Four New Normals for 2017

Ransomware, insecure connected devices, bug bounties and governments buying bugs: All four ceased to be novelties in 2016; they’re all new normals for cybersecurity.

Let’s not talk about cybersecurity predictions for 2017. Let’s talk instead about new normals, things that have ceased to be novel because, well, they happen all the time and everywhere.

Let’s concede that things such as greedy ransomware, imposing IOT botnets, high-profile bug bounties and bug-buying-and-selling governments aren’t going away. They can’t be fixed; won’t be swayed; are part of the landscape; insert your favorite cliché here.

New normals.

All four dominated 2016 in some form, and each entrenched itself in your risk assessments, defensive strategies and budget decisions. In fact, we’re just about at the point where each fails to qualify as news, just like old-school viruses, data breaches and spam. They’re just there.


Why didn’t anyone think of this 10 years ago? Slammer, Conficker and every other worm in the early 2000s put everyone on edge, but exactly how much money were hackers making with worms that clog up SQL Servers? Zilch.

Crypto-ransomware flipped the cybercrime game on its head. This is the new normal for malware, a tidy package of malicious code that works by simply encrypting your files and folders, or your hard drive, and asks for money in return. Forget DDoS as your No. 1 extortion vehicle; it’s all about Cryptolocker, Locky, Petya and the dozens of other ransomware samples that popped up this year.

Ransomware certainly isn’t new, but it certainly hit critical mass this year. We had real-world impact where hospitals were forced to move patients to other health care facilities, law enforcement operations were unable to access records databases, and utilities wondering if they were next.

This is not good. And it’s fixable to a point. Just like with old-school malware, signatures catch up with new threats relatively quickly, but nothing has evolved as fast as ransomware. Nothing related to cybercrime has nudged the FBI into issuing nation-wide alerts or asking for victims to share relevant data about attacks.

IoT Botnets

Used to be that DDoS attacks required thousands of endpoints under the control of a central entity to take down a bank or Yahoo. But endpoints can—and do, for the most part—get patched. So are we a victim of our own success with botnets comprised of connected things?

Criminals have found something that can’t easily or readily be patched in IP-enabled closed-circuit TV cameras and DVRs. These devices are already in the wild, and connected, and accessible. Admin:Admin and 61 other crappy passwords opened Pandora’s box and cut loose the effects of the Mirai malware. Once the source code was posted on the Hackforums site by hacker Anna-Senpai, it was game over. Skilled hackers could take that code and build variants of Mirai to take down new targets and cause more worry.

The attacks on Dyn, Brian Krebs, OVH and others just showed the way. The Dyn attack in particular was worrisome because to a degree, it affected the stability of the Internet for a period of time on a particular day. For a few hours, a DNS provider went down and took Spotify, Twitter and more with it, primarily on the East Coast of the U.S. Was it a dry run for something bigger? Depends on whom you ask.

If you ask Bruce Schneier, he may tell you it was a basic DDoS attack. But bigger picture, Schneier told Congress, is that it’s time for regulation. There’s no wrangling this horse back into the barn. And even if it comes at the cost of innovation, the fact that the pace at which devices are being connected is outpacing our ability to properly secure them, it’s time for an intervention. Schneier and others are in the camp that the government has to step up and step in and demand that manufacturers follow a standard of care and protection that doesn’t harm consumers and core services.

Bug Bounties

Bug bounties should not be news anymore. And speaking as a newsperson, they really aren’t. And that’s a really good thing.

Not every company has a high-profile public bug bounty, but more companies than you realize have private ones that they’re running with the help of companies like HackerOne, Bugcrowd, Synack and others.

Bug bounties are about the reward on their public face. Hackers can legally poke around a company’s web properties, find holes, report them through an established channel and make some money. Some are making a lot of money, others like to see their name on a vulnerability advisory; it amounts to an intellectual exercise.

Ten years ago, there was the No More Free Bugs movement where researchers said enough to turning bugs over to Microsoft et al for nothing, all the while wondering if and when they were going to be sued.

Does every company have a bug bounty? No. But there are enough out there to demonstrate that it’s a worthwhile initiative, and that bugs get fixed, and the finders get paid. The Army has one, the Pentagon and General Motors too. Not all of them pay, and apparently, that’s OK with more researchers than we realize. If we’re to believe recent NTIA survey results, hackers prefer consistent and open communication with a vendor throughout the reporting and remediation process, more so than getting paid.

Bug bounties aren’t novel any more, and they’re not news. And that’s excellent.

Bug Buying

Governments buy vulnerabilities. Governments buy exploits. Governments keep said bugs. Said bugs don’t get fixed. And if you find out about a government-purchased bug in the wild, it’s because someone slipped up, or had a slip of the slip.

Governments have a different mission than business, and part of that mission is national security, and that involves gathering intelligence. To think that governments don’t spy—or at least collect—our internet activity is silly.

One way it’s done is by buying vulnerabilities, building exploits and using them to spy on adversaries. That’s been a reality for decades. James Bond found listening devices in lamps and behind paintings, today he’d be looking for a macOS rootkit. It’s the way the game is played and the buying power of governments enables espionage at this level.

Thankfully in the U.S., we at least have the illusion that there are checks and controls in place on those powers. The rampant abuses uncovered by outfits such as Citizen Lab are invaluable to shedding light on how abusive, oppressive regimes abuse these tools to spy on, and endanger, their citizens. These are the traps democratic nations hope to avoid. Calling for an all-out ban, or complete transparency, of the government’s bug-buying activities is just as silly and naïve as believing that this is a novelty. It’s been a new normal for a long, long time.

Suggested articles