I don’t think I am alone in the conviction that time is accelerating and each year is shorter than the last. In my mind Y2K is thankfully behind us but not by very much, and I still have the remnants of the millennium bug bonus I earned (ahem) to spend. We are actually less than two weeks from Christmas 2019 and in some ways the next real work I do will be done in 2020. Good for my eyesight, if nothing else.
Farewell then 2019. As the son of a Scot I might ask, sit awhile afore ye go and we shall talk. What will you leave for us to recall, as you go? Threat levels have not improved any, that’s for sure. Did we expect them to? Not really – we don’t even see the beginnings of any great panacea out there, on the cusp of solving all our problems. But it is also true that such a panacea – if one could ever be found, which we very much doubt – still isn’t really the point. We still, nationally, corporately and individually, need to do the basics better. That just isn’t happening; weak passwords, outdated software, poor (no) access controls and much more are still commonplace. In short accessing, traversing and emptying too many networks is still too easy, too often.
It is – see above – basically 2020 and yet recent surveys once again show that the most common passwords in use in the UK today include strings of concurrent numbers and the names of our dogs. We blame the users – those who choose them – but that is just victim blaming (“We live in an era of smart phones and stupid people” being perhaps the most offensive and egregious example – and I have seen this used to excuse a breach). We should instead look to ourselves as an industry, as a community and as employers; quite frankly if we can’t make users understand how important passwords are, then we should have a long hard look in the mirror and consider our career choices. We are failing. The NCSC have to some extent grasped this problem with their advice around three random words, but so far behaviour isn’t changing (and the fierce debates around the sagacity of this advice anyway still rage); length not girth, basically. This won’t do – we must do better in 2020.
2019 also leaves behind some large fines for GDPR breaches – finally, I hear you say. BA most famously but also EE and even HMRC have been found wanting, as have many others. Expect to see more of this, although anecdotally the ICO is said to be worried that the over-reporting of breaches (too many, too soon) could make their workloads untenable. GDPR will settle down and we will all understand it more effectively and practically, and we will be advised by more and better case law. It isn’t going away, Brexit or no; it is one of the regulations ported across as is and will stay. Ignorance is no excuse but fine avoidance will continue to drive security budgets. As far as that goes it’s enough for now, but how much better if we thought instead about security from a positive perspective? As an enabler rather than, as the saying goes, a cost of doing business in the digital age? A lot, frankly.
Huawei was fun this year, or at least the US-China trade war fought by any other means was. We have had government vacillations par excellence, an unprecedented leak from the NSC, the beating heart of the UK’s security establishment (ironically enough said to be rooted in concerns about our national security), and we now see an industry ploughing ahead with 5G as fast as possible, on the basis that once it’s in, it’s in. Predicting anything in this uncertain political world is a mug’s game. I predict that the new government in the UK, emboldened by the election, will bend to Donald Trump’s will and bar Huawei from the UK’s 5G networks. I equally predict that this will be done such that the network will work enough until the issue can be dealt with away from the glare of publicity; it has to, because Huawei is already embedded and removing it doesn’t bear thinking about. As Anthony Kiedis might have put it, sugar, syrup, cream, heat; fudge, in other words. In all of this, it is the NSC leak that matters and risks real damage to our national security, rather than any sort of Chinese technology; this all ought to bar the leaker from public office, but of course it won’t.
To end with a couple of predictions for 2020. I mentioned above that incentives for security budgets are still widely rooted in fear. I predict that this year we will see an increase in the imperceptible shift we have sensed already; more people will spend more money more positively. Think about a bank and ask yourself, would you bank with anyone who wasn’t good at security? No, clearly not. That philosophy will spread; customers will want to engage with secured products, from secured companies, in exactly the same way. Given a choice of two widgets, increasingly the one with security in-built will be winning and selling.
Finally, the effective privatisation of state capability will continue to grow. This will happen in two ways. One, there will be a continued (and possibly continuous) seeping of state capability into the wild; Shadow Broker II (Shadow Brokered? Shadow broken?). Capability with those antecedents was behind Wannacry, apparently, and whilst we are on that subject we also learned this year that the attackers were paid a total of only $86,000 and all of that is frozen, inaccessible, in a bank account somewhere. But back to privatisation. Wannacry was attributed to North Korea and attribution will drive more states to adopt an outsourcing model – think Fancy Bear. Apparently criminal gangs won’t be, and won’t be equipped as such either. This of course feeds the seepage described above, and so ad infinitum. It is still true that nation state attacks won’t impact very many of us at all, but increasingly (aging) nation state capability may do so.
I have ended a little bleakly. There is room for optimism of course. The UK will make 5G work and it will work well (and in my opinion it won’t be spying for China – networks could potentially be closed, should things change between us and China some time in the future, but it’s not an espionage risk. Belt and Road as one of the most successful foreign policy initiatives of recent times? Please discuss). The number and impact of attacks we’re seeing now means we will continue to see more people and companies engaging with cyber (and the only truly cardinal sin is to ignore the issue completely); from that in time will come better defences. As a nation, we will make and take only a small uptick. Microsoft is moving into security and think what you will of them, when they’re good they’re good; expect to see more of their stack and expect it continuously to improve. The NCSC is engaging more effectively too and will and should do more. Should because, for me, an effective public-private partnership is two things; vital and still some long way off. I won’t end bleakly but I will end with a challenge; come on NCSC, make it happen in 2020. Make 2020 the year of collaboration.