Cybersecurity predictions for 2018

As the clock moves inexorably to a new year (and our look back at the past year is complete), it is time to pick up our crystal ball and predict what 2018 will bring. In the field of cybersecurity there are some verities and some uncertainties. Here are our predictions for the year:

• There will be at least one large-scale data breach, if not more. Just as 2017 brought us the Yahoo breach and the massive Equifax losses, there is no reason at all – none – to think 2018 will be any safer. While we can’t say exactly who will be the victim, we can say with confidence that data breaches don’t fundamentally change anything. Corporate behavior is unaffected and consumers quickly internalize the costs.
• The U.S. Department of Homeland Security will finally get a cybersecurity leader for the National Protection and Programs Directorate. It’s only been a year.
• No significant federal effort will be made to protect the cybersecurity of the 2018 election. As long as executive branch leadership holds the official view that no Russian interference occurred in 2016, there is little reason to expect the federal government will take action. As a result, there will be serious questions about the integrity of the 2018 elections.
• There will be a significant disruption of internet traffic caused by a botnet attack. Service will be blacked out and messages will be diverted. The disruption will last more than an hour.
• Pressure on social media organizations to monitor content will grow significantly. The restrictions will start with efforts to protect against sex trafficking. Silicon Valley’s obtuseness to the nature of their influence will leads to calls for regulation. In response, they will engage in much greater self-censorship. Free speech will suffer.
• The U.S. Justice Department will find a case where encryption is used to protect a putative terrorist. The case will create great pressure to legislate a mandatory decryption “back door.” By the end of the year, decryption legislation will be considered in Congress.
• Distracted by other matters (like the pending midterms) Congress will not, however, pass any significant cybersecurity legislation at all.  They may fiddle a bit, but Rome will continue to burn.
• The European roll-out of the General Data Protection Regulation in May 2018 will have substantial negative impacts on cross-Atlantic data flows. When the European courts rule against the US-EU Privacy Shield agreement, a full-scale data trade war will erupt.
• The data trade war will be exacerbated by the Supreme Court’s decision in the United States v. Microsoft overseas data storage case. The court will force Microsoft to repatriate data held in Ireland to America. In response, Europeans will adopt reciprocal restrictions.
• The most significant regulatory push in the United States will involve the internet of things.  Regulatory agencies like the Food and Drug Administration and the National Highway Traffic Safety Administration will use existing authorities to impose security and privacy requirements on consumer goods – hopefully in the form of standards but possibly in the form of mandates.
• The Supreme Court will decide in the Carpenter v. United States case that Americans have a privacy interest in their locational information. Carpenter will win, but the court won’t have a single opinion. Law enforcement will be confused. Congress will posture but not fix the problem.
• More Chinese hackers will be indicted for the theft of trade secrets from American companies. None will, of course, ever come to trial.
• Kaspersky Labs, having sued the government to get back into the federal procurement system, will win their suit because the government won’t be able to disclose publicly precisely why it thinks there is a risk.