© Yvonne Wilson, Abhishek Hingnikar 2019
Y. Wilson, A. Hingnikar, Solving Identity Management in Modern Applications, https://doi.org/10.1007/978-1-4842-5095-2_21

21. Looking into the Crystal Ball

Yvonne Wilson (1) and Abhishek Hingnikar (2)
(1) San Francisco, CA, USA
(2) London, UK

The future cannot be predicted, but futures can be invented. It was man’s ability to invent which has made human society what it is.

—Dennis Gabor, Hungarian physicist, 1971 Nobel prize winner in physics for inventing holography, from Inventing the Future (1963)

If we had a crystal ball, what would it show for the future of identity management? As the swirling mists part in our all-seeing globe, it would undoubtedly show identity management becoming increasingly necessary in the future for several reasons. First, it is unlikely that hackers will stop hacking, which means we’ll continue to need security measures to protect against increasingly diverse and potentially more automated threats. At the same time, there will be many innovative new services and devices that will be beneficial in our lives, but they’ll need adequate identity management to reduce the risk of them being used against us. We’ll also see a rise in autonomous entities requiring identification, authentication, and authorization just like humans. The notion of identity will need to spread from humans to all manner of devices, agents, and robots acting on our behalf, and such entities will need identity management as part of their defenses against malicious attacks. For all these reasons, the need for identity management will be more important than ever before, and we’ll need to do a lot more to make it easier to implement and manage effectively.

Continued Security Challenges

For starters, it doesn’t take a crystal ball to predict that we will continue to face ever more diverse security challenges in the future. The targets and types of cyber-attacks will continue to diversify as hackers are inspired with new ways to obtain and take advantage of stolen data and breached resources.

Ongoing Breaches

The number of breaches and data records reported every year as compromised shows no sign of letting up. The number of breaches covered by the Verizon Data Breach Reports for 2015 to 2019 has hovered just over 2000.i The Gemalto Data Breach Index shows that the incidence of identity theft in particular has increased in terms of number of records compromised, from 707 million in 2015 to 3.3 billion in just the first half of 2018.ii It’s important to remember that any statistics about security incidents and breaches depend on the events being discovered and voluntarily reported and therefore likely do not represent the whole picture. A large breach can also skew the numbers from one year to the next. However, both common sense and the numbers reported each year indicate that the need for cybersecurity is not going away anytime soon.

Evolving Targets

The targets and methods by which stolen data is monetized have been evolving. As one industry or avenue of theft comes under attack, consumers and service providers implement mitigations, causing cybercriminals to pivot to easier targets. The financial industry was an early target, but as financial institutions implemented more defenses, the entertainment and retail industries came under increasing attack, often as a source for stolen credit card data. Recent years have seen increased focus on healthcare and small/medium-sized businesses as well.

With the introduction of an EMV microchip in credit cards, and increasing use of multi-factor authentication in financial services, some hackers have shifted their focus to stealing identity data and creating new ways to monetize it. Fraudsters have used stolen identity data to obtain medical services, commit insurance fraud, apply for tax refunds, and even redeem loyalty club points. Hackers have successfully exploited vulnerabilities in Signaling System 7 (SS7), the system that allows interconnection between phone networks, in order to intercept the SMS text messages commonly used for multi-factor authentication protecting access to financial accounts and other targets of value.iii The constant adoption by attackers of new targets and techniques will require commensurate ongoing evolution in security defenses, including identity management mechanisms, to protect consumers and businesses.

Diversifying Motives

While early hackers often hacked into systems for entertainment and bragging rights, the motives for hackers have diversified over the years. Financial motives dominate today, with the 2019 Verizon Data Breach Report indicating that financial motives were behind 71% of the breaches studied.iv Recent years have also seen attacks with other motives including hacktivism, industrial espionage, cyber espionage by nation states, election tampering for political gain, and cyberwarfare as a political tool or in support of physical warfare. The development of comprehensive threat models and mitigation plans will need to consider a widening array of actors and motives in addition to many new types of targets.

More Targets

There is a dizzying array of new technology available to benefit many aspects of our life, which unfortunately also creates many new types of targets that require protection. A wide offering of products, from home security cameras and baby monitors to smart speakers and HVAC systems, as well as car entertainment systems, health monitoring devices, and robots, has increased the possibility that malicious actors can threaten our homes, businesses, cars, and even our bodies from afar. Better security, including identity management, will be required to protect the devices in our homes and businesses so they’re not used against us.

