Predictions are a dangerous thing. Because even fantastically smart people can be fantastically wrong. To wit:
“There is not the slightest indication nuclear energy will ever be obtainable.” —Albert Einstein
“Television won’t last.” —Darryl Zanuck
“There’s no chance the iPhone is going to get any significant market share.” —Steve Ballmer
And yet predictions are also a safe thing. Because even when you are dead wrong in public, almost nobody remembers. (Which is why your local weatherperson still has a job.)
So with this in mind, I offer my five cyber security predictions for the coming year, based on my belief that history repeats itself – and I am seeing some familiar patterns, albeit in new context. On one hand, making accurate predictions can be satisfying – but I honestly hope I am reading the tea leaves wrong on some of the more worrisome topics.
1. Cybercrime will soar. 2014 set new records for cybercrime, with hack attacks up 55 percent from the previous year according to CSO magazine’s “State of the CSO” survey. I don’t think anyone would be surprised with more breaches, but I believe the magnitude of breaches will grow as digital criminals, activists, and terrorists become more automated and crisp in their execution. Well-orchestrated and automated attacks can tear through broad swaths of information systems at a blinding rate. The stealthy ones can go undetected for months or years, inflicting damage over long periods.
More frightening still, the Internet of Things, in addition to providing new attackable surfaces, will itself be leveraged in orchestrating attacks of higher orders of scale. Just as any other connected system, many IoT devices can be compromised and weaponized into botnets. If attackers can compromise a network of game consoles, Trojans can weaponize millions of individual consoles and build an army of botnets to launch phishing, denial of service, exploit mapping, or brute-force authentication attacks. The IoT is a botnet waiting for a master.
A second major concern is that, when actual devices are compromised, the damage can be much worse than when a retailer like Target gets hit. Yes, Target and other retailers lost a lot of credit card numbers and that’s a huge problem. But if a virus worms its way into an internet-connected car, for instance, and disables the braking system, people will die. Medical devices, industrial control systems – mechanized hacks on these targets transcend cyberspace and become full-on terrorist attacks.
My prediction? In 2015 we will see the first IoT attack with human consequences.
2. Amazon cloud will fly solo. Amazon Web Services is getting very big and very different from the rest of Amazon, which is stretched across everything from media production to devices. This leads me to predict that AWS will be spun out into its own company in 2015, allowing AWS to spread its wings even more. In fact, it has to happen. AWS needs to be “set free” to grow to its true potential.
And it’s large enough to stand alone. A growing number of companies are making the move to AWS for more than just development and testing. They’re starting to move mission-critical workloads to the environment, which makes AWS an increasingly significant player in the technology ecosystem. And if AWS continues their nearly flawless execution, their capabilities will continue to grow throughout the application delivery stack and spill over into adjacent technology markets.
In any case, AWS will expand. However, based on what I hear from technology leaders in large enterprises, concerns still exist about committing to core technology services with a company that’s not a pure technology services play. Spinning out AWS and making it a fully formed, unencumbered company 100 percent focused on technology will enable AWS to accelerate its rise.
Love ’em or hate ’em, there’s no denying that AWS has changed the face of IT delivery. Setting it free, Amazon might make AWS unstoppable.
3. Skills shortages will dent cloud adoption. In the past, security was seen as the anchor to cloud adoption. Now it’s talent—and the talent gap will grow into a huge drag this year. More and more companies want to adopt cloud technologies, but the talent pool isn’t there to make it happen for all of them – yet.
This is a familiar problem, of course. There is always lag time between emerging technologies and the number of skilled workers to maximize it. But it will be especially bad in the case of cloud, as demand for cloud services goes through the roof in 2015 and talent struggles to keep up.
My belief, based on what we see with some companies aspiring to be cloud enterprises, is that two major skills-related snags will jam up cloud projects.
First is the “forklifted application” fallacy. Many companies without cloud-experienced architects believe that applications running on dedicated hardware today can simply be “fork-lifted” into a private or public cloud environment. That’s rarely the case. Characteristics like I/O speed, variability in network latency, and the “noisy neighbor” problem create problems for applications built under outdated (but probably correct-at-the-time) assumptions of highly consistent environments. Probably more important, however, is that for an application to fully benefit from cloud infrastructure it needs to be architected as a cloud application. That means higher levels of distribution, de-sensitizing apps to network and I/O latency, assuming that systems will simply vanish, and taking advantage of on-demand and transient resources.
Second is the “cloud-in-the-title” fallacy. Some companies mistakenly believe that their technical resources can simply be pointed towards the cloud model and they’ll figure it out. The reality is that it’s a complex process. It’s easy to get a cloud up and running – migration and operation at enterprise-class levels is something entirely different. Technical resources need training and time to learn and fail-up. It’s not something that happens overnight.
Cloud security is perhaps an even tougher skills order to fill. CSO magazine reports that about 90 percent of chief security officers can’t find people for many of the positions they need to fill. Worse, a systemic lack of skills is not a problem that can be fixed overnight. There will be cloud certification programs and schools forming to accredit new workers in the cloud field but – as we saw with the emergence of the Internet – it could take a decade to meet the demand.
4. Managed services will fill the cloud skills gap. The cloud skills shortage will bring a marked increase in the number of managed cloud security and managed cloud providers as companies that can’t hire people in-house will turn to outside services to meet their needs. This could mean a big opportunity for a services-oriented company like RackSpace in 2015, especially if it can jump on the opportunity and excel on the people front (something that RackSpace prides themselves on). In fact, managed services will be a greenfield opportunity for many companies over the next three to five years, and will actually be a hotbed for growing talent that will eventually disperse into the larger technology workforce.
5. Feds will write a “Sony’s Law.” Who hacked Sony? The U.S. government says North Korea. But a lot of security experts blame a Sony insider.
No matter who’s right, we will see the federal government start to take aim at state-sponsored cyber espionage against private industry. What matters is the fact that the broader public now truly believes state-sponsored cyber attacks can happen and can cause damage. Experts estimate the cost to Sony will be between 1 percent and 2 percent of the firm’s market value, an estimated $200 million. And cybercrime costs the world economy between $300 billion and $575 billion a year, according to a recent report by McAfee. This year, I expect we will see the drafting of a new state-sponsored commercial espionage policy intended to make a big statement to the world, even if that policy is initially toothless. Old security dogs out there – expect a replay of the HIPAA iterations.
Those are my five cyber predictions for 2015. Sure, some may turn out to be wrong. But as Niels Bohr—another great scientist and Einstein adversary—once said, “Prediction is very difficult, especially if it’s about the future.”
Best wishes for a cyber-safe 2015. Just don’t hold your breath.