Industry executives and experts share their predictions for 2020.  Read them in this 12th annual VMblog.com series exclusive.

By Jacob Olcott, Vice President, Communications & Government Affairs, BitSight

Where Cyber Risk Enters the Mainstream

The 2020 U.S. Election will be Compromised

During the 2020 U.S. election, nation states will attempt to tamper with the voting infrastructure. But due to limited oversight, the voting systems' outdated technology, and minimum security controls, it will be impossible for the U.S. government or security professionals to determine if the actual vote count was tampered with. Election officials will work closely with federal agencies and security firms to continuously monitor vulnerabilities and threats that could impact these interconnected systems, and ultimately, the final vote. However, most will lack visibility into the infrastructure because it is outsourced or reliant on third party systems to operate. 

Beyond targeting voting machines, malicious actors will also launch disinformation campaigns, including on Secretary of State websites that provide election results, causing confusion throughout election night about which candidates are leading in each state. Local election infrastructure is particularly vulnerable as state and local officials have limited resources to monitor and protect the systems related to elections. While this will not impact the actual ballots themselves, it will cause massive turmoil and uncertainty in the voting process and the election results. Tactics will likely be pulled from the 2014 Ukraine disinformation campaigns. Months of investigations will delay certifying the results of the election as a result of this activity.

The year that cyber risk enters the financial mainstream

In 2020, several publicly traded, Fortune 1000 companies will face the same fate as Equifax. Due to holes in their security posture and in their third party business partners' (and lack of visibility into these issues), data breaches will plague these organizations. Corporate reputations will be jeopardized, and execs and boards alike will face severe legal and financial ramifications. Additionally, the same lack of continuous monitoring for potential security issues will lead to data breaches that threaten major M&A activity, given last year's Marriott/Starwood debacle.

In turn, fed up with the breaches, attacks, and frauds impacting revenue, shareholder suits targeting board members will gain traction - forcing boards to take a larger, more informed role in cyber. As the role of cybersecurity becomes ever more important, investors will keep a closer eye on how companies perform in this area, going so far as to incorporate cyber into their ESG analysis. 

A Western government will be forced to quell looting and rioting when a cyber attack disrupts their electric grid 

Despite years of warning, governments still haven't invested in the cybersecurity of critical infrastructure, as highlighted during the March 2019 attack on the U.S. energy grid. In 2020, a foreign adversary will take advantage of the neglected infrastructure and create the first monumental disruption in a Western government's electrical grid. When citizens riot due to the sustained outage, law enforcement will be called to quell the physical disruption as it hurries to fix the electrical one.  

This will force virtually all large enterprises to have some type of cyber insurance policy in the coming year, and it will focus them on modeling catastrophic cyber incidents surrounding third-, fourth- and fifth-party risk, supply chain disruption, and financial losses. 

2020 will be the return to cybersecurity basics rather than a breathless discussion of zero days 

Zero-day vulnerabilities receive the most attention from the media, but in 2020, hackers won't bother with these highly publicized attacks. Instead, they will hone in on simple strategies, like gaining access to a network through an org's vendor or third-party or through lack of patching (i.e. BlueKeep). The NSA reports that it responds to intrusions from zero-day vulnerabilities very rarely - instead its time is taken up with incidents where unpatched hardware and software have been exploited. 

This will serve as a wake up call for businesses to go back to the basics and focus on building a strong security base. This includes continuously monitoring for threats and new vulnerabilities, implementing security ratings to make data-driven decisions to reduce cyber risk, having consistent visibility into the security posture of your third-party partners, and more.

##

About the Author

 

Jake Olcott is Vice President at BitSight Technologies, where he helps organizations benchmark their cybersecurity programs using quantitative metrics. Olcott speaks and writes about the role of directors, officers and executives in cyber-risk management. He served as Cybersecurity Attorney to the Senate Commerce Committee and House Homeland Security Committee. He also managed a cybersecurity consulting practice. He is an Adjunct Professor at Georgetown University. He holds degrees from the University of Texas at Austin and the University of Virginia School of Law.