This article is a part of BG BrandLab’s Cybersecurity Special Report, meant to provide insights about today’s cyberthreats and the steps readers can take—as  individuals, employees, and decision-makers—to protect against them.

The realities of cyber threats cannot be overstated. The US, including Boston, must learn to defend against cyber adversaries ranging from enemy states to organized crime rings. Threats are growing in volume and sophistication. To protect themselves, and to secure public and private entities, people must understand the key trends that will shape cybersecurity’s future.

Attacks and losses on the rise
For starters, attacks on smaller targets will continue, and probably increase, as adversaries use more-advanced tools that make these small attacks financially viable. Aided by AI and automation, bad actors can attack smaller targets at scale to reap large financial gains.   

The Boston Globe reported earlier this year that Recorded Future, a Somerville data security company, identified 53 ransomware attacks against state and local agencies in 2018, up from 38 the year before. Allan Liska, threat intelligence analyst at Recorded Future, says that trend is continuing. 

This year, they have observed an acceleration in ransomware attacks across all sectors, but particularly for state and local governments. Liska notes attackers are finding new ways, beyond phishing, to gain access to their targets, such as taking advantage of remote access and Managed Service Providers vulnerabilities. 

Alan Brill, senior managing director at Kroll, a division of Duff & Phelps, notes the rise in ransomware attacks is also due to the availability of smaller, lesser-known attack variants on the dark web. 

The security ramifications of 5G and IoT
5G wireless networks will soon be ubiquitous. These networks afford unprecedented speed with low latency (lag time). Together with the roll-out of Internet Protocol version 6 (IPv6), 5G will transform the cybereconomy within the next two to three years, says Samuel Sanders Visner, director of the National Cybersecurity Federally Funded Research Center at the MITRE Corporation and an adjunct professor at Georgetown University.

According to the Federal Communications Commission (FCC), the current IP system, IPv4, has four billion available IP addresses, but they are running out. Per the FCC’s website, “IPv6, the next-generation protocol, provides approximately 340 undecillion IP addresses, ensuring the availability of new IP addresses far into the future, as well as promoting the continued expansion and innovation of internet technology.”

This means we will be able to assign IP addresses to more devices and enable them with computer-aided programs, explains Visner. Everything from smart fridges and security cameras, to sensors and valves, to smart cars and road signs, to heart monitors and pacemakers will be computer-enabled, and the data these devices produce will be used by artificial intelligence to manage businesses and critical infrastructures. This will afford tremendous gains in efficiency and capabilities across industries and homes, but it will also pose a huge risk by providing cybercriminals more points of entry into a software environment or network.

Engin Kirda, co-founder of the cybersecurity company Lastline Inc., computer science professor at Northeastern University, and director of Northeastern’s Cybersecurity and Privacy Institute notes that although traditional computing systems have gotten better at protecting users, the emergence of mobile and IoT devices complicates the defense landscape.

“The difficulty bar for exploiting a modern operating system such as MacOS or Windows 10 is much higher today than it used to be a decade ago. However, most of the simple techniques are extremely effective against many IoT devices, or even modern vehicles such as e-scooters,” he says.

He says our best shot at a solid defense is government-mandated standards for all internet-connected devices to ensure all devices meet safety standards and are updated regularly to address discovered vulnerabilities.

The AI bright side

The good news is the same tools criminals use to strengthen attacks can be deployed to improve defenses. Research is underway in Boston to explore new ways to use AI to automate security decisions, discover anomalies, and identify cyber breaches quickly, says Kirda. For example, at Northeastern and at Boston University, Kirda and his colleagues are working on using AI to detect anomalies in network traffic that are indicative of malicious activity.
 
Mike Pinch, director of threat management at Security Risk Advisors, a cybersecurity consulting firm that does work in Boston, believes AI and machine learning-based security systems are making the most significant impact in prevention and detection of malware.

“They are not perfect, but they have been enough to force attackers to sharpen their toolsets,” he says. “The next phase for AI/ML based tools is in the response phase, through automating or aiding the actions taken to neutralize a threat or attacker once they are detected on the network.”

Up in the cloud
One of the most common trends for Boston tech startups is the use of cloud services, notes Pinch, indicative of a global trend. According to an analysis of a LogicMonitor survey, 83% of enterprise workloads will be in the cloud by 2020.

The same survey found that 66% of IT professionals cite security as their greatest concern when it comes to adopting an enterprise cloud computing strategy. Cloud platforms will continue to take steps to strengthen and secure their offerings, but companies using them must learn how to keep “serverless architectures” secure, says Pinch.

The blurring lines of work and home
An estimated 57 million Americans freelance, according to the “Freelancing in America: 2019” report by Upwork and Freelancers Union. The report found freelancers are most likely to be skilled professionals, and 60% of freelancers do so by choice. This shift creates significant workplace changes. Companies need flexible technology solutions that facilitate remote-working and decentralized collaboration. But these new workstyles open companies up to security risks.

Freelancers will need to master their own vulnerability management to protect themselves, and the companies they work for, and companies will need secure solutions and processes for managing these modern workforces.

The case for R&D, collaboration, and education
This year, the US launched the Cybersecurity Solarium Commission, a bipartisan initiative comprised of members of Congress, federal agencies, and the private sector with the purpose of addressing cybersecurity threats. This is an important step, but Visner believes the nation must also double down on whole-of-nation collaborative research and development (R&D).

“When the US puts our minds collectively to R&D, we exceed expectations,” he says, pointing to the Manhattan Project, US dominance in aerospace, and the handling of the HIV aids epidemic as examples in which government, academia, industry, and nonprofit worlds came together for a shared goal.

Udi Mokady, founder, chairman, and CEO of CyberArk, a Boston-based cybersecurity company, also notes the need for collaboration to improve cybersecurity. “When government and industry leaders—locally, nationally, and globally—work together to connect the dots across technology and legislation, organizations are given the tools to better protect themselves and their customers against a common enemy,” he explains.

Boston can strengthen its defenses by emphasizing education. “The earlier we start educating in schools, not only about personal cybersecurity best practices, but also about coding, developing, and entrepreneurship, the stronger our cybersecurity community will be,” says Mokady.
 
Kirda notes that students who study cybersecurity-related skills leave college with phenomenal job prospects, and those prospects will only get better. The cybersecurity unemployment rate dropped to zero in 2016, and has remained there ever since, according to Cybersecurity Ventures. Its “Cybersecurity Jobs Report” predicts there will be 3.5 million unfilled cybersecurity positions by 2021, up from one million in 2014.

Kirda reasons cybersecurity courses should be mandatory for students. “Many attacks succeed because users fail,” he says. “Showing them how not to become cyber victims would be an important step in preventing many future attacks.”