Homes and Businesses

Smart devices for homes and businesses offer many conveniences, but require security to prevent them from being used against their owners. Security cameras and baby monitors have been hacked to spy on people in their homes.v Even smart dolls such as the My Friend Cayla doll and Furby, designed to interact with children, have been found to have significant privacy and security issues, being hackable via Bluetooth connection.vi, vii Smart devices have also been used to enable attacks against other resources on the same network. A particularly eye-opening example is the hack of a network-attached sensor for an aquarium heater for a large fish tank in a Las Vegas casino lobby.viii The sensor provided a conduit for hackers to infiltrate the casino’s network and exfiltrate data. Without adequate security, the Internet makes it possible for hackers anywhere in the world to leverage vulnerable network-attached devices, even innocuous-seeming fish tank heaters, for malicious purposes.

Cars

Cars now offer new infotainment systems with an increasing number of helpful services. Passengers can view movies and play video games. Drivers benefit from onboard navigation systems, and services like OnStar can provide communication, weather information, emergency assistance, and remote diagnostics.ix Along with these valuable services, however, has come a new attack surface, and security researchers have demonstrated several exploits against it.

In July 2015, news broke of an attack against a Jeep Cherokee in which two security researchers demonstrated taking control of a car driving down a highway 10 miles away.x By exploiting a vulnerability in the Uconnect system, which controls the car’s entertainment system, they were able to send commands from their laptop to the car’s dashboard, steering, brakes, and transmission.xi This incident was alarming because it demonstrated the potential for a security vulnerability to be exploited to inflict physical harm on a car’s occupants. Since then, researchers have demonstrated additional vulnerabilities by compromising a Tesla key fob to steal a Tesla, unlocking and remotely starting cars with OnStar RemoteLink, and taking control of navigation systems in Volkswagen and Audi vehicles.xii Cars and the services delivered to them will need to be designed with adequate security to protect the privacy and physical safety of occupants.

Medical Implants and Monitoring

A wide variety of medical devices help us treat chronic conditions and live fuller lives. Remote patient monitoring (RPM) technologies can be used for monitoring factors such as blood pressure and pulse, blood sugar levels for diabetes, and even heart function.xiii Implanted cardiac devices, for example, connect to the heart and provide relief for several heart conditions including hearts that beat too slowly, too fast, or unevenly. A monitor often connects wirelessly to retrieve data from the device. Remote monitoring with implanted cardiac devices provides the ability for doctors to assess patients without physical visits and detect problems earlier. The technology designed to improve our health, however, could potentially be used against us if not adequately secured.

In March 2019, a security vulnerability was announced for Medtronic implantable cardiac devices (implantable cardioverter defibrillators).xiv The devices rely on the Conexus protocol, which was not designed with any form of authentication, authorization, or encryption. Data was transmitted in the clear, potentially allowing an eavesdropper to gather information about a person’s condition. Most alarming, however, was the possibility that an attacker within 20 feet could reprogram the cardiac device. The small size of these devices means they may not have the memory or processing power to run some of the security protocols used in less-constrained environments. Further innovation and education will be needed to design and deploy efficient but lightweight security protocols on extremely small capacity devices.

Robots

Robots and industrial automation technologies are being designed for many industries and offer promises of efficiency, accuracy, scale, and performing tasks in environments dangerous to humans. Robots have been designed for surveillance, monitoring, routine chores such as vacuuming, disaster response, education, entertainment, manufacturing, medical applications, autonomous mobility, and research.xv The breadth of applications for which robots have already been designed is incredible. However, security researchers have also demonstrated security vulnerabilities in several types of robots.

Security research firm IOActive described a worrying list of security issues in robots in a paper about a recent investigation they conducted.xvi They evaluated robots used in homes, businesses, and industry settings, and despite it being a limited study, they found almost 50 vulnerabilities, including inadequate authentication and authorization, allowing unauthorized access to robots as well as the ability to install software on the robots. Communications involving sensitive data were not secured, and encryption of data was either missing or improperly implemented. The devices were often not secure by default, and best practices such as changing default administrative passwords were difficult.

Given the likely widespread use of robots in the future, this should be fairly alarming. Microphones and cameras in robots can be taken over for cyber espionage purposes to steal personal information or proprietary corporate information. The security of a network can be threatened by vulnerable devices attached to the network, meaning inadequately secured robots could potentially provide a conduit for attackers. Robots could also be taken over and weaponized, disabled, or held for ransom. Significant damage could be done if robotic technology is not hardened.

Erosion of Perimeter Protection

The computing infrastructure used to deliver services to consumers and businesses alike has been moving from individual data centers to cloud services and involves logic running on myriad new types of devices and edge computing servers. This has bypassed the layer of security once provided by enterprise network perimeters. As a result, identity management services have become more important to protect the access to individual infrastructure components. Organizations utilizing many services will need efficient solutions to provision and manage identities and access privileges across a widening portfolio of services and devices.

