2019 was a hot mess for cybersecurity, but 2020 shows promise

It’s no secret that I hate predictions — not least because the security field changes rapidly, making it difficult to know what’s next. But given what we know about the past year, we can make some best guesses at what’s to come.

Ransomware will get worse, and local governments will feel the heat

File-encrypting malware that demands money for the decryption key, known as ransomware, has plagued local and state governments in the past year. There has been a near-constant stream of attacks — Pensacola, Florida and Jackson County, Georgia to name a few. Governments and local authorities are particularly vulnerable as they’re often underfunded, under-resourced and unable to protect their systems from many major threats. Worse, many are without cybersecurity insurance, which often doesn’t pay out anyway.

Sen. Mark Warner (D-VA), who sits on the Senate Intelligence Committee, said ransomware is designed to “inflict fear and uncertainty, disrupt vital services, and sow distrust in public institutions.”

“While often viewed as basic digital extortion, ransomware has had materially adverse impacts on markets, social services like education, water, and power, and on healthcare delivery, as we have seen in a number of states and municipalities across the United States,” he said earlier this year.

As these kinds of cyberattacks increase and victims feel compelled to pay to get their files back, expect hackers to continue to carry on attacking smaller, less prepared targets.

California’s privacy law will take effect — but its repercussions won’t be immediately known

On January 1, the California Consumer Privacy Act (CCPA) began protecting the state’s 40 million residents. The law, which has similarities to Europe’s GDPR, aims to put much of a consumer’s data back in their control. The law gives consumers a right to know what information companies have on them, a right to have that information deleted and the right to opt out of the sale of that information.

But many companies are worried — so much so that they’re lobbying for a weaker but overarching federal law to supersede California’s new privacy law. The CCPA’s enforcement provisions will kick in some six months later, starting in July. Many companies are not prepared and it’s unclear exactly what impact the CCPA will have.

One thing is clear: expect penalties. Under GDPR, companies can be fined up to 4% of their global annual revenue. California’s law works on a sliding scale of fines, but the law also allows class action suits that could range into the high millions against infringing companies.

More data exposures to be expected as human error takes control

If you’ve read any of my stories over the past year, you’ll know that data exposures are as bad as, if not worse than, data breaches. Exposures, in which people or companies inadvertently leave unsecured information online, as opposed to an external breach by a hacker, are often caused by human error.

The problem became so bad that Amazon has tried to stem the flow of leaks by providing tools that detect inadvertently public data. Those tools will only go so far. Education and awareness can go far further. Expect more data exposures over the next year, as companies — and staff — continue to make mistakes with their users’ data.
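To make the kind of check those detection tools perform concrete, here is an added example (not code from the article, and not Amazon’s own tooling). It evaluates an S3 bucket’s ACL, bucket policy and Block Public Access settings, all supplied as constructed sample data, and reports whether the bucket is reachable by everyone. The group URIs and setting names are the real AWS ones; the way the Block Public Access settings are combined with the ACL and policy is a simplified model of AWS’s documented behaviour, and the `assess_bucket` function and sample buckets are this example’s own.

```python
"""Offline audit of S3-style bucket configuration for inadvertent public exposure."""

# Real AWS predefined group URIs: a grant to either makes the object world-readable
# (AllUsers = anyone on the internet; AuthenticatedUsers = anyone with any AWS account).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(acl):
    """Return (permission, group URI) pairs in an ACL that grant rights to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grant.get("Permission"), grantee["URI"]))
    return findings


def _principal_is_public(principal):
    """True when a policy Principal means 'everyone' ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy):
    """Return the Sids of unconditional Allow statements whose Principal is everyone."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without the list
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        # A Condition (e.g. restricting to a VPC) may narrow the audience; flag for review
        # elsewhere rather than calling it public here.
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def assess_bucket(name, acl, policy, public_access_block):
    """Simplified model (this example's own): Block Public Access settings neutralise
    public ACL grants (IgnorePublicAcls) and public policies (RestrictPublicBuckets)."""
    reasons = []
    acl_grants = acl_public_grants(acl)
    if acl_grants and not public_access_block.get("IgnorePublicAcls", False):
        reasons.append("ACL grants %s to %s" % (acl_grants[0][0], acl_grants[0][1]))
    pub_stmts = policy_public_statements(policy)
    if pub_stmts and not public_access_block.get("RestrictPublicBuckets", False):
        reasons.append("policy statement(s) %s allow everyone" % ", ".join(pub_stmts))
    return {"bucket": name, "public": bool(reasons), "reasons": reasons}


# --- Constructed sample data (not real buckets) ---------------------------------
EXPOSED_ACL = {
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]
}
PRIVATE_ACL = {"Grants": [EXPOSED_ACL["Grants"][0]]}
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket-placeholder/*"}],
}
NO_BLOCK = {}  # no Block Public Access configured
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def audit_all():
    """Run the check over the constructed inventory and return the findings."""
    inventory = [
        ("backups-exposed", EXPOSED_ACL, {}, NO_BLOCK),
        ("website-public-policy", PRIVATE_ACL, PUBLIC_READ_POLICY, NO_BLOCK),
        ("backups-locked-down", EXPOSED_ACL, PUBLIC_READ_POLICY, FULL_BLOCK),
    ]
    return [assess_bucket(*entry) for entry in inventory]


if __name__ == "__main__":
    for result in audit_all():
        flag = "PUBLIC " if result["public"] else "private"
        print(flag, result["bucket"], "; ".join(result["reasons"]))
```

The third sample bucket shows why account-level Block Public Access is the control worth mandating: the bucket carries both a public ACL grant and a public policy, yet neither takes effect once the block is in place, which is exactly the class of mistake a misconfigured ACL or policy would otherwise turn into an exposure.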

Voter databases and election websites are the next target

The U.S. previously reported disinformation campaigns and disruption efforts during the last presidential campaign in 2016, conducted largely by hackers and online trolls linked to the Russian government. Although the 2018 midterms were largely quiet, it’s anticipated that Russia will try again to sow discord for the second presidential election cycle in a row.

Although the security of voting machines and other election infrastructure is paramount — and there have been valid concerns about the risks they face — the government isn’t particularly worried about hackers actively manipulating cast ballots. Instead, U.S. officials remain concerned about foreign-led disinformation — or “fake news” — that could alter the outcome of the vote. Some officials, including the outgoing Homeland Security cybersecurity chief Jeanette Manfra, said at TechCrunch Disrupt SF that attackers may target election websites to dissuade or disenfranchise voters from casting their ballot — or even to steal voter data.

This election year will be one to watch. While foreign actors will try to exploit vulnerabilities in U.S. systems, they may not use the same playbook as they did in 2016.

Companies will face greater pressure to combat illegal content

Tech giants large and small have shown they are incapable of fully moderating the platforms and services they’ve created. Companies like Microsoft and Giphy have struggled to rid their sites of harmful online material, child abuse imagery and other exploitative content. That’s prompted lawmakers in both the U.S. and the U.K. to try to take action against the platforms to prevent online harms.

There has been some recognition that the situation is getting marginally better, but we’re still a long way away.

Lawmakers are not likely to take their foot off the accelerator in wanting to take action. In other words, if the companies cannot — or will not — take action, lawmakers will make them.

IoT devices will face their security reckoning

And finally, the Internet of Things could be the biggest security hot mess of all. Almost everything today is internet-connected. But companies — including white-label manufacturers who provide unbranded technologies and gadgets to other device makers — have spent their efforts on features and functionality and not enough time on security.

That lack of attention to security has led to an explosion of insecure and vulnerable devices, many of which can be directly accessed from the internet. Not only do such devices give hackers a way into your home or business network, they have also been conscripted into mass hacking efforts that ensnare vulnerable devices and turn their collective internet firepower against websites and services. These so-called botnets are getting more and more powerful, thanks to millions of vulnerable internet-connected devices. It’s become such a problem that the U.K. and the state of California have stepped in to try to curb the number of vulnerable devices manufactured in the first place by mandating better security from the beginning.

The laws are set to take effect starting in 2020. Will that have a negative effect on the Internet of Things industry? Perhaps, but these legislative efforts will only compel device makers to work harder to build secure devices from the beginning.