Attacks on computer systems and networks dominated the headlines in 2016, and in many ways the issue of cybersecurity had its first coming-out party on the national stage. As many as 18 million tweets were sent about cybersecurity during the election season, lagging behind only foreign affairs, terrorism, the U.S. economy, and guns. 2016 also saw potentially the largest cyber breach to date – the Yahoo hacks impacted more than 1 billion users – and the massive Dyn botnet weaponized Internet-of-Things devices for the first time to bring down websites including Twitter, the Guardian, Netflix, Reddit, CNN and many others. It is no surprise that cybersecurity has become top of mind for corporate executives, internet users and policymakers.
In the coming days or weeks, we expect the Trump administration to release its executive order on cybersecurity. In the meantime, the U.S. Congress will stay engaged on cybersecurity, regardless of how a Trump cybersecurity agenda evolves. Legislators will continue to use their oversight, investigations, budget and policymaking powers to focus attention and resources on stronger protections for both public- and private-sector computer systems. And more broadly, in light of the cyber attacks reportedly directed at influencing the U.S. elections, there will be keen interest in ensuring that investigations into these recent events inform the foreign policy of the United States.
Recently proposed cybersecurity policy reforms have included: 1) a major reorganization and consolidation of domestic cybersecurity efforts into a single cybersecurity agency at the Department of Homeland Security; 2) establishing a new joint Department of Homeland Security/director of national intelligence program offering cybersecurity guidance to owners of vital national infrastructure; and 3) the creation of special panels to investigate Russia's election-season hacking and other cybersecurity threats. Congress and the administration also likely will focus on the security of IoT devices, the persistent issue of phishing attacks, and the growing problem of ransomware.
Additionally, in the coming year, Congress likely will again take up data breach notification legislation to create a unifying framework for most private organizations to notify consumers and employees if their personal information has been exposed due to a security breach. The states, too, will work on amending the data breach notification laws that are in place in 47 states, with some states potentially following California’s lead to require reporting when certain encryption keys are stolen.
2017 will also bring implementation of New York’s cybersecurity regulations for financial institutions and insurance companies – the first of their kind and possibly a model for other states and the federal government – and global companies will start gearing up for implementation of Europe’s Directive on the Security of Network and Information Systems, which will be a key security regulation to watch going forward.
Finally, the Trump administration and Congress will remain focused on the oversight of Obama-era cybersecurity reforms, including the implementation of the Cybersecurity National Action Plan and the Cybersecurity Information Sharing Act.
If 2016 was the coming-out party for cybersecurity on the national stage, 2017 is looking to be the year when legislators and policymakers at all levels of government place cybersecurity at the top of their agenda.