out. He reflects on the past decade, the evolution of malware, and APTs, and notes that, combined with the increased pace of mobility in recent years, it has “threatened the security of businesses’ customer data and intellectual property.
“This has been exacerbated by the way in which our service and network architectures have evolved; increasingly mobile workforces, use of cloud services and a preference for BYOD bring new challenges to the monitoring and control of business applications and data”, he observes. “These changes, and the softening of the network perimeter that has occurred due to them”, he adds, “have raised the priority of security in recent years, leading to much more C-level focus.”
This last point is an important one, and perhaps is the most profound effect of any trend to hit the information security landscape over the last decade. Increased mobility, APTs, weaponized malware, compliance requirements…the list seems nearly endless. They have all contributed to increased complexity that complicates the daily lives of professionals who work in the information security field. Yet, due to these developments, awareness of these issues among end-users, executives, and the general public has increased in tandem. It has led to an explosion in the need for industry professionals, and put the discipline of information security into the mainstream consciousness.
Hacks, data breaches, insider threats – they are all contributors to increasing the blood pressure of industry practitioners. But without them, the jobs information security professionals occupy would be minimized rather than elevated. If one thing is clear from taking a look back at the last decade within this industry, it’s that now, more than ever, protecting information could not be a more critical and useful profession.