This year was a pivotal one for security, marked by massive data breaches and high-profile hacks that, taken as a whole rather than as isolated incidents, spark worrisome thoughts about the future. At the same time, the security industry made positive strides in 2015. I recently spoke with Constellation Research VP and principal analyst Steve Wilson and got his thoughts on some of the security stories and trends that mattered most this year.
Hacking and the Internet of Things
If there was a gold rush in the tech industry during 2015, it centered on the Internet of Things. While it's easy to see the potential IoT has for reshaping the tech landscape, this year brought a stark reminder that when it comes to security, IoT has a long way to go. In August, Chrysler recalled more than 1.4 million Jeeps after hackers proved they could take control of one such vehicle remotely.
"While our passion for IoT continues, there’s this colossal disconnect between the quality of software and the expectations of software," Wilson says. "The fact you can take control of a vehicle over an API, it’s a doomsday scenario."
He observes that Chrysler's response evolved rapidly, from initially announcing the availability of a software patch, to issuing a formal recall: "Asking people to patch cars like they're laptops is just outrageous. Hopefully this experience will force all vendors in the IoT to rethink the fundamental quality of their software."
Another high-profile IoT hack this year involved Hello Barbie, a version of the popular girls' doll that can converse with children with the use of a cloud-based natural language processing service. "It turned Barbie into, basically, a bug," Wilson notes.
"There's a fetish for connectivity," Wilson says. "Systems engineers and strategists think connectivity is fundamentally good." This mindset, coupled with the general IoT rush to market, is worrisome to say the least, he adds.
The Ashley Madison Breach: Why It Affects Everyone
In August hackers exposed the personal information of more than 30 million users of Ashley Madison, a website that facilitates adultery. This is a big deal, but not just for the reason that might immediately come to mind, Wilson argues. "The social impact has been horrible," he says. "We all sit there and giggle and blame the victim, saying 'you deserve what you get,' but the lesson is much, much deeper than that."
Ashley Madison's management had always promised users the site was safe and secure, Wilson says. "Swap over to any government website, and they'll say the same thing. Everyone from governments to dating sites are making the same security promises and most of them are failing. It seems that only big retail banks and big cloud superpowers are avoiding big breaches."
"There is a terrible breach of trust you know around the word 'secure," Wilson adds. "When a bank says 'your money is secure' they don't mean things are perfect, of course there are still bank robberies, but customers do not have to think about it. But when a digital service says 'your data is secure', all it means is they've passed some audit, if that. Security commentators actually say breaches are inevitable. Think about that. What does the word 'secure' really mean?"
The FIDO Alliance Gains Steam: A Bright Spot
This year saw big strides in the FIDO Alliance's efforts to create new standards for authentication. The biggest milestone was reached in November, when the Alliance submitted specifications to the World Wide Web Consortium, as Wilson wrote in a blog post at the time:
In time, all websites are going to be able to invoke strong authentication natively, by accessing FIDO credentials in end-user devices via regular browser script in any W3C compliant browser. Technical APIs will be pushed further down the programming stack, so website developers need not worry about authentication technology; in their high level code they will be able to invoke a powerful suite of standard identity management functions.
Assuming the committee process runs its course, W3C standardization will make FIDO’s style of strong authentication essentially ubiquitous, as per the vision of its founders.
FIDO has moved forward at "light speed" as far as open standards processes go, Wilson says. In the meantime, many commercial companies are delivering FIDO-based authentication to consumers in apps and in mobile devices, including PayPal, Google, Alipay and Japan's big telco NTT Docomo.
Looking Ahead to 2016: Security As a Public Health Matter?
There remains a general lack of security awareness and care on the part of many users, even in light of massive data breaches and hacks. "Most security professionals sit around and wonder, what the hell is wrong with people?" Wilson says. "Technologists are baffled. 'Why don’t they change their behavior, what is it going to take?'"
The thing is, we've been here before with other types of risks, such as smoking and obesity. People often make poor choices in the face of overwhelming evidence of risk. "Public health researchers have known about this paradox of human behavior and I think it’s exactly the same with data security," Wilson says. Rather than disparage or scold the public, going forward security advocates should begin treating the topic more like a public health issue, with the battle fought through advertising campaigns, regulations and other means, he adds.