As businesses enter the second year of the COVID-19 pandemic, what kind of impact will this major societal event have on emerging security threats in 2021 and how will identity play a key role in the shift back to pre-pandemic “normal”?
Providing predictions for the year ahead for Digital Journal is Ben Goodman, CISSP and SVP at ForgeRock. Goodman considers security and the future of identity.
Domestic cyber terrorism on the rise in 2021
While we’ve seen an increase in international cyber terrorism in recent years, the outcome of the 2020 election may lead to domestic cyber terrorism attacks as an emerging threat. Due to the volatile political climate from the election, plus the spread of false information, it could be the perfect storm for domestic cyber warfare between hacking groups. While we’ve seen for-profit cyberattacks from foreign actors, security teams should be wary of cyber terrorism from domestic groups as well.
Hacker groups like Anonymous have gained a great deal of notoriety over the last decade, linked to numerous high-profile incidents including Internet attacks on governments, major corporations, financial institutions and religious groups. This year, a right-wing conspiracy-theory group known as QAnon has grown in popularity and spread from fringe message boards to mainstream platforms and has become a growing political issue. With all of the Reddit and subreddit message boards, and white supremacy groups using the internet to spread their influence, extreme political groups can use the Dark Web and may attempt to instigate cyber warfare in reaction to the 2020 election results.
Identity will be a key technology for helping people return to work in 2021
Digital identity technology will be a critical component for managing health checks, vaccine distribution and information related to virus exposure and citizens’ requirement to quarantine. Medical professionals, employers and employees must have transparent, but private ways of sharing this kind of data to help enable the return to work in person.
For example, businesses may require health checks or proof of vaccination when people enter an office building or other crowded space. Identity will be key in managing this health history information and keeping everyone safe, while preserving individuals’ privacy. The COVID-19 Credentials Initiative already exists, which is a working group that aims to help deploy privacy-preserving verifiable credential projects in order to mitigate the spread of COVID-19 and strengthen our societies and economies.
Their goal is to use Verifiable Credentials, an issued assertion containing a set of claims about an individual or organization, similar to a physical credential like the cards in one’s wallet. The unique value of Verifiable Credentials is that they are digitally native and cryptographically secure, making them a great privacy-preserving alternative to other types of credentials, if used responsibly.
Now that AI is more widely used, bad actors will try to “poison” the data
In 2021, we will see an increased number of “data poisoning” attacks occurring as more organizations are deploying AI platforms across their systems. In previous years, malicious hackers had already discovered that they can attack AI and machine learning software by feeding the AI illegitimate data to cause it to produce negative and/or inaccurate results. This will become a more prominent issue in 2021 and the following years. Bad actors can feed the AI software an image with another image inside that does the opposite of what the AI is supposed to do so it will poison the AI algorithm.
For example, when AI is used for detecting fraud, fraudsters can submit bad data that makes the software unable to detect the fraudulent activity. Many security platforms use AI and machine learning data to detect cyberattacks by identifying anomalies in existing data, so this is a considerable threat that could potentially throw off their detection methods. In 2021, it may be necessary to use separate AI to do integrity and security checks on data collected by the initial AI software.
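The integrity check suggested above can be as small as a second model that votes on each training label before retraining. The following is an added example, not code from Goodman or ForgeRock; the k-nearest-neighbour vote, the feature choice and the sample records are all assumptions made for illustration.

```python
from collections import Counter
from math import dist

# Constructed records: ((amount in hundreds, transactions in last hour), label).
# 1 = fraud, 0 = legitimate. The last three rows mimic poisoned submissions:
# fraud-like feature values that arrive labelled as legitimate.
TRAINING = [
    ((0.2, 1), 0), ((0.5, 1), 0), ((0.3, 2), 0),
    ((0.8, 1), 0), ((0.4, 2), 0), ((0.6, 2), 0),
    ((9.0, 14), 1), ((8.5, 12), 1), ((9.5, 15), 1),
    ((8.0, 13), 1), ((9.2, 12), 1), ((8.8, 15), 1),
    ((9.1, 13), 0), ((8.6, 14), 0), ((9.4, 13), 0),
]


def suspicious_labels(records, k=7):
    """Return indices of records whose label disagrees with the majority
    label of their k nearest neighbours (the record itself is excluded)."""
    flagged = []
    for i, (features, label) in enumerate(records):
        neighbours = sorted(
            (r for j, r in enumerate(records) if j != i),
            key=lambda r: dist(features, r[0]),
        )[:k]
        majority, _ = Counter(lbl for _, lbl in neighbours).most_common(1)[0]
        if majority != label:
            flagged.append(i)
    return flagged


def quarantine(records, k=7):
    """Split records into (kept, held_for_review) before any retraining."""
    bad = set(suspicious_labels(records, k))
    kept = [r for i, r in enumerate(records) if i not in bad]
    held = [r for i, r in enumerate(records) if i in bad]
    return kept, held


if __name__ == "__main__":
    kept, held = quarantine(TRAINING)
    print(f"kept {len(kept)} records, held {len(held)} for review: {held}")
```

A neighbourhood vote like this only works while mislabelled records remain a minority among similar records, so held records should go to human review rather than being silently dropped.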
2021 will be the year of ambient identification methods as organizations shift to “zero login”
Now that passwordless technology, such as biometrics, is widely used, we will see a shift toward a “zero login” process which doesn’t require any friction for the user unless there is an issue with the initial authentication. This means that there will be no credentials to remember and multifactor authentication (MFA) will be silent on the back end. Zero login will be more secure than using a password, username or MFA because it can use factors, such as device enrolment and device reputation, fingerprints, keyboard typing patterns, the way the phone/device is held, etc., to verify identity in the background while the user has a frictionless experience.
For zero login to be successful, all these identity verification factors must be measured and combined in a transparent way, so consumers don’t feel like their privacy is being compromised. Organizations should also have the option to introduce authentication steps into the process if they prefer to introduce more friction for bigger or more risky actions, for example, similar to how Amazon doesn’t allow customers to use “buy in one-click” for purchases over a certain amount. Rather than only authenticating at the “front door” with passwords or MFA, extra security steps will be added right at the point of potential fraud during the transaction to create a better digital experience for users. Essentially, zero login enables smarter authentication that adjusts as necessary for a more seamless login experience across an individual’s devices.
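The decision logic described above, background signals combined into one score with an extra step only for risky actions, can be sketched as follows. This is an added example, not ForgeRock's implementation; the signal names, weights, thresholds and amount limit are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical weights and thresholds, chosen for illustration only.
WEIGHTS = {"device_enrolled": 0.4, "device_reputation": 0.3, "typing_match": 0.3}
SILENT_THRESHOLD = 0.75   # minimum confidence for a silent sign-in
STEP_UP_AMOUNT = 500.00   # actions above this value always get an extra step


@dataclass
class Signals:
    device_enrolled: Optional[bool]     # is this a device the user registered?
    device_reputation: Optional[float]  # 0.0 (bad) .. 1.0 (good)
    typing_match: Optional[float]       # 0.0 .. 1.0 similarity to typing profile
    amount: float = 0.0                 # transaction value; 0 for a plain sign-in


def confidence(s: Signals) -> Optional[float]:
    """Weighted confidence in [0, 1], or None if a signal is missing or invalid."""
    values = {
        "device_enrolled": None if s.device_enrolled is None
        else float(s.device_enrolled),
        "device_reputation": s.device_reputation,
        "typing_match": s.typing_match,
    }
    if any(v is None or not 0.0 <= v <= 1.0 for v in values.values()):
        return None
    return sum(WEIGHTS[name] * v for name, v in values.items())


def decide(s: Signals) -> tuple:
    """Return (decision, reason); decision is 'allow' (silent) or 'step_up'."""
    score = confidence(s)
    if score is None:
        # Fail toward friction: an absent signal never yields a silent login.
        return "step_up", "missing or out-of-range signal"
    if s.amount > STEP_UP_AMOUNT:
        return "step_up", "high-value action"
    if score < SILENT_THRESHOLD:
        return "step_up", "low confidence"
    return "allow", "silent"


if __name__ == "__main__":
    print(decide(Signals(True, 0.9, 0.9)))                 # familiar device
    print(decide(Signals(True, 0.9, 0.9, amount=1200.0)))  # large purchase
```

Returning the reason alongside the decision lets the service tell the user why an extra step was requested, which supports the transparency requirement in the text.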