What the government infosec landscape will look like this year
The information security landscape seems to evolve at a faster clip each year. The deluge of ever-changing threats, attack techniques and new breaches making headlines can be challenging to track and assess. That’s why each year the WatchGuard Threat Lab takes a step back to assess the world of cyber security and develop a series of predictions for what emerging trends will have the biggest impact.
Following the worldwide controversy over hacking that influenced the 2016 presidential election and the many widely publicized privacy and security incidents that have taken place since, we believe the government information security sphere is the stage upon which we’ll see two major security developments play out in 2020.
The first is that bad actors will target voter registration systems with the intent to generate voting havoc and trigger voter fraud alerts. The second is that we’ll see multiple states enact privacy regulations inspired by GDPR and the CCPA. Let’s take a look at how these two issues will unfold in 2020 and what you need to know to be prepared.
Impending voter registration systems hacks
Security researchers have proven many times over that voting machines are hackable, but most of these researchers don’t expect threat actors to expend the vast amount of time and resources needed to successfully hack the 2020 presidential election voting results directly. Instead, these online adversaries will use subtler tactics in the coming months to tamper with the voting process at the state and local level.
The culprits behind previous election-related attacks are state-sponsored actors that are happy to execute highly effective, politically motivated misinformation campaigns across social media platforms, but appear to draw the line at actually altering the voting results themselves. In 2020, they’ll seek to build on the success they achieved in 2016. We believe they will target US voter registration systems to make it more difficult for legitimate voters to cast their ballot and attempt to cause widespread mistrust in the validity of vote counts. Indirectly influencing the election by creating confusion, fear, uncertainty and doubt will be their MO.
What can we do about it? For state and local government departments managing voter registration systems, it will be important to perform security audits and find and fix potential vulnerabilities before the bad guys have a chance to exploit them.
While there’s not a tremendous amount the average voter can do to ward off election hacking attempts by state-sponsored cyber criminals, there are some basic things you should keep in mind to make sure your voice is heard on election day. First, double-check the status of your voter registration at least a week before the election. Monitor the news for any updates about voter registration database hacks leading up to the election and be sure to contact your local state voter authority if you’re concerned. Lastly, bring a printed confirmation of your completed voter registration and multiple forms of ID on election day (just in case).
An upsurge in state-level privacy legislation
The European Union made a global splash when it implemented the GDPR. Designed to provide better privacy for its citizens’ data (regardless of the location of the organizations with access to it), the historic law was initially met with cynicism and uncertainty (and even panic in some cases) due to its stringent criteria and heavy penalties for noncompliance.
That said, since its inception, the level of privacy the law provides for individuals has been well-received. People welcome the comfort of knowing that organizations are finally being incentivized to protect their privacy and held accountable for mishandling their data. It goes a long way to inspire confidence in the public when organizations like Google and Marriott are fined millions of euros for GDPR violations.
Massive organizations like Facebook continue to neglect their obligation to safeguard user data, and America’s appetite for privacy seems to be growing with each passing data breach and scandal involving the sale of user data. That’s why in 2020 you should expect to see 10 or more states enact privacy laws similar to GDPR.
In fact, California has already passed its own CCPA and will begin rolling out fines for violations by mid-year. Given that most states passed mandatory data breach disclosure laws in the mid-2000s and lawmakers still haven’t been able to pass a federal version to date, it’s unlikely that the movement to enact a federal privacy law will gain enough steam to pass in the near term. That said, the rising public outcry for data privacy makes it highly likely that individual states will take it upon themselves to follow in California’s footsteps and pass privacy acts of their own.
This momentum will grow in 2020, so it will be critical for businesses across the country to carefully study the CCPA requirements and prepare to make adjustments. Other states will use the CCPA as a reference point for developing similar regulations of their own. If you’re concerned with your own personal data privacy, contact your local representatives to push for state-level legislation and federal action as well.
The road ahead
The changing conditions within the government information security landscape impact every American business and individual in one way or another. We simply can’t afford to be ignorant or apathetic when it comes to matters of public privacy and security.
Whether it be state-sponsored attempts to interfere with the next election, emerging security and privacy regulations, or some other development, we should all strive to become more informed about and engaged in these issues.