Around this time every year, my inbox fills with the same repetitive junk.
“Would you consider putting [any random company] in your gift guide?”, “are you going to CES and if so can I pitch you [a gadget that literally won’t be around this time next year]?”, and, “do you want to cover [a company you’ve never hard of’s] predictions for next year?”
To which I always respond: “No,” “absolutely not” and “predictions are not news.”
The “predictions” emails piss me off. Most of the companies that offer predictions don’t seem to fully understand the security field outside their particular niche, or worse, have an agenda they’re trying to push. This year was no different. I trawled through my inbox, scanning literally dozens of emails pushing “predictions” for the coming year.
“Artificial intelligence will stop a data breach,” said one email. “The supply chain will face more attacks,” said another. And, my personal favorite, “bad actors will combine multiple attack types to create synergistic super threats.”
Hate to break it to you, but “super threats” are not a thing.
If you thought 2018 was a tough year for tech, 2019 is going to be so much worse. The groundwork we laid this year will roll over into the next, and that’s when things will start to hit hard, from new laws and political (in)decisions to privacy issues and how employees — not companies — will start to call the shots.
Here’s what you need to know for 2019 in security.
Expect more data leaks and exposures — but not just breaches
2018 saw a rising trend in data leaks and exposures — specifically data that’s not protected with even the most basic security, like a password.
We’ve seen a ton of sites and services exposed in the past year — from gym booking sites, anonymous social network Blind, Urban Massage, FedEx, Canadian internet provider Altima, Amazon and fitness app Polar, to name a few.
Exposed databases and user data can be easily found, yet are entirely preventable — often simply by setting a password. Breaches, where a hacker exploits a vulnerability, are more difficult and require some level of skill, making them less common. But human error, a lack of security smarts or just sheer laziness makes exposed data more discoverable, and yet there’s no sign of data exposures dying down any time soon.
California’s privacy rules will come to a head
After a long fight, California passed its consumer privacy law — set to go into effect at the end of 2019.
Think of the law as like GDPR for California, which will mandate that companies disclose how they collect user data and what they do with it. The law will allow authorities to impose fines on companies that don’t comply or which violate the rules. It’s particularly important for consumers, given most of the world’s largest tech companies have their headquarters in the state.
Tech companies opposed the law. After spending collectively billions of dollars to comply with GDPR, many didn’t want to face another hefty bill to comply with more privacy rules. Instead, many companies pushed for a federal law to overrule and upend California’s soon-to-be-enacted rules. With enough lobbying power in Washington, DC, tech companies and telcos want lawmakers to roll out weaker legislation.
With almost exactly a year to go before California’s rules are set to go into effect, expect to see Silicon Valley work together — for once — to get their own way at a federal level.
Brexit will hamper U.K. tech, startup growth
Brexit, the U.K.’s departure from the European Union, is set for March 29 — and all signs point to a “no deal” that will cause serious, if not as of yet untold problems with immigration, trade, and even intelligence sharing and security arrangements with the U.K.’s European partners.
Leaving the EU without any trade or immigration deals in place will hurt startups and the wider tech scene. Attracting good overseas talent will be difficult without knowing what the immigration rules will be. Even practical things like GPS will begin to struggle, as well as data transfers in and out of the U.K. without a deal in place once the U.K. goes over the cliff-edge. It’ll be a nightmare for companies trying to comply with what’s left of the EU data protection and privacy laws.
Certain technology industries will see more trouble than others, like the gaming industry, which contributes £2 billion ($2.5 billion) to the U.K. economy every year. And, startups won’t get off easy either.
Australia’s draconian encryption laws will begin to hurt
Following in the footsteps of the U.K., Australia passed an anti-encryption law that compels companies operating in the country to turn over encrypted data on request from several government departments.
Many U.S. tech companies, including Apple and Cisco, called on the Australian parliament to ditch the proposals for fear that the law could be abused or harm its customers’ privacy. That didn’t stop a bipartisan effort to pass the bill in time for the Christmas break.
