When you squeeze a balloon, it bulges out where you aren’t squeezing. Likewise, when you increase the difficulty and cost to break a cyber system, attackers will naturally flow to where security is weaker. This might mean moving from attacking operating systems to applications, or to low-level hardware, the network or the underlying infrastructure.
Cyber attackers consistently follow the path of least resistance to most return. We see this flow-to-the-weakest time and again. When it became more difficult to attack traditional Windows systems, attackers started targeting browsers and social media, printers and routers. This type of move is quite simple, really, when seen as a return on investment calculation: attackers will make investments in techniques and targets that give them more return for less cost and risk. Shift the cost, risk and return values a little, and likewise, the attackers will adapt.
Following the improvement of cyber relations between the US and China at the end of the Obama administration, we saw Chinese attackers move to more subtly target infrastructure and telecommunications providers, and that shouldn’t have come as a surprise to anyone.
Now, the combination of upcoming elections, continued Brexit strife, and trade wars between the US and several countries, including China and Huawei, has created a perfect storm for another adjustment and move in cyber techniques. The more complex the geopolitical landscape becomes, the more likely we are to see nation-states flex their cyber muscles and exercise their cyber options. And that means that cyber agencies and actors must be preparing now. To continue the analogy, more air is being fed into the balloon.
The question is, where will it bulge next? For that, we have to consider both overlooked pieces of the security landscape and new, emerging, underprotected technologies. Like a toddler walking alone on the side of a road, new technologies are in a world of fast, dangerous traffic. New tech is uniquely vulnerable due to its immaturity: this puts technologies around IoT, OT and 5G in the crosshairs next.
IoT and OT have received their share of security attention and general hype, but 5G is perhaps the most imminent wave of technology that will get abused. With its bandwidth and raw capacity promises, architectures must be revisited to take advantage of 5G, especially around Software-Defined Networking and Network Function Virtualization. This will open new opportunities, ironically driving a renaissance of older techniques like denial-of-service (DoS), spoofing and in-the-middle classes of attack.
The most important demand now is to improve authentication, authorization, and trust models, along with strategies for dealing with massive DoS threats, ahead of the attention 5G will get when the cyber balloon is squeezed. Attackers are undoubtedly building arsenals and optionality for all the tasks they will soon need.
In the old days, we worried about a tap on a copper line, then later we worried about protocol interception in the world of IP addresses, and now we will have to worry about the identity of everyone and everything, from systems and services to control plane and auditing. The attack surface will balloon thanks to the technologies that come along with 5G, technologies that seek to optimize the value of all that juicy bandwidth. And the pressure squeezing that balloon is only going to get tighter.
It’s still the early days for 5G, and we don’t want to slow adoption down for macro-economic reasons; but the sincere hope is that security will be part of the conversation early and often as we re-architect and gear up in a more active cyber world.