More huge data breaches
The cyberattack on the Equifax credit reporting agency in 2017, which led to the theft of Social Security numbers, birth dates, and other data on almost half the U.S. population, was a stark reminder that hackers are thinking big when it comes to targets. Other companies that hold lots of sensitive information will be in their sights in 2018. Marc Goodman, a security expert and the author of Future Crimes, thinks data brokers who hold information about things such as people’s personal Web browsing habits will be especially popular targets. “These companies are unregulated, and when one leaks, all hell will break loose,” he says.
Ransomware in the cloud
The past 12 months have seen a plague of ransomware attacks, with targets including Britain’s National Health Service, San Francisco’s light-rail network, and big companies such as FedEx. Ransomware is a relatively simple form of malware that breaches defenses and locks down computer files using strong encryption. Hackers then demand money in exchange for digital keys to unlock the data. Victims will often pay, especially if the material encrypted hasn’t been backed up.
That’s made ransomware popular with criminal hackers, who often demand payment in hard-to-trace cryptocurrencies. Some particularly vicious strains, such as WannaCry, have compromised hundreds of thousands of computers (see “The WannaCry Ransomware Attack Could’ve Been a Lot Worse”). One big target in 2018 will be cloud computing businesses, which house mountains of data for companies. Some also run consumer services such as e-mail and photo libraries. The biggest cloud operators, like Google, Amazon, and IBM, have hired some of the brightest minds in digital security, so they won’t be easy to crack. But smaller companies are likely to be more vulnerable, and even a modest breach could lead to a big payday for the hackers involved.
The weaponization of AI
This year will see the emergence of an AI-driven arms race. Security firms and researchers have been using machine-learning models, neural networks, and other AI technologies for a while to better anticipate attacks, and to spot ones already under way. It’s highly likely that hackers are adopting the same technology to strike back. “AI unfortunately gives attackers the tools to get a much greater return on their investment,” explains Steve Grobman, chief technology officer at McAfee.
An example is spear phishing, which uses carefully targeted digital messages to trick people into installing malware or sharing sensitive data. Machine-learning models can now match humans at the art of crafting convincing fake messages, and they can churn out far more of them without tiring. Hackers will take advantage of this to drive more phishing attacks. They’re also likely to use AI to help design malware that’s even better at fooling “sandboxes,” or security programs that try to spot rogue code before it is deployed in companies’ systems.
Cyber-physical attacks
More hacks targeting electrical grids, transportation systems, and other parts of countries’ critical infrastructure are going to take place in 2018. Some will be designed to cause immediate disruption (see “A Hack Used to Plunge Ukraine into Darkness Could Still Do Far More Damage”), while others will involve ransomware that hijacks vital systems and threatens to wreak havoc unless owners pay swiftly to regain control of them. During the year, researchers—and hackers—are likely to uncover more chinks in the defenses of older planes, trains, ships, and other modes of transport that could leave them vulnerable.
Mining cryptocurrencies
Hackers, including some allegedly from North Korea, have been targeting holders of Bitcoin and other digital currencies. But the theft of cryptocurrency isn’t the biggest threat to worry about in 2018; instead, it’s the theft of computer processing power. Mining cryptocurrencies requires vast amounts of computing capacity to solve complex mathematical problems. As my colleague Mike Orcutt has noted, that’s encouraging hackers to compromise millions of computers in order to use them for such work (see “Hijacking Computers to Mine Cryptocurrency Is All the Rage”). Recent cases have ranged from the hacking of public Wi-Fi in a Starbucks in Argentina to a significant attack on computers at a Russian oil pipeline company. As currency mining grows, so will hackers’ temptation to breach many more computer networks. If they target hospital chains, airports, and other sensitive locations, the potential for collateral damage is deeply worrying.
Hacking elections (again!)
Fake news isn’t the only threat facing any country running an election. There’s also the risk of cyberattacks on the voting process itself. It’s now clear that Russian hackers targeted voting systems in numerous American states ahead of the 2016 presidential election (see “Latest NSA Leak Reveals Exactly the Kind of Cyberattack Experts Had Warned About”). With midterm elections looming in the U.S. in November, officials have been working hard to plug vulnerabilities. But determined attackers still have plenty of potential targets, from electronic voter rolls to voting machines and the software that’s used to collate and audit results.
As these and other risks grow in 2018, so will the penalties for companies that fail to address them effectively. On May 25, the General Data Protection Regulation will come into effect in Europe. The first big overhaul of the region’s data protection rules in more than two decades, the GDPR will require companies to report data breaches to regulators—and inform customers their data has been stolen—within 72 hours of discovering a breach. Failure to comply could lead to fines of up to 20 million euros or 4 percent of a company’s global revenues, whichever is greater.
The recent revelation that Uber covered up a big cyberattack last year has sparked calls for breach disclosure rules to be toughened in America too. All this means that lawyers as well as hackers will have a very busy 2018.