The Internet will look very different in 2020. Internet users will double from the number in 2010 to a total of 4 billion in 2020, and that’s just the beginning – there will be 50 billion connected devices, 50 times the amount of information, and Internet usage will be more geographically diverse than it is today. The greatest growth in Internet adoption will be seen in countries like China, India, Russia, and Nigeria.
Looking at the picture of an Internet that is now just seven years into the future, you can see where the business opportunities lie, says Angela McKay, director of cyber security policy and strategy for Microsoft and an advisor to U.S. President Barack Obama. But it will also mean a lot of cultural and behavioural differences, and an entrenched reliance that means more risk.
“We’ve moved from Internet adoption to Internet dependence,” she said at yesterday’s Techicity event, co-hosted by IT World Canada and the City of Toronto. “As the money has moved online, so have the bad guys.”
Cultural change and regulatory hurdles
As the online population shifts, so too will the values and norms of what’s acceptable behaviour on the Internet, McKay says. What might be considered economic espionage in one country could be the norm in another. For example, the United States and Canada have strong intellectual property laws to protect original content creators, but in France that is not the case.
“The idea of where there are agreements about what’s acceptable or unacceptable highlights areas for collaboration,” she says.
Working out those issues will mean that companies doing business on the Internet will be exposed to many more regulators interested in ensuring security. The European Union Network and Information Security Directive, for example, is not just focused on protecting critical infrastructure, but also on Internet consumer services from Pinterest to World of Warcraft. Still in the process of being drafted, the policy will define acceptable security practices and reporting requirements that go beyond breach reporting into incident reporting. Complicating the EU regulatory picture are the 28 member states that will adopt the directive but may apply some variations to it.
“What’s going on will affect how businesses operate across borders,” she says.
The U.S. Executive Order and Presidential Policy Directive, an initiative McKay leads on Microsoft’s behalf, is a government effort that is currently trying to create incentives for volunteers to adopt a baseline security standard. Right now it’s providing grants for small organizations and liability protection to those who meet the standards, but expect it to become a requirement in the near future.
The year 2020 will see online businesses dealing with new regulators, new controls and operational requirements, new cloud certification regimes, and “continued uncertainty,” McKay says.
Security goes mainstream
It’s time to move IT security out of its niche corner with the geeks and into the boardroom, McKay says. Customers expect and require secure products, and that means businesses must put the topic front and centre.
Discussions around the exchange of information, whether it’s customer data or software vulnerabilities, must focus on the desired outcome instead of just on how to share information. Knowing the goal will help to answer questions about who needs to be involved and what the right types of information are to exchange in the first place.
McKay points to examples at Microsoft – if it were to share information about its vulnerabilities with the government to satisfy some sort of regulatory requirement, then it would actually increase the chance of an exploit, because the government wouldn’t be working to fix the vulnerabilities. Instead, more people who could do something nefarious with the information would now be involved. But if Microsoft shares its vulnerabilities with a team of trusted developer partners, then a fix can be devised and a patch issued on the next software update cycle.
“In Microsoft, we do something called secure development,” she says. “When you are buying from a vendor you should be asking if that product comes with a security development lifecycle… you don’t want something with a bunch of holes.”
There’s an industry standard, ISO 27034-1, that details how to build comprehensive application security with flexible controls and management.
A new approach to cyber-security
Sometimes the best defence is a good offence. Microsoft is already actively working with law enforcement to bring down botnets, McKay says. The threat posed by a large number of computers that can be organized into action at the flip of a switch by a hacker goes beyond spam and into distributed denial of service concerns. That is an activity Microsoft feels it must disrupt.
In other cases, an adaptive security strategy may be appropriate. “We have to deal with the fact there are targeted and persistent threats,” McKay says.
Organizations should also be working on a policy environment that will allow machine-to-machine communications to trigger actions when threats are presented to a network, removing the latency of human decision making and reaction speed from the equation. Countering security threats requires moving at machine speed and Internet scale, she says.
Most of all, companies must be willing to work together to improve industry security.
“The bad guys are collaborating,” McKay says. “We’ve got to collaborate as well.”