The Cybersecurity Dive Outlook on 2021

About 10 months after the COVID-19 pandemic forced millions of U.S. employees into remote operation, a new threat landscape emerged as companies scramble to manage a hybrid workforce.

Companies are working to manage security risks from vulnerable endpoints and sophisticated criminal and nation-state actors. 

With a new financial year underway and vaccines rolling out, executives are taking a fresh look at how they will navigate a newly hybrid workforce in a secure business environment. 

"What we are seeing is firms putting their plans together for a hybrid workforce," Bhushan Sethi, Global People & Organization co-leader at PwC. 

About 24% of workers in the U.S. telecommuted due to COVID-19, according to the Bureau of Labor Statistics. Other data shows during parts of 2020, more than 50% of workers at major U.S. companies worked from home due to COVID-19 restrictions.  

About 75% of executives expect at least half of their workforces to be back in the office by July, according to survey data from PwC. 

Multiple hats

The task of organizing office returns will be a massive undertaking because for many companies the rapid changeover from corporate offices to remote operations left no time for planning. During the lockdown, remote employees scrambled to balance productivity with childcare, deteriorating mental health and logistical challenges of working in a secure environment.

"In response to sudden work from home orders, we saw many companies prioritize productivity above all else," Michael Covington, VP of product at Wandera, said. "Whether workers were forced to work from home, or IT was told to reduce security policies, job number one at most organizations was to keep the business operational while people were working remotely."

Companies abandoned traditional security protocols but are now taking a fresh look in order to phase operations into a long term recovery, according to a report by Wandera. The Wandera report contains proprietary corporate data using the Wandera Security Cloud, which is based on 425 million sensors. The data has been anonymized and normalized at organizations using the technology, ranging from 10 employees to hundreds of thousands of employees. 

The report shows a 41% increase in malware attacks on an annual basis, as 52% of organizations faced a malware attack in 2020, compared to only 37% in 2019. The malware installations that affected remote work the most last year were spread using social engineering, according to the report.

The apps were made more potent when users granted too much access to their devices, which allowed attackers to gain access to "sensitive data and in some cases capture live recordings from the compromised devices," Covington said.

Remote workers have exposed corporate networks to high-risk activities or content. Out of the devices previously compromised by mobile malware in 2020, about 37% continued accessing corporate emails after being compromised and 11% continued accessing cloud storage.

Multiple devices, operating systems

Part of the difficulty with remote workers in the current landscape is their range of operating systems, including Windows 10, Android and iOS. They are bringing their own devices to access corporate networks through unsecure home-based workstations.

Traditional office rules have gone by the wayside as the Wandera report showed up to 100% increases in workers accessing inappropriate content during office hours. Remote workers, particularly those using Android operating systems, were using vulnerable apps to access content or conduct work. 

"The threat landscape remains fluid as attackers look to take advantage of disasters to phish and social engineer employees," Rick McElroy, principal security strategist at VMware Carbon Black, said via email. "Typically attackers target employees through email and attachments but have now started to use social media and texting as well."

Other threat actors have adjusted the way they use methods like ransomware to attack companies operating in remote environments, Vinay Pidathala, director of security research at Menlo Security said.

"What was old is now new," Pidathala said. "In 2019, ransomware was starting to decrease, but with COVID, attackers have pivoted back to ransomware, and they are having a lot of success with it."

More sophisticated actors are going after high value targets using web browser exploits, with Chrome being the browser of choice.  Four out of 10 browser exploits used in the wild are targeting that particular browser mainly due its dominant market share, according to Pidathala. Additonally, Microsoft Edge has based its underlying technology on Chromium since January 2020. 

In terms of specific threats, a large number of credential phishing attacks are targeting customers across various regions and business verticals, Pidathala said. There has also been a marked increase in web drive by downloads, with attackers using the SocGholish framework as their tool of choice. 

These attacks use social engineering toolkits disguised as either browser updates in Chrome or Firefox, Flash Player updates, or Microsoft Teams updates. 

In terms of security policy changes, Pidathala says that limiting administrative access, issuing corporate-owned laptops and application whitelisting are policies that usually pre-dated the COVID-19 outbreak. "More companies are moving their workloads and applications to the cloud," he said. "Given that shift, companies are strategizing around how to protect their data, web applications and users."

These include confirming access to cloud resources and assets are correctly configured and monitored, ensuring the security of cloud assets and ensuring the governance and protection of critical data. 

Looking further into 2021, tens of millions of corporate employees will continue to work from home.

However, companies plan to resume work environments to operate under a hybrid environment. "Some employees have started to work out of the office already and more will likely transition back to the office over the course of 2021," Rick Tracy, CSO at Telos Corporation, adding that the company will be flexible regarding remote work for the rest of the year and beyond. "Remote work due to COVID has proven that remote work can be effective and secure if managed properly."

