Since the beginning of this millennium, cybercriminals have relentlessly seized upon security flaws exposed by our steadily increasing reliance on--and obsession with--Internet-centric services and devices.
Based upon what I have been seeing and hearing, 2017 doesn't promise to be any different. For those of us who obsess about cybersecurity (and cyber insecurity), it's easy to predict a steady advance of cyber-attacks in the coming year. Here's my assessment of how five substantive cybersecurity developments from 2016 are likely to reverberate through 2017 and beyond.
IoT becomes weaponized
About one million home Internet connections supplied by Germany's Duetsche Telekom were knocked off line in mid-November. This incident occurred a couple of weeks after British domain name service provider Dyn was knocked down for 12 hours, cutting off public access to scores of major websites like Twitter, Spotify, Amazon, Paypal, Netflix and many other popular services.
While both attacks received a fair amount of notice from mainstream news outlets, the latter received more than the former. Yet both pivoted off the hacking of hundreds of thousands of home routers, webcams and digital video recorders. In short, they demonstrated that it is now possible for an intruder to wrest control of vast numbers of Internet of Things devices, then herd them into expansive botnets, dutifully awaiting attack commands.
Brace yourself for a wave, dare I say tsunami, of high-profile denial-of-services disruptions, fueled by IoT botnets, in 2017. After that criminals will adapt IoT botnets to deliver spam, circulate phishing attacks and steal from online accounts.
Ransomware plague to worsen
Ransomware purveyors this year showed stunning efficiency at encrypting computer files, and then demanding an extortion payment to deliver a decryption key. In 2017, attacks designed to spread deep inside company networks and swiftly corrupt mission-critical systems will proliferate.
Early iterations of this type of go-deep attack proved successful in extracting five and six figure ransoms from healthcare companies. On a macro level, according to FBI statistics, the first Quarter of 2016 saw a 1000% increase in ransomware payments from Q1 2015 ($209 million v $24 million). So there is plenty of incentive to extend them to small financial services firms, regional retailers, manufacturing companies and SMBs. There's simply too much easy money to be made.
Brexit. President-elect Donald Trump. Allepo fallen. Geopolitical tensions are inflamed - and intertwined -- as we head into 2017. While it is, indeed, tough to predict the consequences of such events, it's safe to assume that the Cyber War has replaced the Cold War and that cyber warfare will be more pronounced.
No one should be surprised when impatient Brexit supporters and/or disillusioned American voters turn to hacktivism. This could very well tie in with more IoT botnets becoming available to deploy website defacements and denial of service attacks.
Meanwhile, expect nation state-backed hackers from the U.S. and China to make counter moves in response to Russia's interference in the U.S. presidential election.
States to the rescue
When it comes to compelling companies to make their networks less hackable, industry self-policing has been somewhat of an epic fail, and federal regulation is more uncertain than ever since Congress can't seem to agree on the day of the week. So the states must step in. While a number of them already have in one form or another, of late the New York State Department of Financial Services (NYDFS) has taken up that gauntlet.
The agency's Cybersecurity Requirements for Financial Services Companies, was originally set to take effect Jan. 1. But while recently agreeing to delay that start date to March 1, NYDFS Superintendent Maria T. Vullo stood her ground about requiring banks, insurance companies and other financial services firms to "establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State's financial services industry."
If Vullo can steer companies to implement first-class cybersecurity policies and practices, then hopefully even more states may follow her lead. And the bar finally will be raised for business network security.
The opportunity for small and medium sized businesses to acquire meaningful cyber liability coverage should make a great leap forward in 2017.
Expect cyber insurance carriers to step up the promotion of value-added services--tools and systems that can help companies improve their security postures and thus reduce the likelihood of ever filing a cyber damages claim.
As more businesses look to purchase cyber liability policies, insurance sellers will strive to dial up the right mix of such services.
It's clear that hackers with malicious intent will continue to roam the Internet free to innovate and exploit with near impunity for yet another year. It is also true that individuals and companies have more options (and hopefully more incentive) than ever to make themselves harder targets. Those that make the effort to proactively protect themselves are in a better position to succeed. It is imperative that more succeed.