Traditionally, this time of year one either looks back at the previous year, or looks forward to the year ahead. While there have been great advances over the years with respect to information security tools, technologies, training and awareness, significant challenges remain. What follows is my estimation of the top information security challenges for 2022. Please note that I could probably have written the same challenges for 2021, 2019, 2001, and perhaps even 1973. Some of these issues are perennial, some are new. As a lawyer, some of these challenges are ones faced by security lawyers rather than technical challenges which might be faced by CISOs.
10. Document Retention Policies
People often forget that digital security is first and foremost about information management. It’s all about the data, not the hardware, not the software. At the end of the day, the goal of data security is to ensure that the right information gets to the right people (with integrity) and that it does not go anywhere else.
To a great extent, this means doing things that are very very hard to do. It means mapping data flows (not networks). Knowing what data is located where, where it is supposed to go, and where it is backed up and stored. It also means knowing HOW the data flows through the system, where it passes through, what networks and devices it flows through, and how it is stored (permanently and temporarily). One problem is, much of the data created (think e-mail) may be stored or transmitted on or through third parties, or may be sent to third parties which may themselves retransmit the data, or incorporate it into other data streams. Sounds like fun, no?
After mapping the data flows, the next step is to classify the data. What’s secret, what’s confidential, what’s public? What data is critical from a confidentiality standpoint (what would happen to the enterprise or third parties if the data was released)? What data is critical from the standpoint of data integrity (e.g., financial disclosures)? What data is critical from the standpoint of availability (e.g., that implanted pacemaker)? That’s just data classification from a data security standpoint. The data also then has to be classified from a data retention and data destruction standpoint. How long do you have to keep it? How do you have to keep it? Where do you have to keep it? Can the data be exported? Can it be deleted? Must the data be “wiped” rather than deleted? And, once again — if the data is to be deleted, do we know where it is?
These issues are really hard because of — well, humans. People tend to want to keep data. They tend to want to keep it handy. Which means moving it from place to place — to thumb drives, onto mobile devices, and emailing it to themselves. They are also lazy. There’s little apparent utility in spending hours going through documents and emails and “classifying” them. So we end up with a huge pile of data that we never classify and never delete. Or more accurately, many huge piles of data. We have no good tools to automatically classify data, and automatically delete it. And if we did have such tools, of course, they would be powerful tools for hackers and fraudsters. So that’s a challenge right there.
9. Cyber Insurance
“Cyber” insurance has been around — in one form or another — for more than thirty years (although most carriers don’t know that). With the increase in “successful” ransomware and extortionate attacks (and claims related to them), carriers have responded by being more selective in who and what they cover, by requiring prospective insureds to take certain actions as a precondition of coverage, by raising premiums, and by excluding certain losses from coverage. They have also responded by taking a narrow and defensive position with respect to claims — rejecting, for example, claims related to files “damaged” by ransomware as not truly being “damaged.” In addition, insurance companies have forged relationships with digital forensics and investigation firms, as well as cyber law firms, to provide “one stop shopping” for risk reduction, risk mitigation, risk transfer, and incident response. The challenge for 2022 (like in the past) is to ensure that the insurance and the insurance market are poised to meet the actual threats and challenges posed by the digital marketplace. Fraudulent wire transfers, supply chain interference, third party liabilities, business reputation management, and loss of cryptocurrency are all new threats (well, some are) for which most entities’ insurance policies may be inadequate. Additionally, with the increase in the price of cyber-insurance, many small and medium-sized businesses are being priced out of the marketplace. Finally, the current commercial cyber insurance marketplace may be inadequate to meet two related problems — systemic supply chain (third party) claims, and claims related to state-sponsored cyber-attacks. It may be time for a government (or multiple governments) to step in to ensure that cyber policies are reasonably comprehensive, and are reasonably affordable. Or maybe not. But it’s still a challenge.
8. Ransomware
Ransomware remains a significant challenge for companies, not simply because it has become ubiquitous, but also because of the significant impact a single ransomware attack may have on a company and every company or customer that relies on that company. Unlike previous types of “hacks,” where data is stolen and then exploited or sold, ransomware and extortionware rely on payment by the victims themselves. Instead of having to steal data and then find a buyer for that data, a threat actor can sell the data (or mere access to that data) to an already willing buyer — the victim themselves. Easy, peasy, lemon squeezy. With the ubiquity of anonymous payment processes through cryptocurrency, a threat actor may target a particular company, industry, computer or database, or may simply go after targets of opportunity. The defenses to ransomware — whether they are intrusion prevention, network segmentation, data backup and restoration, or advanced incident response (including payment) — are complex and not comprehensive. A classic setup for a disaster.
7. “Supply Chain”
For these purposes, I take a very expansive definition of “supply chain.” For my purposes, a company’s “supply chain” is anything upon which the company depends for critical data, processes, or services. Software can be supply chain. Firmware too. Hardware is part of the supply chain. Services are part of the supply chain. People are included. When we talk generically of “supply chain security” or “supply chain resilience” (a better concept), we are really talking about examining all of our dependencies and interdependencies (including who is dependent upon us) and asking hard questions like how do we know the provenance of that product or service, and what would happen if…. If the data was not available. If the cloud was not secure, if I could not access the data, etc. Supply chains (under my definition) are hard to understand and ever more difficult to manage. Because of the interdependencies, the security (and resilience) of any entity is dependent upon the security (and resilience) of any and all of the hardware, software, people, processes, etc., upon which it depends. While third party audits, data protection agreements, and standards all may help, the problem is really complicated, and will likely persist.
