Industry executives and experts share their predictions for 2020. Read them in this 12th annual VMblog.com series exclusive.
By Jacob Olcott, Vice President, Communications & Government Affairs, BitSight
Where Cyber Risk Enters the Mainstream
The 2020 U.S. Election will be Compromised
During the 2020 U.S. election, nation states will attempt to tamper with the voting infrastructure. But due to limited oversight, the voting systems' outdated technology, and minimal security controls, it will be impossible for the U.S. government or security professionals to determine whether the actual vote count was tampered with. Election officials will work closely with federal agencies and security firms to continuously monitor vulnerabilities and threats that could impact these interconnected systems and, ultimately, the final vote. However, most will lack visibility into the infrastructure because it is outsourced or relies on third-party systems to operate.
Beyond targeting voting machines, malicious actors will also launch disinformation campaigns, including on Secretary of State websites that provide election results, causing confusion throughout election night about which candidates are leading in each state. Local election infrastructure is particularly vulnerable, as state and local officials have limited resources to monitor and protect the systems related to elections. While this will not impact the actual ballots themselves, it will cause massive turmoil and uncertainty in the voting process and the election results. Tactics will likely be pulled from the 2014 Ukraine disinformation campaigns. Months of investigations will delay certifying the results of the election as a result of this activity.
The year that cyber risk enters the financial mainstream
In 2020, several publicly traded, Fortune 1000 companies will face the same fate as Equifax. Due to holes in their own security posture and in that of their third-party business partners, combined with a lack of visibility into these issues, data breaches will plague these organizations. Corporate reputations will be jeopardized, and execs and boards alike will face severe legal and financial ramifications. Additionally, the same lack of continuous monitoring for potential security issues will lead to data breaches that threaten major M&A activity, as last year's Marriott/Starwood debacle showed.
In turn, fed up with the breaches, attacks, and fraud impacting revenue, shareholder suits targeting board members will gain traction, forcing boards to take a larger, more informed role in cyber. As the role of cybersecurity becomes ever more important, investors will keep a closer eye on how companies perform in this area, going so far as to incorporate cyber into their ESG analysis.
A Western government will be forced to quell looting and rioting when a cyber attack disrupts their electric grid
Despite years of warning, governments still haven't invested in the cybersecurity of critical infrastructure, as highlighted during the March 2019 attack on the U.S. energy grid. In 2020, a foreign adversary will take advantage of the neglected infrastructure and create the first monumental disruption in a Western government's electrical grid. When citizens riot due to the sustained outage, law enforcement will be called to quell the physical disruption while the government hurries to fix the electrical one.
This will force virtually all large enterprises to have some type of cyber insurance policy in the coming year, and it will focus them on modeling catastrophic cyber incidents surrounding third-, fourth- and fifth-party risk, supply chain disruption, and financial losses.
2020 will be the return to cybersecurity basics rather than a breathless discussion of zero days
Zero-day vulnerabilities receive the most attention from the media, but in 2020, hackers won't bother with these highly publicized attacks. Instead, they will home in on simple strategies, like gaining access to a network through an org's vendor or another third party, or through a lack of patching (e.g., BlueKeep). The NSA reports that it responds to intrusions from zero-day vulnerabilities very rarely; instead, its time is taken up with incidents where unpatched hardware and software have been exploited.
This will serve as a wake-up call for businesses to go back to the basics and focus on building a strong security base. This includes continuously monitoring for threats and new vulnerabilities, implementing security ratings to make data-driven decisions that reduce cyber risk, maintaining consistent visibility into the security posture of your third-party partners, and more.
About the Author
Jake Olcott is Vice President at BitSight Technologies, where he helps organizations benchmark their cybersecurity programs using quantitative metrics. Olcott speaks and writes about the role of directors, officers and executives in cyber-risk management. He served as Cybersecurity Attorney to the Senate Commerce Committee and House Homeland Security Committee. He also managed a cybersecurity consulting practice. He is an Adjunct Professor at Georgetown University. He holds degrees from the University of Texas at Austin and the University of Virginia School of Law.