The four big stories that defined cybersecurity in 2018

Cybersecurity played a role in most major conflicts of 2018, from U.S. efforts to hold Russia accountable for its attempts to undermine the 2016 election to U.S.-China clashes over trade and technology to the midterm election contest held under a cloud of uncertainty about whether foreign powers were attempting to influence the vote.

There was positive news, especially the Homeland Security Department's successful work with state and local officials to vastly improve the cybersecurity of election infrastructure in advance of the midterms.

Most of the stories raised red flags, however. China, which reduced its digital theft of U.S. companies' intellectual property after a 2015 detente, is ramping up again. Sophisticated, possibly nation-state-linked hacking groups also stole personal information from up to 500 million customers at Marriott's Starwood hotel chain and internal emails from the National Republican Campaign Committee.

The master narrative, according to cyber experts, is this: The United States is getting better at cyber defense, but our adversaries are hitting us as hard as ever in cyberspace and U.S. officials haven't imposed consequences that will convince them to stop.

That narrative is clearest when it comes to Russia. With uncertainty still swirling about how much the Kremlin's efforts undermined the 2016 presidential election, Russia could still feel emboldened to sow more chaos in 2020 or earlier, and other U.S. adversaries may follow suit.

"The kind of activity Russia was involved in was way beyond anyone's idea of what's permissible, but there have not been significant consequences," Chris Painter, a former State Department cyber coordinator under President Barack Obama, said.

"Yes, there were some sanctions and expulsions [of Russian diplomats], but they were a little late and not really strong enough," Painter said. Those efforts were also "continually undercut" by President Donald Trump's wavering on whether Russia was responsible for the hacking and influence operation, Painter said.

Here are four big stories that defined cybersecurity in 2018:

Consequences, consequences, consequences

The Trump administration made some efforts to get tough on cyber adversaries this year.

The White House rolled back an Obama-era directive, loosening checks on the military before it launches offensive cyber operations. As he unveiled a national cyber strategy, national security adviser John Bolton promised: "Our hands are not tied as they were in the Obama administration."

U.S. officials also helped ride herd on coordinated action by the U.S., British and European governments to publicly name and shame Russia for cyber mischief, including the NotPetya cyberattack that wreaked havoc on banks around the world.

Those collective campaigns are a good first step toward an international effort to hold rogue nations responsible for bad actions in cyberspace, Jim Lewis, a former U.S. government official who organized numerous international cyber negotiations, told me. But they're just a start, Lewis said.

"The one thing that would make a real difference is pushing back on the Russians, and that's the one thing we've been unable to do," Lewis said. "Neither the Obama nor the Trump administration figured out how to respond to Russia."

One step forward, one step back

Domestic cyber policy was also defined by alternating progress and retrenchment this year.

On the positive side, Congress approved legislation to elevate the Homeland Security Department's cyber and infrastructure protection division into a more operational role and to put congressional authority behind many of its cross-government cyber protection activities.

DHS also launched a National Risk Management Center to tackle longer-range cyber projects, such as studying cyberthreats to national technology supply lines and creating a list of important U.S. shared assets, such as GPS and cellphone networks, that are vulnerable to cyberattacks.

That progress has been offset by other actions, however, such as Bolton's decision to eliminate the position of White House cybersecurity coordinator, which used to be the administration's public face on cybersecurity, responsible for balancing all the government's competing cyber priorities.

"The loss of a cyber coordinator at the White House has made us all less safe," Suzanne Spaulding, the top DHS cyber official during the Obama administration, told me. "Bolton and his deputy simply don't have time to be cyber coordinators and to make sure people are talking across all the government stovepipes in a way that's essential to protect critical infrastructure."

It's about the election, stupid

The good election security news this year: Officials assert there was no successful effort by Russia or anyone else to hack U.S. election systems. Congress also allocated $380 million to states to improve cyber protections before the 2020 elections.

The bad news: Despite bipartisan support, Congress failed to pass an election security bill that would require states to follow basic cyber best practices.

That could cause big problems if Russia ramps up its hacking efforts before the 2020 presidential contest, which is bound to be more divisive.

"The electoral system as a whole remains vulnerable," Michael Daniel, who was White House cybersecurity coordinator during the Obama administration, told me. "Just because we didn't see a lot of that activity in 2018 doesn't mean we should become complacent about 2020."

Breach fatigue

One oddity of 2018 is that, despite major data breaches at the National Republican Congressional Committee, Marriott, Facebook and Google, there's not a single breach that defines the year in the same way as the 2013 Target breach, the 2014 Sony hack, the 2015 Office of Personnel Management breach and the 2016 Russian hacks of the Democratic National Committee and Clinton campaign.

That's partly because, unlike those previous breaches, this year lacked a high-profile hack that fundamentally changed how the public thinks about cybersecurity. The Target breach, by comparison, was the first to bump a big corporate CEO from his job. The Sony breach amounted to a North Korean attempt to interfere with a U.S. company's First Amendment rights and it was among the first attacks in which an assailant destroyed some data rather than simply stealing it. The DNC breach, of course, upended a U.S. presidential campaign and helped launch Special Counsel Robert Mueller's probe.

Because of the constant stream of breaches, however, it's also become harder and harder for each individual break-in to make an impression, Allison Berke, executive director of the Stanford University Cyber Initiative, told me.

Also, banks mostly cover the individual costs of breaches, such as phony credit card charges, and then spread that cost among consumers in the form of higher fees. So, individuals tend not to suffer much more than irritation from any individual breach, no matter how big it is, she said.

"Particularly after Equifax, there's more fatigue from the average person," Berke told me. "Their information is out there and it's going to be breached, and we don't have the ability to secure it ... Every subsequent breach seems like something you can deal with. It's the same story every time."
