- Data Will Continue to Be Weaponized in New and Inventive Ways
Between the ransomware attacks that plagued the healthcare industry in 2016, and the wave of politically motivated data leaks that occurred during the run up to the election, it’s clear that the value of information now goes far beyond its sticker price on the Dark Web. Cyber-attackers have evolved beyond simply selling information, and are now opting to leverage it for far more damaging attacks, including extortion attempts and sophisticated human engineering campaigns. Data that can be easily changed, such as credit card numbers, passwords and email addresses are becoming less valuable than information that stays with a user for life, such as DOB, SSN and healthcare records (the crown jewel of personally identifiable information). As hackers accumulate more of this information, traditional IT activities such as authentication and access management will become far more difficult, as the likelihood that a malicious actor is impersonating a user increases drastically.
- Security Incidents Will Have a Bigger Impact on Everyday People
By the end of 2016, most American consumers will have experienced some form of mild inconvenience due to a cybersecurity incident. Whether it’s Facebook going down due to a massive DDOS attack, or replacing a credit card because of a data breach, these incidents will produce a low-impact, fixable problem for the average person. But over the next year and beyond, hackers will take the weaponization of data to create deeper, more widespread attacks on the American people that will require complex solutions and policies to fix. We will see more cyberattacks on popular internet services, more complex cybersecurity legislation proposed in Congress, and more corporate fights regarding encryption technologies prop up over the next year. We hope that consumers will use these events to educate themselves on security policies and hygiene, but it may well result in a country-wide case of ‘security fatigue’.
- President Trump Will Set the Precedent for Responding to Cyberattacks
The last half of 2016 saw an increase in tension between the US and various nation-states and nonstate actors over how the administration should respond to cyberattacks. So far President Obama’s responses to data breaches and DDOS attacks have remained hidden from the public, but President-Elect Trump will be responsible for crafting the appropriate responses (and escalations) to any future incidents. Although the US has been reluctant to levy real-world penalties against cyber-attackers, Trump’s hawkish stance on foreign and military policies will likely influence a hardline approach to cybersecurity policy. Penalties could range from indictments of individuals, extradition attempts and sanctions.
- More Collaboration Between the Private and Public Sector to Create Effective Cybersecurity Legislation
Much has changed in the public landscape since the passage the Cybersecurity Act of 2015, but unfortunately, the legislation hasn’t done much to increase information sharing between the private sector and government organizations. Next year, we are likely to see a drastic overhaul of this intelligence sharing framework, with an increased emphasis on incentivizing participation among private parties (something that is sorely lacking from the initial draft). The government seems to be coming around to the realities that are stopping organizations from sharing threat intelligence, namely the fear of embarrassment, as well as worries surrounding the US’s willingness to exploit vulnerabilities discovered through the program. Measures will need to be put in place to assure that benefits flow both ways, with companies receiving clear cut protections when collaborating with government agencies.