2017 in cybersecurity and privacy news
From rampant ransomware to the Equifax breach to geopolitical machinations, it’s hard not to be a cynic about the past 12 months of security and privacy news. But a few important highlights might help convince you not to throw your phone and laptop into the nearest trash fire.
The biggest story anywhere this year was the aftermath of Donald Trump’s successful campaign for the highest office in the land. We attended his inauguration and several protests of it, including the monumental Women’s March on Washington, and dug into the meaning of subsequent controversial policy changes.
After spending much of his campaign blasting what he described (without proof) as a “rigged” election system, Trump spent much of his post-inauguration year denying reports of Russian election interference, which included alleged data breaches targeting his leading opponent, Hillary Clinton, social-media interference, and voting-machine hacking. Those reports blossomed into a Department of Justice investigation, led by former FBI director Robert Mueller as a special counsel, to uncover the truth about Trump’s ties to Russia. Trump continues to deny connections between Moscow and the White House.
And although his administration took part in banning from U.S. government computers Kaspersky Lab security software, developed in Russia, it took months longer than its predecessors to publicly unveil a computer security stance.
This stance thus far has included targeting consumer privacy at the border, which raised fears of increased government surveillance in just about everyone from immigrants to legal experts to journalists to activists.
“It’s quite invasive,” Fred Jennings, a digital-rights attorney at New York City law firm Tor Ekeland, told The Parallax in February of a new policy to more heavily scrutinize even U.S. citizens entering the country. Customs and Border Protection officers have searched travelers’ devices, or asked them “to divulge their passwords, or log into their accounts, and show what’s on there,” Jennings said.
Ironically enough, Congress struggled throughout the year to renew the NSA’s favorite legal shield for foreign surveillance, and it’s not clear if it’ll be able to get it done in 2018. The Spanish government, on the other hand, seems to have figured out how to use the Internet against its citizens.
Beyond the White House, the FCC decided to ignore anti-Net neutrality comments made from stolen email accounts, and experts worried about the government’s penchant for attributing hacks in ways they say carries risks of their own.
And not all federal cybersecurity decisions this year were necessarily harmful to consumers. The U.S. contingent renegotiating the Wassenaar Arrangement, for one, made major strides toward better protecting cybersecurity researchers. The Department of Justice revealed guidance for how private entities and government agencies should responsibly handle vulnerability disclosures, endorsing bug bounties as an important element of modern computer security. And for the first time ever, sitting members of Congress appeared on stage at DefCon, the biggest hacker conference in the world, to plead for better communication between hackers and government officials.
Ransomware, a particularly nasty form of malware that locks your computer until you pay off your attackers and has been around for decades, continued to wreak havoc in 2017. The two most notable attacks used a Microsoft Windows exploit to access targeted systems—one that was leaked to the public when the Shadow Brokers hacking group stole it from the CIA.
WannaCry, which the NSA just last week attributed to North Korea, made hash of critical computer infrastructure in hospitals, power plants, oil companies, and financial firms around the globe. And NotPetya cost pharmaceutical giant Merck more than $310 million, FedEx more than $300 million, and shipping company Maersk more than $200 million.
“Critical infrastructure is vulnerable and prone,” and hospitals don’t always know which computer operating system is running on a particular piece of technology, Beau Woods, former deputy director of the Cyber Statecraft Initiative at the Atlantic Council, told us in May. “And if you don’t even know it’s running Windows, and you don’t know it’s exposed, you can’t patch it.”
Data breaches this year also continued to exasperate consumers and security experts. Hackers broke into Equifax’s computers, stealing personal information about more than 143 million Americans—basically all adults in the country, and then some. The situation was compounded by the revelation of a series of company mistakes, ranging from the promotion of a scam help site that looked better than its official one, to the failure to install a security patch that would have prevented the hack.
The risks of connecting every dang gadget possible to the Internet, broadening the scope of the so-called Internet of Things, also grew worse this year. Suzanne Schwartz, associate director for science and strategic partnerships at the Food and Drug Administration, told The Parallax that patients were put at risk by financial shenanigans during a major pacemaker recall. Hacks of connected door locks and cars, meanwhile, demonstrated that with IoT, much more is at stake than data.
While most of the tech world focused on updating older technology by connecting it to the Internet, Apple took a newer concept—facial recognition—and made it the central security feature of the iPhone X. But despite many reviewers swooning over the feature as “magical,” experts said biometric authentication like Face ID is no silver bullet for security.
Vulnerabilities in the software supply chain also came under increasing scrutiny, as hackers chiseled into myriad software pieces that make up today’s major programs. In one particularly egregious case, weeks after antivirus software maker Avast (which sponsors this site) acquired a Windows-cleaning utility used by more than 100 million people, the company discovered a massive breach on the utility’s servers.
The CCleaner hack, Avast researchers discovered, had targeted only 40 people. It nevertheless highlighted challenges in securing smaller components of larger software. Many components, security experts say, are used in hundreds or even thousands of products, and some are not updatable.
“This is going to be a worldwide problem. We have a systemic problem with how we update software, and we don’t have a good solution to this yet,” Jeremiah Grossman, chief of security strategy at security software maker SentinelOne, said in September.
At the end of the year, cryptocurrency became a household term, as the public glommed onto the financial promise of bitcoin. It was only earlier this month that the cryptographically secured method of paying peaked just short of $20,000 per bitcoin (before plummeting around $4,500 to today’s valuation).
Also closing out the year, which began with spirited protests of alleged sexual harassment and assault at the hands of the newly inaugurated president, were a stream of public allegations against powerful men from women (and men) across various industries, leading to a bevy of high-profile ousters. Within the cybersecurity community, a number of people came forward with stories of sexual assault by famous hackers Morgan “Mayhem” Marquis-Boire and John “Captain Crunch” Draper.
If there’s any silver lining, it’s that the repeal of Net neutrality in the United States isn’t expected to harm consumers’ online security or privacy—in part because it’s going to be harder to use the Internet as freely as before.