Companies are expected to embrace zero trust in terms of how they deal with future threats in a pandemic-enabled threat environment, according to Adam Meyers, VP of intelligence at CrowdStrike. 

"I think the old castle kind of mentality around securing things to a certain extent will go away, as they embrace zero trust in the more modern way of thinking about security," he said. He expects more of a nuanced view of focusing on what needs to be secured and provisioning access appropriately. 

When the cybersecurity field emerged, experts were obviously rare. And with a widening talent gap, the same is true today.

Unfulfilled cybersecurity jobs will reach nearly 2 million globally by next year, according to the Center for Strategic & International Studies. Industry is aware of the looming talent gaps and for years has called on students to consider a career in cybersecurity. 

The outlook is promising, yet barriers to entry remain. Neatly-outlined paths into cybersecurity can produce experts with a narrow skillset, easily outdated as technology evolves.

Cyber is so fast-paced, even the most advanced technical skills can fall behind. 

"I can teach you modern cryptography today, but quantum computing will probably come out in the next five to 10 years," said Scott Howitt, CIO of McAfee. Because quantum computing will eventually break all of it, cryptography is "off the table." 

Howitt is on a cyber advisory board for the University of Nevada, Las Vegas where he frequently dismisses the idea of more technical classes. What's needed more in the field are soft skills, especially curiosity, he said. 

Today's cybersecurity workforce has diverse backgrounds, where education isn't always directly tied to security. 

"You can learn this business in a whole bunch of different ways, and we need every curious individual," said Teresa Shea, VP of cyber offense and defense experts for Raytheon Intelligence & Space. "Everybody's got cyber awareness inside them." She should know, she earned a degree in electrical engineering.

To IT or not to IT

No 100 cybersecurity professionals entered the field in the same way. Though IT has been the traditional gateway, it's no longer an IT-first world, said Dr. Bret Fund, head of cybersecurity at the Flatiron School. Altering network administrations without considering the security implications is a nonstarter.

Regardless of a job — development, application security, infrastructure security, engineering or forensics — "curiosity is what is really, really necessary in order to be able to move forward," said Gerald Beuchelt, CISO at LogMeIn. Applicants also need an adversarial mindset, operating as if they want to break a system as opposed to architecting one. 

The temptation to "break things" is a prerequisite echoed by other CISOs. Howitt, a CISO-turned-CIO, always asks candidates: "What do you do in your spare time?" Howitt wants their answers to indicate they're "ever-learning ... I love people that are building computers in their home."

Where cyber talent is derived varies. Nearly one-third of today's cybersecurity professionals were tapped from educational institutions, or as consultants and contractors, according to (ISC)²'s 2020 Cybersecurity Workforce Study. Twenty-eight percent transitioned from another department in their company. 

An environmental science major, Jon Check graduated from deskside IT support to cybersecurity. Check is now senior director of cyber protection solutions at Raytheon Intelligence & Space. 

Though IT is the obvious gateway to the "infinite game" of cybersecurity, cyber welcomes people with experience in finance, law, sociology, and so on, he said.

"I don't think we're going to be in a place where there'll be enough pure cyber individuals to fill all the roles anyway. So we need those people that in their second career decided they want to get into cyber," because they'll bring outside perspective, said Check. 

A future of cyber professionals without any other experience could unintentionally pigeon-hole people into security careers. They may not be able to grow outside of the SOC. 

"I think if you come from a cybersecurity background, you might be more likely to stay in that area and perhaps not be as likely to transition to some of those CIO roles," said Arve Kjoelen, CISO of McAfee. "I think with a very, very, very technical background, you were probably more likely to be a tactical operational CISO." Those kinds of CISOs stay in the weeds of tech. 

Thick skin? Versatile? Please apply

The publicity of large-scale security incidents can lead to finger-pointing, but successful cyber practitioners are able to disassociate from what the public might conclude is their failure. 

"A lot of things in cybersecurity are brutal. It's like a meat grinder. But the industry shouldn't be that way in order to fix the problems in cybersecurity," said David "Moose" Wolpoff, CTO and co-founder of Randori. 

"The organizations that are successful, are probably the ones where you can get hacked, and not have to be afraid that everybody can get fired," said Wolpoff. 

Analyzing expected employer demands between 2021 and 2025, job-growth analytics firm Burning Glass Technologies found the top-growing skills shift from retroactive security strategies to proactive security strategies. The firm used a database of more than 1 billion job records and 17,000 skillsets related to cybersecurity. 

