Last year was all about money and politics, which set the stage for 2017's cyber skirmishes to play out in fake news and malicious augmented reality, Europe’s peak network security research group ENISA says.
With pressure on Google, Facebook and Twitter to suppress fake news in the aftermath of the US election, all eyes are on Europe’s 2017 national votes in France, Germany and the Netherlands. While Europeans should be cautious of fake general news, ENISA reckons citizens could be left exposed by media lapping up stories about real but decoy cyber attacks.
There may, for example, be instances when an attack on one target blindsides the public to the attacker’s real intent. The casualty may turn out to be public indifference to news that could inform them of real risks.
“Users will become disinterested about or get used to media reports on cyber-threats and will disregard their real risk exposure. This is the worst thing that can happen in the cyber-protection battle,” ENISA warns.
ENISA considers alleged efforts by the Kremlin to sway the US election via hacked and leaked emails a “scary scenario” that achieved "impressive" results.
It expects governments, security agencies and service providers to eventually counter the threat; however, they may be caught on the back foot, like Google and Facebook, which began taking steps to stamp out fake news late in the election cycle.
“Given the potential role of both cyber-criminals and state sponsored actors with regard to multi-level cyber-attacks, one can easily understand the impact and range of this attack type may achieve in the future,” says ENISA.
The other two major questions facing people and organizations next year are how to stem the tide of data breaches and how to come to grips with distributed denial of service attacks powered by networks of connected and hard-to-secure devices, otherwise known as the Internet of Things (IoT).
Analyst firm Gartner this week estimated that there would be over 8 billion IoT devices online in 2017. The recent Mirai botnet attacks relied on a few hundred thousand compromised web cams and digital video recorders to launch attacks between 600 Gbps and 1 Tbps.
ENISA questions whether, in this day and age, distributed denial of service (DDoS) should be considered a cyber-weapon on the same level as Stuxnet, which disrupted an Iranian nuclear enrichment facility and was thought to have been developed by the US government.
“Is a [one terabit per second] DDoS attack-capability a cyber-weapon? These questions are extremely important and extremely relevant for the cyber-security and national security community,” says ENISA.
Referring to the Wassenaar Arrangement’s recent inclusion of cyber tools in its dual-use list for conventional tools that can be applied to warfare, ENISA contends botnets of this scale suggest cyber “would deserve an own context that goes definitely beyond conventional weapons”. It also recommends zero-day vulnerabilities be included since these have been weaponized.
The other key issues to watch in the coming year include ransomware, innovation in malware, online behavioral differences between rich and poor, security and privacy as a hindrance to cross-border trade, and the perennial cyber security skills shortage.
One area where ENISA does see “quick-wins” on the defensive side is awareness training, which could slash incidents in half if only sophisticated users could devise programs to efficiently educate the average person.
“Though guidance and good practices do exist, there is no systematic means of getting this knowledge to end-users. It seems that a better “packaging” and better dissemination of these practices may improve the situation, especially for stakeholders with low capabilities, including consumers,” says ENISA.