Here’s How Cyber (In)security Rocked 2016

Maksim Kabakou/

Much more than election hacks and encryption showdowns went down this year.

There will be little debate about the two cybersecurity stories that dominated headlines in 2016.

The year opened with a standoff between Apple and the FBI over encryption, pitting law enforcement’s ability to investigate an Islamic State-inspired mass shooting against the security of Americans' information.

It’s closing with government in a scramble to respond to Russian data breaches at Democratic political organizations aimed, at the very least, at sowing chaos during the 2016 election and possibly at giving a boost to the electoral winner.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

The effects of the election hacking are bound to last well into 2017. Outgoing President Barack Obama has ordered a full review of election-linked hacking to be delivered before he leaves office and has promised to strike back at Russia in ways both visible and obscured.

Meanwhile, President-elect Donald Trump has refused to accept the overwhelming conclusion of intelligence agencies that Russia was responsible for the breaches, setting him up for an early conflict with hawks in Congress, many of them members of his own party.

The battle between industry and law enforcement over encryption is also likely to return in 2017 with House Homeland Security Chairman Michael McCaul, R-Texas, pledging to re-introduce compromise legislation that would assign an independent commission to study the issue. The issue could also be slingshotted back into the spotlight by another shooting or terrorist attack in which information is stored on an encrypted device.

The past year was chock-full of lower-profile cyber events, however, that are sure to produce effects well into 2017. Here are 10 big ones:

Hacking indictments against Iran: The Justice Department indicted seven Iranians working for the nation’s Islamic Revolutionary Guard Corps for hacking U.S. financial institutions in March and charged one of them with hacking into the control system of a dam in upstate New York. The indictments marked the second time DOJ has brought charges against members of an adversary nation-state. The first time was when the department indicted five members of China’s People’s Liberation Army in 2014, ratcheting up tensions between the nations.

China commercial hacking agreement pays off: Most cyber watchers gave long odds to the 2015 agreement between U.S. President Barack Obama and Chinese President Xi Jinping pledging their governments would not support hacking for commercial gain. However, Chinese commercial hacking has dropped by more than two-thirds since the agreement, cybersecurity firms said in 2016.

Presidential commission releases long-range cyber plan: Formed in the wake of the Office of Personnel Management breach, the president’s Commission on Enhancing National Cybersecurity was initially tasked with making recommendations as far as a decade out. They didn’t find anything that wasn’t worth fixing in two years, though. Top line conclusions include beefing up cyber education, moving security “up the food chain” to manufacturers and incentivizing good cybersecurity from companies rather than regulating it.

Who’s on first? DOJ and DHS: Obama issued a policy directive in July establishing a clear chain of command when cyberattacks hit the U.S. Top line items: DOJ is in charge of responding to attacks, but the Department of Homeland Security will assist federal agencies in repelling attacks and recovering.

Cyber Command reaches initial operating capability: Six years after its launch, U.S. Cyber Command reached initial operating capability in 2016 and is slated to reach full operating capability of roughly 6,200 cyber troops in 2018. Congress also passed legislation this year raising CYBERCOM to a full combatant command on the level of U.S. Central Command rather than a subdivision of Strategic Command.

FBI hacking powers expand: What sounds like a pretty banal change, an update to rule 41 of the Federal Rules of Criminal Procedure, could greatly expand the FBI’s ability to hack into zombie computer armies that include the computers and connected devices of innocent bystanders. The rule allows a single judge to issue a warrant for law enforcement to hack into computers in multiple jurisdictions. A bipartisan group of lawmakers launched a last-ditch effort to delay the rule or to force DOJ to disclose any procedures or safeguards on its hacking operations but to no avail.

No change to weapons export rules: U.S. negotiators failed in December to rejigger language in the Wassenaar Arrangement, a voluntary international pact controlling the exports of weapons and things—such as software—that can sometimes be used as weapons. The language as written could prohibit sharing of cyber research tools, internet security researchers said.

DMCA exception for white hat hackers takes effect: On the plus side for internet security researchers, a new rule that took effect in October makes it much more difficult for companies to sue ethical hackers under the Digital Millennium Copyright Act when they reveal vulnerabilities in those companies’ computer code. The exception is only temporary and will have to be renewed in two years.

The first federal CISO: The administration that appointed the first-ever federal chief information officer in 2009 appointed its first chief information security officer in September, another post-OPM effort to bring government cybersecurity under control.

Government deals with IoT: The internet is creeping into everything from refrigerators to cars to heart monitors with major security implications. The government began to respond this year with new policies from the National Highway Traffic Safety Administration, a lexicon from the National Institute of Standards and Technology and strategic principles from the DHS. This year also saw the launch of the Mirai botnet, a zombie army of connected devices that took offline Netflix, The New York Times and other sites. The attack was a lesson, officials said, that insecure devices that pose little danger on their own can wreak havoc in aggregate.