Thanks For Nothing, 2017



2017 was marked by global ransomware outbreaks, seemingly countless data breaches, and little legislative movement from Congress.

Let’s be honest: 2017 was a pretty miserable year for the Internet. If you have an Internet connection, you probably already know that. If you do not have an Internet connection, congratulations. (Also, how are you reading this?)

Ransomware kicked the Internet in the teeth for much of the last year, with outbreaks such as WannaCry, Petya, NotPetya, BadRabbit, and many others infecting enterprises and consumers around the world. Major companies, including Maersk and FedEx, saw major effects on their businesses from ransomware, with FedEx reportedly losing about $300 million from a NotPetya infection at one of its subsidiaries. Even for a global enterprise with the size and resources of FedEx, that’s a significant amount of money to lose. And it wasn’t just criminal ransomware gangs running these operations. Some ransomware campaigns--specifically WannaCry--were used as cover for other kinds of operations.

2017 also gave us the repeal of the Net Neutrality regulations, a move that could radically change the way many people are able to access some Internet content and services. This is how things work in some countries where the government has complete control of network content and services, and it’s not a pretty picture.

“It paves the way for an Internet that works more like cable television, where wealthy insiders decide which speakers can reach a broad audience. A pay-to-play Internet means that smaller sites and apps, or startups without major funding, will be forced to negotiate with multiple ISPs to avoid their content being buried, degraded, or even blocked,” EFF staffers wrote about the change.

There were also dozens of breaches at companies across dozens of industries, capped off by the granddaddy of them all, the Equifax breach. That one affected more than 145 million people, which is quite a lot of people. To think about it another way, that’s essentially all of the adult humans in the United States. It’s difficult to do much worse than that, though there will likely be an incident sometime soon that somehow affects the personal information of future humans. You know it’s coming.

You know what’s not coming? Any sort of meaningful response to the data breach problem from Congress. It’s been about 15 years since data breaches emerged as a serious issue and in that time, the legislatures in most states have found a way to enact a breach-notification law to give consumers some baseline level of information whenever a company or government agency experiences a data breach. California was the first to address the problem, and as breaches became more common and more serious, other states followed suit. But Congress has never found the time to get it done on a national level, something that some lawmakers have spent many years pushing for.

Not that a national breach-notification law would make much of a practical difference at this point. There are enough state laws and industry regulations now that consumers affected by a breach will be informed. At some point. But it would be nice to have some tangible evidence that the folks we sent to Washington are actually paying attention to this. They’ve certainly had a lot of hearings about it, no question about that. After the Equifax breach, there were many outrage-fueled hearings, and those hearings have gone where a lot of hearings go: exactly nowhere. The legislators were able to vent their anger about the compromise, shake some fists, and then adjourn for lunch. Good work if you can get it. Some members of Congress apparently are becoming frustrated with the lack of movement, too.

“Every time another shoe falls, I think, ‘Ah, this is it. This will get us galvanized and pull together and march in the same direction.’ Hasn’t happened yet,” Sen. Tom Carper (D-Del.) told Politico this week.

“Hasn’t happened yet” is a pretty apt description of Congress’s response to many security issues, with the data breach problem just being the most visible one. That could change in 2018, but we have precious little evidence to support that assertion.

Dennis Fisher


Dennis Fisher is editor-in-chief at Duo Security. He is an award-winning technology journalist who has specialized in covering information security and privacy for the last 15 years. Prior to joining Duo, he was one of the founding editors of On the Wire, Threatpost and previously covered security for TechTarget and eWeek.