As the Center for Cybersecurity Policy & Law staff get ready to celebrate the holiday season and take some time off, it’s time to look ahead to 2024 and offer some predictions on what we may see.

Ari Schwartz:  CISA will release the final version of its software security self-attestation form for OMB to provide to agencies to use with companies selling software to the U.S. government.  This type of self-attestation will also catch on with several other countries as it provides a direct way for governments to hold software companies accountable for security of what they sell.

Jeremy Grant:  The world will finally make progress in supplanting the seemingly unkillable password, as passkeys powered by the FIDO standards start to supplant other forms of authentication. Passkeys will stop phishing attacks and force adversaries to invest in more resource-intensive attack vectors. It’s not a 2024 prediction, but I think passkey adoption gets enough momentum over the next few years that by 2027, we’ll finally have a year where compromised identities are not the number one attack vector exploited in breaches.  

Alex Botting: The EU and U.S. launched a Joint CyberSafe Products Action Plan to “achieve mutual recognition of their respective government-backed cybersecurity labeling programs and regulations for Internet of Things (IoT) devices.” I’m typically a skeptic of EU-U.S. efforts at regulatory alignment, given our experiences in the High-Level Regulatory Cooperation Forum and TTIP. I’m optimistic, however, about the potential for progress on this initiative. I think that the two governments will make substantial progress towards, and possibly even finalize, a mutual recognition agreement for their respective cyber labeling/regulatory schemes – the Cyber Resilience Act and the U.S. Cyber Trust Mark – in 2024.

Heather West: AI will continue to hold our fascination, with policymakers and legislators spending even more time thinking about what they may want to do. The impact of AI on cybersecurity will become more clear, with focus on how these technologies are shifting the balance of cybersecurity. Legislators worldwide will consider whether comprehensive regulation or sector/use specific rules are appropriate - and, I hope, focus on effective ways to judge and manage risk. We’ll see a whirlwind of testing, evaluation, and standards work around AI development and safety. Of course, all of this remains to be seen - the constant in 2023 was that AI technology and the policy discussion moved and changed quickly - and that isn’t going to change soon.

Grant Schneider:  The Securities and Exchange Commission will drive some enforcement actions related to their new cybersecurity regulations in order to incentivize companies to increase disclosure of cyber incidents.

Dan Wolf: We will continue to see executive actions from governors around the country as state policymakers debate how to integrate generative AI into digital government services. We will see dozens of additional task forces formed around the country as state governments fill the void left by the federal government in the regulation of AI technology.

Zack Martin: Sadly, I predict we will continue to see a lack of focus on a comprehensive digital identity strategy from U.S. law and policymakers. A handful of projects out of the National Institute of Standards and Technology, the National Cybersecurity Center of Excellence, and Department of Homeland Security Science & Technology Directorate will make progress on identity standards, mobile driver licenses, and identity proofing technologies. A larger holistic solution for digital identity that would stop fraud, prevent identity theft, and improve privacy isn’t going to happen anytime soon. 

Ivy Orecchio: I am cautiously optimistic about the passage of a federal privacy law in 2024. While the road ahead may pose challenges, the silver lining lies in the increased awareness among consumers about data privacy and the protection of personal information. In 2023, we saw growing momentum among states working to pass privacy legislation and empowering individuals with greater privacy rights. 

Alexis Steffaro: In 2024, I anticipate sustained initiatives at enhancing diversity, equity, and inclusion within the cybersecurity workforce. I look forward to seeing greater collaboration among government entities, industry stakeholders, and academic institutions to foster a broader, more diverse pool of individuals expressing interest in entering the cybersecurity field!

Luke O’Grady: Tech companies will increasingly integrate AI into defensive cybersecurity solutions. This integration will help defenders to analyze vast amounts of data in real time and enable quicker and more effective threat detection. 

For more predictions make sure to check out the season finale of the Distilling Cyber Policy podcast that can be found on Apple Podcasts and Spotify.

Center Staff
