The year 2020 was an extraordinary one in so many respects, and was a particularly busy one in the field of cyber-threats. This included the increasing proliferation of ransomware, a decline in “digital hygiene” and of course the intriguing Sunburst attack… So, what sort of cyber-threats can we expect in 2021? Here are our four predictions for the year 2021, which has got off to a flying start.
If 2020 were a film about cybersecurity, it would be a western, as at times the cyber-threats seemed to be firing away at us from all sides. We’ve seen a ramp-up of cyber-attacks on health establishments, municipalities, industrial systems, the maritime sector and water infrastructure. The year was a packed one when it comes to cybersecurity news. Not forgetting, of course, the last-minute cliff-hanger of the Sunburst attack, whose degree of sophistication and list of victims were particularly alarming. What lessons can be drawn from 2020? What sort of threats are waiting in the wings for 2021? Just like every year, we bring you our predictions. And we’ve never hoped so much to be wrong.
COVID-19 and teleworking, long-term entry points
The (not so weak) signals from 2020
In cybersecurity, as in so many other fields, context is king. This principle was particularly true in 2020, when we witnessed several opportunistic cyber-attacks. These included the exploitation of vulnerabilities due to teleworking and cyber-attacks conducted on the back of the COVID-19 pandemic... After the earthquake which devastated Haiti in 2010, cyber-criminals had already shown that they can move quickly to take advantage of a crisis (at the time, they faked emails from the WHO). In 2020, they had a great time with the coronavirus and with internet users’ legitimate quests for information. In a report published in May, the UNODC listed the main COVID-19-specific threats identified, including phishing campaigns, the circulation of malware and identity theft from official websites. And according to Interpol, in late March 2020, more than 2,000 new domain names incorporating the term COVID-19 were identified as malicious and more than 40,000 were categorised as high-risk. This is not even counting the surge in delivery fraud, boosted by the growth of e-commerce.
It must be said that the cyber-criminals have certainly been helped by the different lockdowns during 2020, in which the growth in teleworking has led people to forget a few essential security rules… One company in four stated that it had found it necessary to settle for compromises where security is concerned during the first lockdown. This figure can rise to up to half of employees, who admit taking liberties with security rules when working from home, according to Tessian’s The State of Data Loss Report. We also have to keep in mind how widely personal equipment is used to continue working: the good old BYOD (Bring Your Own Device) has been transformed into RYOOD (Retrieve Your Old Own Device), something capable of compromising companies’ IT security. Finally, teleworking has made video-conferencing a daily reality, and the “Zoombombing” phenomenon has quickly become an emerging trend. The European Defence Council meeting, which was supposed to be secret but was infiltrated by a journalist, is just one example among many others. Does all of this leave your inner IT manager somewhat exasperated? Your trials and tribulations may well be set to continue in 2021.
Scenarios for 2021
Teleworking and to hell with the rules. Hybrid working (a combination of attendance-based and remote working) is becoming a permanent part of life within companies. It brings with it the risk that employees will lack discipline where cybersecurity is concerned. At home, everyone follows their own rules, far away from the watchful eye of the IT manager. People behave differently when working on their own personal computers. Personal tabs can be found alongside business ones, people’s attention levels are down and the risk of downloading a corrupted file increases over time, especially if it appears to have come from your own company. In the future, it’s a safe bet that documents and emails from human resources teams will be among the most hacked or faked, with the goal of compromising an employee’s workstation. This scenario presents two challenges: all company staff must be sufficiently trained in cybersecurity, and the IT manager must take steps to maintain regular links with those working remotely and a secure relationship with service providers. In future, will companies need to vet the suppliers of solutions installed by their employees at home? Will it be necessary to draw up a restrictive cybersecurity charter covering the equipment to be used for teleworking? In the event that personal equipment is not considered sufficiently secure, will the company need to supply all of its employees with a work computer, with all the related security guarantees? Another question then arises, that of the price of security…
Threats driven by artificial intelligence
The (not so weak) signals from 2020
In the opinion of the ISS (Institute for Security Studies), new technologies will be a driving force behind the conflicts of tomorrow. In December, this European organisation published 15 scenarios for 2030, in which experts try to imagine what future wars will be like. The term Artificial Intelligence appears in it 547 times… Europol has listed the current and future threats from artificial intelligence. According to this report, AI is already being used to crack passwords, to beat CAPTCHAs and even… to clone voices. Tomorrow, however, it will be in the physical world that terrible consequences occur. And with the growth of machine learning operations (MLOps), it is the industrialisation of AI (and its threats) which is currently the focus.
The year 2021 should be a year in which AI is adopted on a large scale by companies, forecasts Forrester. By 2025, the market for artificial intelligence software will be worth 37 billion dollars. So, a fast-growing market. Already in 2019, 52% of French companies used AI solutions or planned to do so, according to figures from Wavestone. In August 2020, an artificial intelligence solution was used in a US Air Force military aircraft. However, companies which adopt emerging AI technology first are underestimating the risks and leaving the planning of their security until a late stage, according to an Accenture study published in November 2020. A grey area, ideal for cyber-attacks.
