The information security industry is going to spend the next ten years solving the problems of the last twenty, finds Danny Bradbury
Why did the Roman god Janus have two faces, one looking forward, and one gazing backwards? Because the god of beginnings and endings, of transitions and time, recognized that we can’t know where we are going unless we know where we came from. This applies when trying to predict the future. The chances, say experts, are that we’re going to spend the next 10 years focusing on problems that we spent the last 20 years screwing up.
It would be nice, for example, if we’d solved one of the main computing problems: confirming who we are. But we haven’t. When a hashed version of LinkedIn’s stolen password stash was publicly posted and analyzed last year, the most common password used was ‘link’. The second most popular was ‘1234’. So before we start predicting embedded chips under the skin to open doors, let’s take a step back.
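The LinkedIn analysis above was possible because the leaked digests were unsalted, fast hashes: every user who chose ‘link’ produced the same digest, so the most frequent digests were the most popular passwords before anyone cracked a single one. The following Python is an added example, not code from the article; it assumes unsalted SHA-1 for the leaked file and uses a small constructed set of hashes in place of the real dump.

```python
"""Why a leaked, unsalted hash dump can be 'analyzed' for its most common passwords.

Added example, not from the article. Assumes the dump holds unsalted SHA-1
digests (one per account). The plaintexts below exist only to construct the
sample dump; the analysis functions look at digests alone, as an attacker would.
"""
import hashlib
import os
from collections import Counter

# Constructed sample: a handful of accounts with a few repeated weak passwords.
_SAMPLE_PLAINTEXTS = ["link"] * 5 + ["1234"] * 3 + ["work"] * 2 + ["xK9$qw!2-Vt"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password, as a lowercase hex digest."""
    return hashlib.sha1(password.encode()).hexdigest()


# What the attacker actually holds: digests only, one per account.
LEAKED_HASHES = [sha1_hex(p) for p in _SAMPLE_PLAINTEXTS]


def top_hashes(hashes, n=3):
    """Frequency analysis needs no cracking: with no salt, identical passwords
    give identical digests, so the most frequent digests are the most popular
    passwords. Returns [(digest, count), ...] most frequent first."""
    return Counter(hashes).most_common(n)


def crack_with_wordlist(hashes, wordlist):
    """Dictionary attack against the whole dump at once: hash each guess a
    single time and look it up against every account. Cost grows with the
    wordlist, not with the number of users, because nothing per-user varies."""
    lookup = {sha1_hex(w): w for w in wordlist}
    return {h: lookup[h] for h in set(hashes) if h in lookup}


def most_common_passwords(hashes, wordlist, n=3):
    """Combine both steps: rank digests by popularity, then name the ones a
    small wordlist recovers. Returns [(password or '<uncracked>', count), ...]."""
    cracked = crack_with_wordlist(hashes, wordlist)
    return [(cracked.get(h, "<uncracked>"), count) for h, count in top_hashes(hashes, n)]


def salted_slow_hashes(plaintexts, iterations=100_000):
    """Contrast: per-user random salt plus a deliberately slow KDF (PBKDF2).
    Identical passwords now yield different records, so frequency analysis
    tells the attacker nothing, and each guess must be re-hashed per account
    at 'iterations' times the cost of a bare SHA-1."""
    records = []
    for p in plaintexts:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        records.append(salt.hex() + ":" + digest.hex())
    return records


if __name__ == "__main__":
    print("most frequent digests:", top_hashes(LEAKED_HASHES))
    print("named by wordlist:", most_common_passwords(LEAKED_HASHES, ["1234", "link", "password"]))
    print("distinct salted records for 5 x 'link':", len(set(salted_slow_hashes(["link"] * 5))))
```

The first two functions are the whole of the attack the paragraph alludes to; the third shows the property a defender wants: with a per-user salt and a slow KDF, five accounts sharing ‘link’ no longer stand out, and a wordlist has to be rerun against every account individually.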
It isn’t that the industry hasn’t developed countless solutions for solving the authentication problem. The bigger problem, according to Bob Ackerman, is that economics get in the way. “A lot of the technologies have been around for years, but the pain threshold hasn’t been high enough to encourage adoption”, says Ackerman, the founder of US venture capital firm Allegis Capital, which has poured money into security firms including IronPort.
“How many people really change their passwords?”, he asks, replying, “very few” to his own query. “We need to come up with more efficient and more effective mechanisms for dictating who people are.”
A Bigger Problem
Bill Coughran, a partner at prolific IT industry investor Sequoia Capital, has investments in security firms including FireEye. He was also a senior VP at Google, in charge of its security efforts. Two-factor authentication was the favored solution for authentication in the 2000s, but it experienced its fair share of problems, such as the 2011 breach of RSA’s SecurID token seeds. Now, he points to mobile malware that snoops on incoming SMS messages, undermining the assumption that a text message is a separate, trustworthy channel and making out-of-band authentication difficult. “So a lot of people are considering whether they should do biometric”, he says, pointing to Apple’s $356m acquisition of the fingerprint scanning firm AuthenTec. “Will that technology come in over the next few years? I think yes”, he muses. “Those personal devices are becoming cheaper, smaller, and reliable.”
Authentication is just one part of a bigger puzzle, though. Identity management is a tougher nut to crack. In 1993, New Yorker cartoonist Peter Steiner drew his iconic cartoon of two dogs surfing the internet. “On the internet, nobody knows you’re a dog”, said one to the other. Twenty years on, canines can still go incognito. Companies like Google have tried to force people into using real names online, but surely by the time Steiner’s cartoon reaches its thirtieth birthday we’ll have found alternatives to such brute force approaches?
The chances are that identity and authentication (already closely related) will continue to come together. Maria Kussmaul, co-founder of venture capital firm AGC Partners, says that current identity systems are coordinated by institutions. That will have to change, she argues. You are, after all, a different person to your bank, your mother, your Alcoholics Anonymous group, and your alma mater.
Certificate authorities haven’t coped with that problem very well, she points out. “CAs have automated the issuance of that certificate, but how many times have they issued one to Mickey Mouse or Abe Lincoln?”, she asks. “The most credible ones tend to be employer-based, but what about the other institutions I deal with?”
It is important that technology evolves favoring an individual’s ability to control their own identity and transact with many organizations on their own behalf, as opposed to being tethered to a single organization. The challenge is, how do we get from one point to the other?
Thinking Differently
New ways of thinking will separate iterative approaches to security from disruptive ones. Ackerman divides security into two parts: the first involves securing the legacy architecture we already have. The second involves reimagining new architectures and platforms that are more secure, specifically for a world where cloud and mobile computing are part of the mix. “We won’t jump to a new paradigm as soon as it becomes available. There will be a long, protracted migration path”, he forecasts.
We can predict what these new architectures may look like by turning from the past to the present. Lenovo just announced that it is selling more smartphones and tablets than computers. Reports like those are good indicators that we really are in a post-PC era, and that after the hype subsides, bring your own device (BYOD) will be a staple part of the new IT landscape. It’s no wonder that Kussmaul thinks mobile devices will be a nexus for identity and authentication.
Further out, she foresees the ‘Internet of Things’ as another game changing technological development that security policy will have to cope with. Estimates vary on how many machines will be speaking to each other on the internet. Cisco, which stands to make lots of money from it, says 50 billion within seven years. Already, news stories are emerging about people being able to hijack everything from smart toilets through to pacemakers and light bulbs. Kussmaul argues that connected cars aren’t far away. “Think about people wanting to manipulate the system for fun, or criminal intent. That’s a whole area of security that isn’t on the map today that ten years from now will be far more relevant.”
Whether we’re talking about mobile devices, cars, or Japanese toilet seats, one thing is clear: we’ll be dealing with a large collection of decentralized nodes, all talking together in a highly complex system that will be difficult to centrally manage. And then, there’s the cloud.
Complex Systems
Like mobile, cloud computing is already here, and getting bigger. Because it can be more decentralized and more internet accessible, it will also be a target. “That reflects more capability for cybercriminals, too, because if they want to intercept data, there’s more of it”, says David Emm, senior researcher at Kaspersky Lab. “There will be more hours in the day to do it, and more places to get it.”
The other problem is that the systems themselves will become more complex, making it increasingly difficult to get a single, cohesive picture of what is happening and react to it. Ackerman envisages an age of “sentient networks”, where we move away from dealing manually with threats. This goes beyond traditional intrusion prevention systems, verging on artificial intelligence. It’s about chasing a threat through the network, tracking it down, and killing it.
Luke Burns, partner at venture capital firm Ascent Venture Partners, predicts near-real-time analytics. “In the past, when combatting some of the threats out there, we had to go back and do forensics on it”, he says. “Big Data analytics and real-time computing, when applied to security, enable companies to react more quickly. We also see better data sharing, so that the whole community can learn from those more quickly.”
New Blood
All of this new thinking will take new blood, say experts. In 1995, Bill Gates was asked what the biggest threat to Microsoft was. He argued that it was the small company in some garage that may not even have been started yet. Within ten years, Google was founded and went public. It disrupted everything. The same may be true in the security space.
“Some of the most interesting things going on right now aren’t happening in the big companies, they’re happening in the smaller ones”, says JP Haynes, CEO of eSentire, a small Canadian managed security services firm that just won $7m in financing. “These are companies that evolve, solving problems with different ways of thinking as the next generation approaches.”
Matt Fates, Burns’ partner at Ascent, agrees. “Every time someone becomes big and successful, the attack vector changes slightly. Then you have a new set of startups.”
It’s worth remembering that none of this happens in a vacuum. Broader policy informs developments in security and privacy. In the UK, the government is trying to censor pornography at the ISP level. In the US, the government is monitoring the communications of its own citizens, and secure email services are already shutting down rather than hand over their users’ data. It’s a strange world when your own government has to be written into your threat model. The security industry is already reacting, looking for new opportunities to solve growing problems.
Grass Roots Solutions
Perhaps it’s unsurprising, then, that some of the most promising security-related developments are grass roots ones. They stem from decentralized structures with similar characteristics to those in Kussmaul’s mobile utopia, where people control their own online identities and authentication mechanisms, or in developments like the ‘Internet of Things’, where lots of small, autonomous nodes talk to each other.
One example is bitcoin, a peer-to-peer cryptocurrency and payment network whose rules are enforced by cryptography rather than by an institution, and which has yet to enter the mainstream. Its founding principles include decentralization. It relies on a truly distributed network of nodes, each of which independently validates every transaction, and any of which can spend bitcoins (or create new ones by mining) without referring to a central bank or payment authority.
The protocol, itself developed by an unknown expert working under the name Satoshi Nakamoto, has since had its design borrowed for other purposes. BitMessage, a decentralized messaging system modeled on bitcoin (it reuses bitcoin-style addresses and proof-of-work), is now being used as an alternative to ‘secure’ email services that went offline in the wake of the PRISM revelations.
We saw decentralized systems such as peer-to-peer file sharing set the scene for the disruption of the music industry in the 2000s. Decentralized technologies could do the same for security in the next ten years.
Predicting what will happen in 10 years in the technology business is indeed tricky. It’s a little like popping popcorn. You know there’s going to be an awful lot of activity and noise, and it’s impossible to predict any single movement. But you know that it’s all going to happen in one place, and that it only happens when the heat is on.