Some companies have already said they can’t — and therefore won’t comply. Signal, the encrypted messaging app, said in a blog post that it “can’t include a backdoor in Signal,” despite the mandate from the country’s capitol. Other companies will find themselves facing the same dilemma. It might force companies to think about their presence in the country altogether.
Facebook’s privacy woes will spread to other Silicon Valley giants
Silicon Valley is split largely into two camps: your data for money, or your data doesn’t make money. You have Facebook, Google and to a lesser degree Twitter and Snap in the first bucket — then you have mostly hardware makers, like Apple, chip manufacturers like AMD and Intel and computer makers like HP and Dell in the other.
Facebook had scandal after scandal this year, after years of playing fast and loose with users’ data. Facebook claims it doesn’t sell your data, but it made money from it at every opportunity. And when it wasn’t actually selling access to your data, it was giving it away.
Many have wondered why other data-hungry, ad-focused companies haven’t had their reckoning yet — and many are asking the same questions. Facebook may be one of the biggest consumers of user data going, but it’s not the only one in the game. In making some of the world’s largest social networks and ad platforms, these companies have inadvertently become mass surveillance tools — either for governments with access already, or hackers and nation states that punch their way through the company’s defenses.
Their time will come — and hot on the heels of Facebook’s slew of scandals, expect it to be sooner rather than later.
Employees, not companies, will dictate how the technology they build is used
This year saw a resurgence of tech employees rising up against their employers for — in their eyes — misusing the products, services and technologies they made for uses outside their moral parameters.
Amazon employees complained that the company’s facial “Rekognition” shouldn’t be sold to law enforcement after the technology was found to racially discriminate against African-Americans. Microsoft staff complained that the company had a $19 million contract to serve U.S. Immigration and Customs Enforcement, during a time where the agency was separating children from their asylum-seeking parents at the border. And Google employees complained when they found that the technology they helped to build would go on to serve Chinese users that enables state surveillance.
Now it’s employees who are trying to call the shots. So far, they’ve had mixed success. Amazon executives didn’t care; neither did Microsoft’s — but Google buckled. Given it’s the talented folk at the companies that make the products, they believe they have a right to say how their products are used and who gets them.
This isn’t something likely to change in the new year, as the government continues to rely on tech companies for enforcement and surveillance. Whether they will be successful, however, will be something to watch.
One incident away from sparking another Apple v. FBI crypto-war
Two years ago, the Apple v. FBI dispute could have taken a completely different path. The FBI was pushing a legal challenge that would forever undermine encryption protections — making it easier for the government to compel companies into complying with orders to undermine their own software security. This year, we saw the government approach Facebook to force the company to rewrite its Messenger app to allow federal agents to wiretap calls. It was all in secret — and only became public thanks to leaks.
We’re still dangerously close to another “crypto-war” (that’s “crypto” for cryptography) that could result in heavy-handed legislation or a legal precedent.
Nobody wants a mass casualty event. But as with San Bernardino and the apparent threat from MS-13 — whether inflated or not, lawmakers and prosecutors use bodies as a bargaining chip to push for more access to our data under the guise of preventing another national crisis.
Gloves are off for U.S. and China in cyberspace — again
The 2015 pact between the U.S. and China that promised to curb each others’ cyberespionage efforts amid rising tensions and escalating attacks between the two nations was delicate and frail, but it was almost inevitable that it would fall apart someday.
In December, when the Justice Department accused two Chinese spies of conducting state-backed hacking on dozens of U.S. companies and government departments, including the Navy, the gloves were off, and the pact was over. The writing was on the wall for a while. Security firm FireEye said in its look-ahead at 2019 that China’s reorganization of its offensive cyber operations units “will inform the growth and geographic expansion of Chinese cyber espionage activity through 2020 and beyond.”
In other words, expect the U.S. and China to begin sparring in cyberspace again.