The combination of ongoing threats, evolving targets, a widening circle of actors and motives, and the bypassing of traditional network perimeter protections results in an increased need for effective identity management. At the same time, we’re seeing an explosion in the number and types of entities which need an identity in order to securely participate on the Internet and access services.

Identity – Not Just for Humans

Most of the examples in this book have featured a human user, but there will be more nonhuman devices and agents in our lives in the future. They will need identities and the ability to authenticate themselves much like human users. They will also need to authenticate the services with which they communicate. Some of them may need to be associated with their owner’s identities, and identity management will be needed to adequately secure them as well as the services they interact with. The following sections provide a few examples.

Personal Agents

Virtual personal assistants, customer assistants, and employee assistants will become more capable and connected. Applications on smartphones can use virtual personal assistants such as Siri or Google Assistant through APIs, enabling users to access app features and shortcuts from the lock screen or in hands-free mode. Users will be able to go beyond having assistants do simple tasks like taking notes, setting alarms, and calling friends to enabling them to perform tasks in applications on their behalf, such as making purchases or sending payments. Concierge applications might use information about our habits and preferences to help with tasks like making dinner reservations or purchasing airline tickets. Without requiring our interaction, smart applications could help with routine chores like making preventive doctor appointments, regular purchases, or texting a friend with whom we have a meeting to let them know we’re running late. In corporate settings, virtual employee assistants could help with tasks such as scheduling meetings, diagnosing problems, or analyzing data. As virtual personal assistants act more autonomously, they may need to be authenticated and authorized just like a human user to ensure they perform authorized tasks and not those of a hacker. They’ll also need to be capable of authenticating the services with which they interact, to avoid disclosing sensitive information to incorrect parties.

Autonomous Vehicles

Autonomous vehicles will significantly change transportation, but lack of a driver will shift some identity requirements from drivers to other entities. Humans may need to identify and authenticate autonomous vehicles that give them a ride as part of mobility as a service. Entrance gates to secured facilities may need reliable mechanisms to authenticate autonomous vehicles, rather than drivers, when goods are delivered. Smart cities may want to authenticate and monitor autonomous vehicles on bridges, in tunnels, or near critical infrastructure. Autonomous vehicles may even need to identify and authenticate each other and validate the integrity of software controlling a nearby car, especially in tight spaces or at high speeds. Just as some networks only allow managed devices with validated configuration to connect, cities or highways may want to only allow authenticated and properly secured autonomous vehicles in sensitive areas.

IoT Devices

The potential applications for Internet of Things (IoT) devices are enormous. Smart thermostats, cameras, TVs, lighting, appliances, toys, medical devices, and a fascinating diversity of data-collecting sensors are just a few examples. IoT devices that have an IP address with which to communicate on the Internet will also need to authenticate themselves to remote servers and use adequate transmission encryption before transferring data, to protect sensitive data as well as the integrity of uploaded remote datasets. They will also need to authenticate requests coming from administrative applications to mitigate the risk of malicious commands and software uploads to the devices. Without identity management and security measures, IoT devices can potentially be used to spy on their environment and corrupt datasets or, worse, be hijacked or rendered inoperable for malicious purposes.

Robots

Robots will need identities for the same reason as other IoT devices. They will need to authenticate themselves to services with which they interact, and they will need to authenticate incoming requests to prevent the robot from being taken over for unauthorized purposes. Robots will, in general, have significantly more capabilities and processing power, and therefore the potential for how they can be turned to malicious purposes may be greater than with smaller, simpler IoT devices like sensors. In addition to being used for espionage, robots can potentially be taken over and weaponized to cause physical harm.

On the Horizon

There are several promising solutions which bear attention. Efforts by governments and private consortiums to establish strongly validated identities, more standardized strong authentication, and new protocols for constrained devices will be rolled out and tested in real-world scenarios and will benefit identity management.

e-Identity

We expect to see more electronic identity initiatives around the world. Governments face the same pressures as businesses to deliver services more efficiently to distributed populations, which typically drives pursuit of online delivery for services. At the same time, many government services must be protected against fraud, which means their online delivery requires well-validated electronic identity information and stronger forms of authentication than simple passwords. This is likely to increase interest by governments in government-issued electronic identities (e-identity) or public-private sector collaboration for e-identities.