In application development security, the firm expects a 174% increase in abilities related to DevSecOps, 155% increase in container security, and 113% increase in microservices security over the next five years. 

Information security analysts are expected to outgrow any other occupation in the next 10 years, according to the U.S. Bureau of Labor Statistics. Between 2019 and 2029, BLS estimates a 31% growth in the profession compared to the average occupational growth rate of 4%. 

With AI woven into security analytics, analysts will transition from "investigating flags and potential incidents to analyzing data and making hypotheses about where threats will be," said Fund. The prospective changes in analyst expectations are "exciting and daunting" because it requires mass upskilling. 

(ISC)² estimates there will be at least 10,300 cybersecurity professionals for every 100,000 U.S.-based businesses. But the firm estimates the U.S. has a cybersecurity workforce of just over 879,000 people, and a widening 3.12 million gap in the global workforce. 

Hiring shouldn't necessarily be done in the same way security is performed — dictated by patch goals, or weedy security sprints. Instead, holistic security organizations with lateral abilities will likely be the most successful at preventing attacks.  

Cyber is crashing college

Of the cybersecurity professionals with secondary education, 49% studied computer and information sciences, 20% pursued engineering and 10% majored in business, according to (ISC)². Eight percent of the cybersecurity workforce only have their high school diploma. 

Cyber is multidisciplinary, combining computer science, law, management and political science, said Fund. Because of this, it's going to take a very long time before a cyber-exclusive workforce emerges. 

"My daughter's actually going through a pure cybersecurity education as we speak right," said Beuchelt, whereas he pursued secondary education in physics. But educational programs dedicated to security practices in mission assurance, for example, would not be ideal for a lot of today's security practitioners, he said. They belong to a "non-vanishing" group of cybersecurity talent. 

Boomers (ages 55 to 73 as of 2019) account for only 13% of cybersecurity professionals, according to (ISC)². Millennials (ages 23 to 38) and Gen X (ages 39 to 54) make up the majority of cybersecurity professionals, 44% and 39%, respectively. 

Only 1% of Gen Z, or those just entering the workforce or secondary education, make up cybersecurity professionals. It's a generation that could directly go to school for cyber, as opposed to making a career change later on. 

Certifications are an avenue 63% of the world's cybersecurity workforce pursue because it permits them an ongoing education, according to (ISC)². Vendor-specific and vendor-neutral certificate programs are evenly split between employer requirements, 49% and 47%, respectively. 

Because of the opportunities certifications extend to security and non-security professionals, people with exclusively cyber backgrounds is unlikely anytime soon. 

"Weirdly, the collegiate cybersecurity community has a strong overlap with DEFCON Hacker," in order to appeal to natural hackers, said Wolpoff. But "I don't like the idea of a pure cyber background, because I think myopic experiences are kind of the problem of technologists," leading them to make poor business decisions. 

When it comes to risk-based decision making, security professionals need to be able to overlay the technical details with the business' bottom line — communication outside of technical details is not just a skill CISOs need. 

Business skills are also becoming non-negotiable prerequisites for CISOs of today, which require the executives to: 

• Read balance sheets
• Present risk and threat assessments before a board
• Translate advanced persistent threats (APTs) into monetary risk

These areas are where technical-prone security workers struggle. "You might want to go get a finance MBA, or a management MBA," said Howitt. "I'm a physics major. I didn't go to school to become a cybersecurity guy." 

No industry or business is immune to cyberthreats. Yet there are some industries that do a much better job at addressing cybersecurity and mitigation efforts than others. 

Industry verticals including finance and healthcare had a head start when it comes to security. These industries were among the earliest targets of cybercrime because of the value of their assets. 

Malware and viruses were designed to steal money from banks and insurance data from healthcare. They are also the most heavily regulated industries, which help motivate security control and measurement. 

Education, on the other hand, has lagged behind other industries in instituting best cybersecurity practices due to constricting budgets and aging infrastructures. The security problem across all levels of education was highlighted as schools moved from the classroom to the dining room, and most learning began taking place through video.

"Schools, such as the Hartford Public School system, which became victim to a ransomware attack in September, struggled with security due to the speed at which they needed to adapt to remote learning," said Heather Paunet, senior vice president of product and marketing at Untangle, a provider of comprehensive network security. 

Threats go beyond industry and target organizations depending on business size. Companies in the SMB category tend to be vulnerable; they may not have the budget for a dedicated IT or IT security staff to put the right protections in place for the business.

However, Paunet said, just because some industries appear safer than others, 2020 showed weaknesses emerge across verticals. 

"In 2020, as businesses and educational institutions quickly adapted their IT systems to allow for remote working and remote learning, the speed at which they had to adapt often led to security policies and security solutions coming later," Paunet said. "This left temporary holes in security that IT departments had to fix with VPN technologies, and access policies that they applied later."

