My first inclination for predictions was to say, "See last year's predictions." They were for the most part on the money, and I think we'll see more of the same. Here's what I see happening next year:
- Specifically, 2003 will not be billed as the "year for PKI" simply because nobody believes it anymore, and PKI rollouts will continue at a snail's pace.
- There will continue to be many virus and worm attacks, and many people and companies will be affected due to continued poor operating practices (not stopping certain types of e-mail attachments, not updating antivirus signatures, etc.).
- National Security Telecommunications and Information Systems Security Policy No. 11, the National Information Assurance Acquisition Policy, became effective July 1, 2002. It requires that the acquisition of all Commercial Off-the-Shelf Information Assurance (IA) and IA-enabled IT products be limited to those evaluated in accordance with either the Common Criteria, National Information Assurance Partnership Evaluation Program or the Federal Information Processing Standards' validation program. Despite this policy, almost no acquisitions are requiring products to meet these requirements, and that will continue in 2003, rendering this policy moot, much as the policy for "C2 by '92" became a non-issue. (see last year's predictions for the links).
- Despite the formation of the Department of Homeland Defense, spending for IT security will not significantly increase, if it increases at all.
- Corporate managers will continue to insist that security spending show a return on investment (ROI) instead of thinking of it in the same sense as liability insurance. As a result, many corporate networks will still be riddled with security holes.
About Stephen Mencik: Stephen is a Senior Infosec Engineer for ACS Defense, Inc. He has worked in computer and network security since 1981, and was a charter member of the Department of Defense Computer Security Center. He helped to evaluate and design the security for many major Defense Department systems including the Defense Data Network, Defense Messaging System and the NSA's Electronic Key Management System. He is trained in NSA's INFOSEC Assessment Methodology and is a Certified Information Systems Security Professional.
Stephen is also an active member of our forums and frequently answers reader questions in our Ask the Expert program.