Several governments have already embarked on national e-identity initiatives. Estonia has a well-established e-identity program that issues a digital identity to citizens and residents and is used to streamline functions such as accessing government services, paying taxes, coordinating healthcare, and voting.xvii Estonia is even working on expanding this to create a digital nation, offering select services to remote e-residents.xviii Belgium has issued a national digital identity which can be used for identification, digital signature, and access with public services online.xix A consortium of mobile phone network providers and banks in Belgium, called Belgian Mobile ID, have created a mobile application called itsme that enables those with a Belgian e-identity (eID) and mobile phone to register at participating web sites, authenticate, confirm payment transactions, and digitally sign documents.xx In yet another model, Sweden offers access to some public services via electronic identities issued by banks.xxi

Electronic identity programs will face some adoption challenges. Cultural distrust of governments or the banking industry in some countries may hinder e-identity initiatives. Privacy and security concerns will also need to be addressed. The constitutional validity of India’s ambitious Aadhaar electronic identity program, for example, faced a lengthy Supreme Court challenge which hinged on security and privacy concerns.xxii However, the need for governments to deliver public services efficiently and securely, the desire by some businesses to leverage more strongly validated identities, and the preference by citizens and customers to conduct more transactions online will likely drive continued efforts by governments and private sector consortiums for citizen/consumer-facing e-identities. In addition to validated identity information, such identities will need to support stronger forms of authentication.

Stronger Authentication

We will doubtless see increased adoption of stronger forms of authentication to mitigate the risks associated with static passwords. The recently finalized W3C Web Authentication (webauthn) specification creates a more standardized level of abstraction between applications and specific authenticators. Developers will be able to implement authenticator-agnostic strong authentication, and users will gain the ability to use authenticators of their own choosing, whether hardware security tokens or biometric factors collected by their device. This standard is likely to facilitate the adoption of stronger forms of authentication and reduce the use of passwords as a sole authentication factor.

Solutions for Smaller Devices

We anticipate ongoing evolution in solutions and protocols to support smaller, constrained IoT devices that need protections such as authentication, authorization, message integrity validation, and encryption. Devices with small amounts of RAM, and which need to minimize power consumption to conserve battery life, need lightweight protocols that minimize round trips and overhead and use cryptographic algorithms that allow smaller keys and/or certificates. Entities that need to validate security messages and certificates depend on having accurate time, as well as on solutions for detecting certificate revocation, but existing solutions may not work on constrained devices. The Constrained Application Protocol (CoAP),xxiii Transport Layer Security (TLS) 1.3,xxiv and Datagram Transport Layer Security (DTLS) 1.3xxv may prove useful for solutions involving such devices.

Easier Adoption

We need better resources created to make correct implementation of identity management easier for developers. The specifications we have discussed total over 800 pages. This is a lot for developers to absorb, especially when you consider the number of specifications involved, requiring developers to go back and forth between multiple documents to coalesce advice and figure out how to apply the technology correctly in their application and environment. Libraries will be needed that are well documented, support a good user experience, and help developers implement the protocols/frameworks correctly. To be successful, this will require collaboration between parties creating or promoting specifications, platform/device vendors, user agent vendors (for devices with browsers or other user agents), security analysts, and those creating libraries and SDKs. A sentiment from John Dickinson’s 1768 “The Liberty Song” says it best: “By uniting we stand, by dividing we fall.”xxvi

Summary

The future will undoubtedly bring increased and more diverse challenges to our online security. Perimeters that provided a layer of protection in times past, especially in enterprises, are increasingly bypassed. New threats will arise from the use of many innovative new services and Internet-connected devices that need to be secured. At the same time, nonhuman, autonomous entities and agents will act on our behalf and need to be authenticated, authorized, and monitored just like humans. We’ll need more strongly validated identity, stronger authentication, and solutions for constrained devices as well as better resources to help developers do the right thing quickly and easily.

Key Points

  • Security challenges will continue with diversified targets, actors, and motives.

  • We will face more security and privacy risks from network-connected devices in our lives such as smart home devices, car infotainment, and medical monitoring.

  • The number of nonhuman entities that will need identities and identity management will grow substantially, considering technologies such as personal agents, autonomous vehicles, and IoT devices including robots.

  • More governments and/or private consortiums will issue electronic identities based on more strongly validated identity information.

  • Passwords as a single authentication factor will continue to be replaced with stronger forms of authentication.

  • Security protocols will need to accommodate the small memory, processing power, and power consumption requirements of small IoT devices to better secure them.

  • Identity management will become even more important in the future to help protect innovative new services and devices.

Notes

  i.
  ii.
  iii.
  iv.
  v.
  vi.
  vii.
  viii.
  ix.
  x.
  xi.
  xii.
  xiii.
  xiv.
  xv.
  xvi.
  xvii.
  xviii.
  xix.
  xx.
  xxi.
  xxii.
  xxiii.
  xxiv.
  xxv.
  xxvi.