As with death and taxes, there are only two safe predictions about cybersecurity in 2018: there will be more spectacular data breaches, and the EU General Data Protection Regulation (GDPR) will go into effect on May 25. But as the continuing digital transformation of our lives entails the ongoing digital transformation of crime, vandalism and warfare, 2018 could also bring a lot of new takes on old vulnerabilities, some completely new types of cyber attacks, and successful new defences.
The following list of 60 predictions starts with three general observations and moves to a wide range of cybersecurity topics: attacks on the US government and critical infrastructure, determining authenticity in the age of fake news, consumer privacy and the GDPR, the Internet of Things (IoT), Artificial Intelligence (AI) as a new tool in the hands of both attackers and defenders, cryptocurrencies and biometrics, the deployment of enterprise IT and cybersecurity, and the persistent cybersecurity skills shortage.
IoT vulnerabilities will get more critical and more dangerous. Despite this, there will be no real changes in US law to regulate these devices. This isn’t a very risky prediction; Congress is currently incapable of passing even uncontroversial laws, and any IoT regulation faces powerful industry lobbies that are fundamentally opposed to government involvement. More interesting is what’s happening in Europe. GDPR takes effect next year, and European regulators will begin to enforce it. The regulation has provisions on security as well as privacy, but it remains to be seen how they will be enforced. If Europe starts enforcing Internet security regulations with penalties that make a difference, we might start seeing IoT security improve. If not, the risks will continue to increase—Bruce Schneier, Schneier on Security
Sophisticated adversaries will leverage the granular metadata stolen from breaches like Equifax, OPM, and Anthem, in precision-targeted attacks that rely on demographic and psychographic Big Data algorithms powered by machine learning and artificial intelligence. Attackers will deploy armies of bots to propagate the false narratives used to weaponize malicious fake news, inflate partisan debates, and undermine democratic institutions; meanwhile, they will launch multi-vector DDoS, ransomware, and malware campaigns to impede critical infrastructure cybersecurity and national security. The demographic and psychographic metadata will enable advanced spear-phishing operations against privileged critical infrastructure executives and pervasive Influence Operations against populations—James Scott, Senior Fellow, Institute for Critical Infrastructure Technology
We’re going to see more attacks that attempt to subvert two-factor authentication, as sophisticated attackers set their sights on two-factor authentication-protected accounts and use flaws in SS7 to redirect SMS text messages. In addition, software supply chain attacks like the M.E.Doc compromise with NotPetya will be more prominent—Paul Roberts, The Security Ledger
A nation-state sponsored group will commence a 5-day-long DDoS attack against a critical US government (non-DoD) agency, shutting it down in order to show their strength—The Cyber Avengers