As we wind down 2024, some of our Nexus contributors have looked back on the challenges and wins the cybersecurity industry has achieved, and provided their take on what lies ahead next year within their industries and specialty areas. Today, Attorney Cristin Flynn Goodwin, founder of Advanced Cyber Law and a leader in cybersecurity and technology law, identifies key trends that emerged this year, and what we can anticipate for 2025.
The European Union (EU) remains the world’s cybersecurity and artificial intelligence (AI) regulator—although the US started to show some impact in 2024 through the implementation of the Securities and Exchange Commission's rules on disclosing material cybersecurity incidents—and will continue to be the leader in cyber and AI regulation in 2025.
When customers use third-party resources, it is important to treat the practices of those vendors as part of the company’s own risk profile. 2024 produced two massive examples of incidents that proved third-party risk is a critical part of a company’s supply chain profile.
Criminal and nation-state attackers are always opportunistic, and the attack against Snowflake in May 2024—with at least 156 customers impacted—shows that any place where customer data is aggregated will be a target of interest for attackers, and that weaknesses in security processes will be exploited.
CrowdStrike’s outage in July 2024 surprised the world and showed the consequences of supply chain vulnerabilities and critical dependencies on those suppliers. The takeaway from these two incidents is a reminder that supply chain risk management remains critical, and vendors—even expert vendors—can trigger major incidents for unsuspecting customers.
Major Nation-State Attack Starts Impacting Citizens, and Nothing Happens: The November 2024 attack by China against U.S. telecommunications companies impacted the communications of a small number of individuals in government and in the political process, and resulted in customer call records and lawful intercept data being stolen by Chinese actors. CISA and the FBI advised all US citizens to stop texting and to use encrypted messaging apps—to no avail. The attack was described by Sen. Mark Warner as “the worst telecom hack in our nation’s history—by far.” The U.S. must confront this reality on two levels:
First, our current “best practices” approach is not working;
Second, foreign regulators will be receiving information about these attacks if they impact their citizens or their data, maybe even before US officials.
The Attacks Won’t Stop, That Much is Certain. Customers and regulators will continue to expect companies to deploy AI and cybersecurity in a responsible and thoughtful way that protects customer data and interests. Having clear AI governance, risk management, and incident response plans that integrate with the company’s existing cybersecurity and privacy plans will be essential to managing AI risk when attacks begin to impact AI deployments.
Cristin is the managing partner of Advanced Cyber Law, a boutique law firm focused on cybersecurity, incident response, threat intelligence, and artificial intelligence. She and her team leverage Cristin’s 17 years as lead cybersecurity counsel at Microsoft, where she was head lawyer for the Microsoft Security Response Center, the Microsoft Threat Intelligence Center, the Government Security Program, cybersecurity law and compliance, and built Microsoft’s Digital Security Unit, fusing threat intelligence with geopolitical analysis, including Microsoft’s seminal Ukraine Report in April 2022. Cristin is also the founder and CEO of Advancing Cyber, a regulatory technology startup.