This time of year, three things are almost certain. You will be tempted by all flavors of festive treats. You will wish holiday greetings to friends, family, teammates, customers and partners so often you may go hoarse (worth it!). And you will contemplate what’s going to happen in 2020. You’ve likely even made some predictions about it.
As for us, check, check and check. It’s an interesting time in the world of cyber security, with Google’s claim of quantum supremacy, two cyber attacks aimed at the Labour party during elections in the UK, an increasing number of attacks against small and medium businesses, hospital care for patients disrupted by ransomware, many countries developing IoT security regulations, and governments and tech companies at odds over encryption of devices connected with criminal cases. Just to name a few.
Our predictions focused overall on digital transformation and are divided into three sub-categories – Internet of Things (IoT), encryption and privacy. In addition to my thoughts below, a number of our experts, including Tim Hollebeek, industry and standards technical strategist, and Mike Nelson, vice president of IoT Security, also contributed to this year’s prediction forecast. Both IoT and digital transformation remain top of mind for many (Google “Internet of Things” and you’ll be greeted with a mind-blowing 2.6+ billion results), generating plenty of excitement and promising interesting things in the years to come.
Let’s take a peek into that not-so-distant future and explore our predictions for 2020.
Hackers will continue to find vulnerabilities in consumer IoT devices since security is not top of mind when these devices are developed. In contrast, industrial IoT security has improved, especially for critical systems such as automotive, SCADA and healthcare, and will tackle the challenge head-on.
Here are a few other IoT security predictions for 2020:
- The focus on procurement requirements will grow, with companies asking for assurances from their IoT device manufacturers that the devices are secure.
- The rapid growth in connectivity, telehealth and IoT devices embedded in patients will lead to a strong push for better security in medical devices.
- More device manufacturers and consortia will learn from key industries how scalable public key infrastructure (PKI) can secure IoT devices. PKI adoption will increase for connected device authentication, encryption and integrity. After do-it-yourself PKI lets down companies, they’ll turn to leading third-party experts/CAs to provide it.
IoT devices will face a growing number of global regulations in 2020. Consumers will help drive this by demanding more stringent security protections, such as device labeling – something that’s already required in the United Kingdom. In an effort to avoid government regulation, industries will come together in many markets, including Germany, the UK, South Korea, Japan, the U.S. and elsewhere, to develop standards for securing IoT devices within their industry.
Markets like Japan, the UK and the United States are making strides in IoT regulation. Here’s a snapshot of current regulatory activity in these countries:
- Japan: In anticipation of cyber security threats during the Summer Olympics in 2020, the Japanese government passed a law enabling it to hack into citizens’ IoT devices. In cooperation with the country’s Internet Service Providers (ISPs), the government will attempt to hack into millions of devices using the default credentials of the devices. Owners who haven’t changed the defaults will be warned that their devices are at risk of attacks.
- United Kingdom: In 2018, the UK signed the world’s first IoT code of practice, including guidelines for manufacturers such as no default passwords. More recently, it announced plans to introduce laws requiring that manufacturers build security into IoT devices.
- United States: “While the U.S. federal government has been less willing to regulate IoT as aggressively as others, the state of California has led the way in regulating IoT devices sold in the state,” according to a Forbes article. The California legislation requires that security features protect the device and information it contains from multiple threats. The move has held sway with device manufacturers because of the huge market that California represents.
Scalability and Certificate-Based Security
Many of the companies trying to run their own PKI or small, private CAs in support of global IoT deployments will run into scalability issues as the challenge of scale becomes apparent. This will cause manufacturers to turn to proven public CAs in an attempt to solve the scalability challenge. The public CAs will respond by creating or acquiring more robust IoT, or private trust, solutions to meet the growing demand for IoT security.
As far as what’s on the horizon for Transport Layer Security (TLS) certificates, shorter validity periods mean organizations will start embracing automation in order to make certificate management easier.
Quantum computing, which uses quantum bits (or qubits) vs. the bits used by traditional computers, can complete complex calculations simultaneously instead of sequentially, speeding the results. Medical sciences, particle physics and machine learning are among the potential applications. Research into it has attracted interest – and dollars – and we predict a quantum computer will solve an economically important problem in 2020, which will only accelerate quantum computing development and investment. In addition, the push for adoption of post-quantum cryptography will gain added awareness as the need to protect today’s and tomorrow’s investment grows.
That advanced computing power could prove irresistible to cyber criminals. A survey of IT decision-makers found that 55 percent consider quantum computing an “extremely large” or “somewhat large” threat today. Seventy-one percent believe it’ll be an “extremely large” or “somewhat large” threat in the future. Fifteen percent believe that 2020 is the year that quantum computing will advance to the point where it can crack existing cryptographic algorithms.
The industry must strengthen encryption algorithms to keep up. Hybrid digital certificates will grow more attractive as well. At some point between 2022 and 2024, the National Institute of Standards and Technology (NIST) will have standardized a post-quantum cryptography (PQC) algorithm that can meet the challenge. The achievement will kick off a global effort to deploy it. Companies that have inventoried their cryptographic systems and emphasized cryptographic agility will have an easier time deploying it; others, not so much.
This year, we’ve seen the adoption of the California Consumer Privacy Act (CCPA) and the failure of the New York Privacy Act (NYPA) to make it to a vote during the state’s recent session. Taking effect on Jan. 1, 2020, CCPA is sometimes called “GDPR-lite” in reference to the European Union’s General Data Protection Act (GDPR).
The GDPR was implemented in May 2018 to give people “more control over their personal data and make sure businesses prioritize data privacy.” There’s no country-wide equivalent in the United States, though the California data privacy law – the country’s first – comes closest to it.
Among other things, CCPA gives Californians the right to know what personal data is being collected and whether it’s being sold or shared with others. Companies must disclose that information to consumers or face fines if they don’t.
There’s a growing concern among consumers globally about how companies handle their personal data. Some believe the ultimate solution is a national privacy law, similar to GDPR, but the likelihood of one passing is low in the current administration. Other countries are looking at their own privacy laws beyond GDPR.
We predict that a growing number of states as well as countries around the globe will fill the gap by adopting their own data privacy laws. Unfortunately, the patchwork nature of privacy law adoption in 2020 will make compliance very difficult for companies with locations in more than one country, or even more than one state for that matter, and for those that sell goods online to consumers around the world.
2020 will be a big year
Time will tell which digital transformation trends emerge in 2020, but here’s hoping security can keep up so they’re as satisfying as those holiday treats. No doubt it will be exciting to see what’s in store. Wishing you a safe, prosperous and Happy New Year!