The Experian Data Breach Resolution team welcomed 2018 with five predictions of this year’s top data breach trends. Nine months into 2018, we take a look to see how the predictions have played out.
Trend Prediction 1: The United States may experience its first large-scale attack on critical infrastructure, causing chaos for governments, companies and private citizens.
Update: It was reported in July that Russian hackers had infiltrated U.S. utility control rooms in 2017, and the Department of Homeland Security admitted that our critical infrastructure, including energy, nuclear and commercial facilities, have been targeted since early 2016. Joel Brenner, head of counterintelligence under the Director of National Intelligence in the Obama administration, told NPR, “They were placing the tools that they would have to place in order to turn off the power. That’s a serious vulnerability for us, and we’re not anywhere near ready to deal with it.”
The Russians aren’t the only ones looking to compromise our critical infrastructure. China and Iran are also considered cyber threats. Every country has their offensive capability and are playing around. They’re laying land mines out in various places, which may or may not detonate. With the upcoming elections, we can only speculate there will be more attempts at attacking the critical infrastructure, including the voting infrastructure.
As of today, however, while we know the critical infrastructure has been hacked, there has not been any outages known to be caused by these intruders.
Trend Prediction 2: Failure to comply with new European Union regulations will result in large penalties for U.S. companies.
Update: Google was fined $5 billion by the EU for violating anti-trust laws involving Android devices and a requirement that they all install Chrome and other Google apps by default.
GDPR took effect on May 25, and as of this writing, there are no known penalties issued to U.S. companies. However, an Austrian lawyer named Max Schrems has filed lawsuits totaling $8.8 billion against Google and Facebook, complaining that the way the companies ask for data use consent violates GDPR.
It is still too early to see how the new privacy regulations will affect U.S. companies and how fines will be doled out.
Trend Prediction 3: Perpetrators of cyberattacks will continue to zero in on governments, which could lead to a shift in world power.
Update: The 2018 midterm elections are being targeted. At least one U.S. Senator has said there were attempts to infiltrate her senate computer network through spearphishing attacks (the attempt was unsuccessful). At least two other senators have been targeted, as well. Attempts to hack into voter systems have also been discovered over the past months.
Russia also used similar tactics to affect the Brexit vote, and now German elections are the target. The Pentagon is taking steps to shift its approach in its cyber defense, which, the New York Times stated, “could increase the risk of conflict with the foreign states that sponsor malicious hacking groups.”
The next major war will be fought in cyberspace, but countries like North Korea are trying to divert attention to nuclear arsenals. This could be a tactic used to lull attention away from cyberattacks.
We are seeing a lot of action involving cyberattacks targeting government entities.
Trend Prediction 4: Attackers will use artificial intelligence (AI) to render traditional multifactor authentication methods useless.
Update: The capabilities are there, but we haven’t seen if there has been an actual attack through this vector – yet. It’s only a matter of time. Spearphishing attacks against C-level executives and board members have been ramping up. AI is used to find those people with administrative credentials. And AI, with its sophisticated algorithms, is being used to execute attacks on that level.
Trend Prediction 5: Vulnerabilities in internet of things (IoT) devices will create mass confusion, leading to new security regulations.
Update: We’re seeing more attacks against the vulnerabilities in IoT devices, and it doesn’t appear that manufacturers are doing much to fix those problems. As Wired pointed out, “known weaknesses and flaws can hang around for years after their initial discovery. Even decades.” In response, we’ve seen some governments take action to step up IoT security. The UK government released a report “Security by Design” with policies meant to put the onus of burden on manufacturers rather than end users, and that includes getting rid of default passwords and instituting improved transparency surrounding vulnerabilities. Canada introduced The Personal Information Protection and Electronic Documents Act (PIPEDA) surrounding the collection of personal data and appears to cover the information collected from IoT devices. The EU’s ePrivacy Regulation addresses electronic communications and privacy, including data shared through IoT devices. And while the California Consumer Privacy Act, passed this year but not scheduled to go into effect until 2020, covers many of the same data collection concerns as GDPR, it is unknown at this time if that will include electronic communications and IoT.
Overall, we’re seeing some activity in each of these trends with five months to go in the year, so the predictions all have some level of accuracy.