Casey Ellis, Bugcrowd: Govs Around the World Will Continue To Adopt Vulnerability Disclosure in 2021
This is part of an ongoing 2021 predictions series. We’ve asked top cyber experts to contribute their insights and expertise to provide a look ahead at what the new year may bring to cybersecurity.
Casey Ellis, CTO, founder, and chairman of Bugcrowd:
Ethical hackers will play a key role in securing future elections
In 2021 and beyond, all organizations with a stake in the voting process will collaborate with ethical hackers to ensure the integrity of voting systems and processes, therefore assuring the general public that the election process is as secure and trustworthy as possible. The reality is that security researchers can test voting systems just as an adversary would to uncover exploitable vulnerabilities, and then relay that feedback to the appropriate personnel for remediation on a prioritized basis.
Previously, voting equipment manufacturers looked down upon security researchers that would proactively test their equipment, but we saw major leaps this year as major providers like Election Systems & Software (ES&S) announced policies to work more closely with researchers to find bugs in their networks and websites, as well as support from the DHS and CISA to enable states like Ohio and Iowa to implement VDP as a state level.
What’s needed next is cooperation from the U.S. government, specifically with clarification around the Defending the Integrity of Voting Systems Act and the Computer Fraud and Abuse Act (CFAA). These laws currently serve as barriers for security researchers to do their jobs and test voting systems in good-faith, as ethical researchers fear being prosecuted for doing their jobs. Looking ahead, as government officials start to pay closer attention to cybersecurity, it’s possible we may see these laws revised for the betterment of our democracy.
Governments around the world will continue to adopt vulnerability disclosure as a default
Governments are collectively realizing the scale and distributed nature of the threats they face in the cyber domain, as well as the league of good-faith hackers available to help them balance forces. When you're faced with an army of adversaries, an army of allies makes a lot of sense.
Judging by the language used in the policies released in 2020, governments around the world (including the UK) are also leaning in to the benefit of transparency inherent to a well-run VDP to create confidence in their constituents (neighborhood watch for the internet). The added confidence, ease of explanation, and the fact that security research and incidental discovery of security issues happen whether there is an invitation or not is making this an increasingly easy decision for governments to make.
State-sponsored attackers will use false flag attacks more often in their cyberwarfare efforts
A false flag attack is when an adversary attempts to make their attack appear to originate from another entity. This category of attack made major headlines when Russian attackers used this tactic against the 2018 Winter Olympic Games in Pyeongchang, South Korea, and attempted to make their intrusion look as if it were carried out by North Korean actors. Given the already severely strained relationship between North and South Korea, this is a good demonstration of the low cost and ease of misattribution - as well as the potentially devastating consequences.
Since then, there has not been a major attack that was discovered to be a false flag operation. But, there has been ample time for state-sponsored cyber groups to improve their tactics in order to successfully launch more advanced false flag campaigns. 2020 has also seen an increasing burden of proof around the effectiveness of cyber-enabled disinformation and misinformation as a tool in the hands of both foreign and domestic actors with a political goal.
Looking ahead, governments should expect state-sponsored attackers to launch false flag campaigns more frequently. As such, governments must consider information warfare and cyberwarfare to have merged in their execution and outcomes, and be very focused on clear and clean attribution when an attack takes place.
The life or death nature of ransomware in healthcare will increase pressure to pay ransoms
Historically, hospitals have been a lucrative target for ransomware attacks, as the need to access computer systems and patients’ protected health information (PHI) creates a sense of urgency that leads to victims likely paying their extortionists. However, this year showed that ransomware attacks can now have fatal implications, further driving the urgency to combat ransomware in the healthcare sector.
In September 2020, adversaries hit a German hospital with ransomware that led to a patient not being able to receive life-saving treatment and passing away, the first known death that was directly caused by a cyberattack. Looking ahead, it’s likely that other attackers will prioritize ransomware attacks on strained healthcare facilities’ critical life support systems as the urgency to save a patient’s life would put great pressure on any hospital to pay a ransom.
To prepare for potentially fatal ransomware campaigns, the healthcare sector needs to identify its critical systems and determine which are most business critical. Then, each healthcare organization can prioritize those critical systems for upgrades to ensure proper security for patient well-being.
As ransomware becomes more a question of "when it will happen" than "if it will happen", legislators and the cybersecurity industry itself will be pressured to find ways to solve the ransomware problem without needing to reduce the choice to "pay or not pay".