6. Multi-Factor Authentication
When we speak about authentication, we often mean “authorization.” Is the person accessing the data, computer, network, or process the person who is permitted to do so, and are they accessing and using the data, etc., for a permitted purpose? Traditionally, we have used “authentication” as a proxy for authorization by providing the authorized person with some form of credential which they then present to us to establish authorization. In the transfer back and forth of such credentials, we create vulnerabilities, including MiTM attacks, spoofing, theft of credentials, etc. Cat, meet mouse. Or mole, meet mallet. In addition, strong authentication can be anathema to strong privacy, since a strongly authenticated individual can be tracked by their credentials through every place they visit and everything they do. We can and will do better in authentication schemes (first thing, let’s turn on MFA by default) but, because of the power of authentication, it is often the most ubiquitously attacked thing. It’s a difficult and persistent problem, which is why it makes the list.
5. Data Protection Agreements
A corollary to the supply chain problem is the border problem. No, not THAT border problem. The problem that companies only directly control a tiny fraction of the infrastructure on which they depend. Their mail is provided by a third party cloud provider. Same for their salesforce infrastructure, billing, invoicing, HR, etc. They employ consultants, independent sales representatives, lawyers, suppliers, vendors, etc., each of whom has access to data, networks, computers, etc. For any data or processes outside our direct control, we can (and occasionally do) compel the third party to “do something” to protect our data. Sometimes it is just a duty to inform us of a data breach. Sometimes it is a duty to comply with some data privacy or data security standard (think ISO or NIST security standards). These agreements sit on a shelf like a ticking time bomb, until one of the companies suffers a data breach or other incident, and then we can sue them for breach of contract. In addition, we think that because the third party has signed an agreement that they will protect our data, we are in the clear. So the problem with data protection agreements is like the problem with the food at the borscht belt hotel. It tastes terrible, and such small portions.
4. International Data Privacy Regulation
Just as we begin to achieve consensus on data privacy principles (limited collection, consent, legitimate use, data lifecycle, right to be forgotten, etc.), data privacy law and regulation becomes exponentially more complicated and difficult to comply with. The other problem with privacy regulation is that the Internet has become dependent upon there NOT being data privacy — entities like Meta (Facebook, etc.), Alphabet (Google, etc.), Amazon, Apple and others depend upon the collection and analysis of massive amounts of personal data. It is what gives the company value. The problem with data privacy regulation is that we want both privacy and the utility afforded by having third parties collect data for and about us. Like many other complex problems, they are problems because we expect them to accomplish diametrically opposed goals. Sounds like fun.
3. Telework/Remote Access
If the pandemic has taught us anything it is that home is where the keyboard is. And the office too. The explosion of telework and remote access, together with some of the tools that enable such telework, has created a physical disconnect between the person and the data. Data can be, and often is, accessed anywhere and everywhere. The disconnect creates opportunities for hackers, fraudsters, and others to attack data and networks. And as people demand more remote services (think telemedicine) and demand to be able to work remotely, the problem will only get worse.
2. Staff Shortages
We have always suffered from a shortage of good security peeps — partly because of the nature of the work itself. A good security person follows complex rules. A good security person constantly disobeys complex rules and breaks things. A good security person fixes things. A good security person knows how to connect with other people and share their insights. A good security person doesn’t care about other people and sharing insights, but wants to think creatively about how to exploit people’s vulnerabilities. A good security person is a “team player.” A good security person can work for hours or days without any supervision. A good security person is a hacker at heart. A good security person would never do things that a hacker would do. And is it any wonder why we have trouble recruiting and motivating good security people?
1. Security Awareness
We do lots and lots of security training. Well, not so much. The average employee is compelled to take a 15 minute training session on security (Alice shares her password with Bob… is this (A) good or (B) bad?) and then a refresher class every 18 months. It’s a chore, and a passing grade is typically 75-80 percent, which means that they can be wrong 25 percent of the time and still “pass” their training. And yet, in many cases, users are either the first line of defense against attacks, or the first method of furthering such attacks. We must find a way to go beyond training, beyond learning, and to change and reinforce culture. Sure, AFTER a major breach, AFTER a major ransomware attack, AFTER a major shutdown, everyone is more sensitive to data security. The problem is that many users either don’t know what to do to maintain security, or don’t care. Most of the time, however, it is because users believe that it is either necessary or useful to bypass a security requirement in order to get their job done. Thus, part of the job of the CISO is to find out how and why people are bypassing security and find a way to help them get their job done. And to inculcate a culture of security, curiosity, and concern within and throughout the company. And unicorns. Because, why not?
So these are MY top 10 security challenges for 2022. And 2023. Most of these problems are intractable and are bound to be repeated. And they are hard to fix. If they were easy to fix, they wouldn’t be on the list.
Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.