A major cyberattack next year will target a U.S. election, security expert Bruce Schneier predicts.
The attack won't hit the voting system and may not involve the presidential election, but the temptation for hackers is too great, even in state and local races, said Schneier, a computer security pioneer and longtime commentator.
"There are going to be hacks that affect politics in the United States," Schneier said. Attackers may break into candidates' websites, e-mail or social media accounts to uncover material the campaigns don't want public, he said.
Schneier gave the prediction Thursday on a webcast from incident response company Resilient Systems, where he is chief technology officer.
He sees data security and privacy increasingly entering the political realm, both in terms of hackers' targets and motives and in growing policy differences across borders.
He includes attacks like the massive capture and leak of internal Sony e-mails, which the U.S. government has linked to North Korea, and the revelation this year that Saudi Arabia's foreign affairs ministry had been a target in attacks blamed on Iranian hackers. Those kinds of crimes have turned a corner as attackers see the impact they can have, Schneier said.
Meanwhile, the U.S. and Europe are moving in opposite directions on data privacy. In October, the European Union rejected the Safe Harbor agreement on offshore data storage as not strong enough. This week, the U.S. Congress is expected to pass the Cybersecurity Information Sharing Act with most of its privacy protections removed.
Legal and public-relations risks are making some enterprises rethink the value of data itself, Schneier said. It's now starting to be called a "toxic asset," bringing headaches like compliance with a patchwork of privacy laws and protections against breaches. Some companies are deciding it's better not to have some data in the first place.
"A little bit of data about your customers is useful, and a lot more just doesn't help you at all," he said.
Still, at least one thing is improving. More data is getting encrypted, invisibly to the user, one connection at a time. For example, it helps to have Gmail traffic encrypted from the user's device to Google servers and separately between Google's and other companies' data centers, Schneier said.
"That's much more powerful than trying and failing to get end-to-end again and again," he said. There are ways to break the encryption, but not all attackers can carry them out everywhere, all the time. "We get a lot of security because of this."