Think cyberthreats are bad now? They'll get worse in 2017 with 'spear phishing,' etc.

Once again, I will preface my cybersecurity predictions for the new year by quoting the late, great sage and Hall of Fame baseball player Yogi Berra, who once noted, 

“It’s tough to make predictions, especially about the future" — those words of baseball great Yogi Berra prefaced my predictions last year for 2016, and I use them again in looking ahead at 2017. 

However, looking back at my predictions of a year ago for 2016 (as well as my previous yearly forecast), they were pretty much on target. They included predictions about the hacking of presidential candidates and security dangers posed by the Internet of Things, ransomware, complex malware being sold by cybercriminals to less sophisticated cybercriminals, data breaches in the health care industry and the explosion of "spear phishing" as a method of initiating cybercrimes. 

Continuing on that theme, 2017 will bring dramatic events in cybersecurity.  Forewarned is forearmed, so here goes:

1.  Domestic and international corporate espionage through hacking will increase as companies raid the intellectual property and trade secrets of other companies for profit.  The theft hacking of the plans of Lockheed Martin’s advanced F-22 fighter plane by Chinese hackers is an example of this trend.  Chinese national Su Bin was convicted for his part in the stealing of the plans for the plane.

2.  Expect growth of the business model in which criminal cybergeniuses use the Dark Web to sell and lease malware — ransomware, botnets and the tech support necessary to effectively perpetrate massive cybercrimes. — to less savvy cybercriminals. The Dark Web is that part of the Internet where cybercriminals buy and sell illegal products and stolen data.

3.  Law firms will become increasingly targeted and victimized by data breaches.  The massive data breach of what became known as the Panama Papers, in which 11.5 million files were stolen from the Law Firm of Mossack Fonseca is far from an isolated incident.  In some instances, law firms will be targeted for private information about the companies that they represent that can be used for insider trading.

4.  Ransomware attacks will increase and evolve to include taking control of companies’ computer-operated systems.

5.  ATMs and gas pumps will have increased credit card fraud through skimmers that steal magnetic strip information from credit and debit cards.  While the greater use of EMV chip cards has resulted in decreased credit card fraud in retail stores that switched to EMV cards, few ATMs have been adapted for the EMV system. That's despite the fact that the deadline for banks and others to switch over to avoid liability has already passed for ATMs using MasterCard.  Meanwhile, the deadline for gas stations to avoid liability by switching over to EMV processing equipment has been extended by both Visa and MasterCard to 2020.

6.  Medical information data breaches, which according to the Government Accountability Office (GAO) in 2015 involved more than 113 million records, will become an even bigger problem.

7.  Distributed Denial of Service (DDoS) attacks such as we saw in October that temporarily took down Amazon, Twitter, Netflix and others will increase, fueled by botnets of infected computers.

8.  The security weaknesses of the Internet of Things will be increasingly exploited in many ways. These will include threats from hackers of attacks against companies manufacturing IoT products, unless the companies pay a ransom.  The rush of many companies to develop Internet-connected devices without building in stronger security as an initial component of the products will result in significant problems. These include the use of these products in DDoS attacks, as we saw in the October DDos attacks.

Cybersecurity of cars and medical devices in particular will become major issues in 2017.

9.  Banks will be increasingly victimized by devastating cyberattacks.  This year’s hacking of Tesco Bank, the Bangladesh Bank and Russia’s Central Bank were just the tip of the iceberg of attacks on banks around the world that have been successfully perpetrated by groups such as the Carbanak gang for years.  The problem will get worse before it gets better.

10.  Consumers will increasingly bring class-action suits against companies who fail to protect the security of their personal information, including credit and debit card data.  The Federal Trade Commission will become more active in bringing legal action against companies failing to meet their obligations regarding data security, as it did in 2015 against Wyndham Hotels.   Even mergers and acquisitions of companies involved in significant data breaches will become affected by data breaches as we are just seeing in regard to the proposed purchase by Verizon of Yahoo.

11.  Mobile devices will be increasingly targeted by cybercriminals as increasingly companies and individuals utilize smartphones and other mobile devices for sensitive activities with many companies and individuals not utilizing proper security precautions.  Critical Infrastructure will be increasingly targeted by criminals extorting money and nation states attacking for political reasons.  The massive attack of a year ago against the Ukrainian power grid, most likely by Russia, that plunged 103 Ukrainian cities into darkness is a good example of the vulnerabilities of the computerized infrastructure of countries around the world including the United States.

12.  Sophisticated, state-sponsored cyberattacks, particularly from Russia and Iran, will increase against government and private industry targets.  Terrorist groups will also make greater use of cybercrime attacks.

13.  Secretary of Homeland Security Jeh Johnson has said that the most devastating attacks by the most sophisticated attackers almost always begin with spear phishing emails.  These are emails with malware-infected links that lure victims into clicking on them.  What distinguishes spear phishing emails from ordinary phishing emails is the sophisticated tailoring of spear phishing emails to the intended victims which makes them more likely to trust the email and click on the link.   Spear phishing will continue to be the Achilles’ heel of cybersecurity in 2017.

While this list, at first viewing, may be a bit daunting, it is not intended to be a prophecy of doom, but rather, a warning.  Fortunately, there are many things that can be done  and are being done to dramatically increase our cybersecurity including the increased use of big data analytics which offer tremendous promise.  In my next column, two weeks from today, I will describe the precise steps that can be taken to achieve much greater cybersecurity for us all in 2017.

Steve Weisman, an expert in preventing cyberscams and identity theft, is a lawyer and professor at Bentley University. He writes the blog scamicide.com, where he provides daily update information about the latest scams. His new book is Identity Theft Alert.