Apple sets a security challenge for 2023

Given Apple’s big moves this week to roll out new data protection tools for iMessage and allow users to encrypt more of their data in iCloud, it seems obvious that security is going to be a major Apple priority in the year ahead.

Stamping out surveillance

The Biden administration’s decision to blacklist the mercenary hackers at NSO Group was a welcome move, but it hasn’t stopped the “surveillance-as-a-service” industry. Instead, it’s atomized it, which means we now have more companies offering such “services” than ever before.

The danger is that, just as with any other technology, the attacks used by these services are proliferating and mutating. And as more entities offer them, the cost of mounting state-level surveillance attacks of this kind will fall. This has always been predictable.

Apple introduced three powerful new data protection tools this week: iMessage Contact Key Verification, Security Keys for Apple ID, and Advanced Data Protection for iCloud. The aim is to protect users against such attacks.

While most privacy advocates welcomed the move, some governments and the FBI are aghast, claiming that more tech-driven privacy will make their work harder.

That may be true, but the cost of not having these protections in place is likely so much greater — if governments could be trusted with surveillance tech of this type, then it would not be proliferating, right? And once that particular genie is outside the proverbial bottle, it’s going to be very hard to decant it again. Already in the UK, the government claims 40% of businesses were attacked last year.

Why it matters to business

When it comes to business, the significance is clear. What Apple is offering its own users should surely become the minimum expectation enterprises will make of their own cloud service providers.

That means more security, enhanced security tools, and the highest possible degree of encryption around company data, inevitably including sensitive information like patient and financial data.

We know enterprises need to take security seriously. A rising tide of ransomware and scary statistics show this:

• Veracode claims 24% of apps used in the tech sector have security flaws.
• Orange Cyberdefense’s 2022 Security Navigator report confirms ransomware has become the biggest security threat. It also observed attackers are directly targeting security technologies, seeking vulnerabilities that can be exploited.
• Verizon’s annual Threat Monitor report tells us 62% of System Intrusion incidents involved threat actors compromising partners. This should be seen as a warning to everyone, as it implies every business and every employee (or family member of an employee) can become part of a complex intrusion. In other words, no one is safe until everyone is safe.
• Released this week, Apple’s own report says the total number of data breaches more than tripled between 2013 and 2021, exposing 1.1 billion personal records in 2021.

The ecosystem is gearing up for war

Apple has been heavily engaged in security enhancement this year. Lockdown Mode, Declarative Device Management and numerous improvements in the APIs it offers to MDM providers to protect devices testify to this. In October, it launched a security portal and increased bounties offered to security researchers identifying vulnerabilities.

The company’s work is being echoed by partners. Jamf, for example, has invested in advanced security telemetry solutions provider, ZecOps, and is financing innovative security startups.

The work extends to partners. Competitors are working together across the industry to create a secure password-free security model for the online world. Work to limit tracking technologies and to ensure user privacy also feeds into this.

Looking ahead to 2023, I anticipate we will see this work intensify.

Why? Because in the current geopolitical environment, the scale of state-sponsored security attacks is accelerating, which means every platform provider, government, and enterprise will need to get as tightly locked down as possible.

Apple has already flagged this direction of travel. “We have much more planned for the coming year, including an expanded research scope for Apple Security Bounty and other program enhancements,” Apple said in October.

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.