Scenarios for 2021
Hacked and hijacked objects on the road and in the air. With self-driving cars increasingly using artificial intelligence to automate certain tasks, the question of data protection is a central one. By compromising the integrity of the data used by this AI, it’s possible to modify calculations and even influence certain commands (speed, trajectory, itinerary, etc.). In the future, cyber-attackers will be able to carry out actions in the physical world, ranging from simply re-routing deliveries to planning assassinations or terror attacks by using cars as battering rams. In the air, the use of autonomous drones or the hijacking of military aircraft piloted by an AI system will also provide the scope for catastrophic scenarios.
Blackout in the city. Will the increasingly connected Smart City of tomorrow become the prime target for cyber-attackers? All the ingredients are there, with multiple artificial intelligence systems and a growing potential attack surface. And the threats may range from the “simple” disruption of electrical systems (traffic lights, public lighting, etc.) through to the crippling of electricity generation facilities.
IoT and 5G will accelerate and multiply cyber-attacks
The (not so weak) signals from 2020
The roll-out of 5G has started in Europe. It offers the promise of processing more data, more quickly. This opens the way to the development of a real Internet of Things (IoT), the nature and applications of which will be varied (telemedicine, self-driving vehicles, smart buildings, etc.) and which will profoundly change the geography of a company’s networks. This will also increase the attack surface. Among the risks inherent to 5G, Accenture mentions “the hyper precision of geolocation and the explosion in both the volume and speed of the network”. It has to be said that the distributed nature of 5G networks, to which a multitude of connected objects with dubious security will be connected, further reduces the visibility of threats. 5G technology brings with it its own range of vulnerabilities, and requires a specific form of cybersecurity based on integrated protection, governance and user data protection. On this topic, it should be noted that in December 2020, Europe launched an audit to check that the cybersecurity of 5G technology currently deployed in several countries meets the required levels.
Scenarios for 2021
An attack via 5G in the industrial field. With higher transfer speeds, high performance, real-time operation and even wireless connectivity (to remove certain security risks inherent to wiring), 5G is presented as the key to the industry of the future. Faster connectivity between people and machines, even over vast industrial sites, will mark the start of a fourth industrial revolution. But with 5G and the coming explosion in the number of connected items, the attack surface seems almost uncontrollable, with the massive connection of technologies insufficiently focused on the issue of cybersecurity. The cyber-criminals of tomorrow may attempt to target a manufacturing plant launching the first trial 5G connections. As 5G contributes to the industrial control system, how do we guarantee the verification of the 5G technology itself? In the absence of a clear answer to this question, we should remember that three major classical threats are never far away: industrial espionage, the pure and simple shutdown of the activity and the hijacking of production (to change a formulation or affect its quality). Already identified last year, these risks are unfortunately still with us.
The geopolitics of cyber-attacks
The (not so weak) signals from 2020
Over recent months, several cyber-attacks targeting strategic national interests were attributed to APT groups close to state-sponsored organisations (China, North Korea, Russia, etc.). National elections have also been the subject of great speculation. Before the election of 4 November 2020, observers considered that Russia remained the main cyber-threat to the American presidential election. In the battle for influence which an election represents, all it takes is an item of fake news or a deepfake to win or lose votes. Or a tweet. The hacking of Donald Trump’s Twitter account might open the way to a new form of hacktivism: that of making fake public statements. The rise of electronic voting is also of concern, as in November 2020, once again, a flaw in a supercomputer’s AI disrupted the counting of votes in Brazil’s municipal elections.
This is without counting new economic threats and the risk of destabilising a country’s economy. In November 2020, the Cigref (the Association for large French companies and government organisations) sent a letter to the Prime Minister at a time when attacks targeting major French companies had increased in both number and intensity. “They are increasingly affecting public or private organisations and are a growing threat to the economy”, stressed the note.
During the first half of 2020, the water industry in Israel was the target of several series of cyber-attacks. In April, the IT network of a water pumping station was infected by a malware program aimed at affecting the water pump controllers. The objective: to increase the quantity of chlorine in the water. Such an attack could have resounding mechanical or human effects. The Financial Times went as far as to give this the evocative title “Cyber winter is coming”.
Scenarios for 2021
A new form of cyber-terrorism. On the cyber-war front, should we fear the future convergence of hackers and militia groups, with the ability to carry out potentially fatal cyber-attacks, either by carrying out online actions with “real world” ramifications, or by coordinating online and physical attacks? In the future, a worst-case scenario could be a terrorist organisation or extremist group carrying out a physical terror attack combined with a cyber-attack to disrupt emergency services, delaying or preventing access to treatment for the victims. State support and the accompanying interference, whether concealed or otherwise, would be an option here.
These are all possible futures and scenarios for cybersecurity trends in 2021 – we’ll be watching them closely. And what about 2022?