Opposite sides of the threat spectrum

The need for cybersecurity isn't equal across industries. While one industry looks like it has a strong system in place, it may not be targeted like other industries. 

"The organizations that do best at security are on the opposite sides of the risk or attack surface spectrum," said Brandon Hoffman, chief information security officer and head of security strategy at NetEnrich, a provider of IT, cloud, and cybersecurity operations and services. "By that I mean looking at availability to attack an organization and the benefit for doing so."

For example, manufacturing has a smaller attack surface, and until recently, there was little benefit for hackers to attack factories. 

Financial services, on the other hand, has a large attack surface and a high payoff for a successful attack, so this industry has placed a higher priority on security than any other industry.

How industries can improve their security posture

While some industries, by virtue of the assets they hold, are more favorable targets for cybercriminals than others, businesses within every type of industry vertical are at risk of an attack, especially smaller businesses. 

A large healthcare conglomerate has the infrastructure in place for high levels of security; they can staff cybersecurity and IT professionals and deploy the latest security tools. A small independent healthcare clinic, on the other hand, can't implement the type of security it needs. 

Hackers don't care about the size of the business; they just want the access to the assets and will go after the most vulnerable businesses. That's increasingly SMBs. 

Organizations in any industry and of any size can improve their security posture with a simple step: determine what needs protection. But because every industry has its unique assets, there is no one-size-fits-all solution that will work for everybody.

Once you know what assets need to be a high security priority, then investigate what systems others within your industry use. 

"This can help companies who don't have big budgets avoid making investments in technology too soon," said Hoffman. 

Industries that have blazed a successful trail with security implementation and management are an example to those who are in the early stages of their security system. Sharing that information with others across their industry vertical and with others with similar goals will improve security for organizations as a whole.

Gone are the days of a tidy perimeter and an orderly firewall. In a cloud-based world, every digital endpoint poses a vulnerability. Security leaders are left to adapt and respond. 

The scale of the threat proves daunting. Cybersecurity Ventures estimates cybercrime damages could reach $6 trillion next year, making cybercrime equivalent to the third-largest economy in the world. 

There's more at risk. By 2025, the WEF anticipates there will be more than 42 billion IoT devices deployed around the world, representing a vast technology landscape to target and exploit. Each device serves as a potential access point to a system or an intrusion into the physical. 

"Cyber is starting to impact the physical world," said Peter Firstbrook, research analyst at Gartner, speaking during the Gartner IT Symposium/Xpo Americas last week. "Security is starting to become more about safety than it is just about information security, which most people have been thinking about in the past."

The Department of Defense, for example, is concerned about CAD drawings and information stored on factory floor machines, according to Firstbrook. Malicious actors can also toy with building infrastructure, locking people out or messing with the HVAC system. 

Involved in information and physical security alike, cybersecurity is evolving into a broader discipline. Businesses need strong centralized leaders who can influence stakeholders across departments, while reporting risk to CEOs and the board. Throughout, it requires close collaboration with the CIO regardless of reporting structure. 

Through the end of 2020 and into 2021, here are five trends in cybersecurity and risk management to watch: 

Rapid modernization, a new perimeter and the need for zero trust

The pandemic accelerated the adoption of cloud- and SaaS-based service models, which shifts technology access outside the corporate network and neatly-defined perimeter. 

"The elephant in the room this year has been COVID[-19]," Firstbrook said. "Organizations are really struggling with 100% remote access and everybody moving off the LAN."

It becomes even more of a challenge when legacy processes, tools and procedures are involved. Companies that had modernized their IT infrastructure were not as dramatically impacted by the remote technology requirements the pandemic highlighted, according to Firtstbrook. 

The rapid shift to working remotely had businesses scaling processes overnight, transitions unthinkable without access to cloud-based systems. Now, a company's technology stack is accessible from anywhere, which is good for a remote workforce — and for those trying to exploit it. 

No matter the perimeter, IT hygiene remains imperative, said James Carder, CSO and VP of labs at LogRhythm. If businesses were previously bad at configurations, locking systems down, managing privileges and protecting sensitive data, they've pushed everything to the cloud and made it internet-accessible.

Businesses basically multiplied their risk by an order of magnitude, Carder said. It increases the risk of having a breach or a compromise. 

Risk is something businesses are becoming intimately familiar with. There is no avoiding the multiple attack vectors and threats businesses face. Maturity of a security organization is defined by how it can respond. 

The risks of digital transformation, the pandemic and a rearchitected perimeter have enforced the need for zero trust. 

The methodology dictates companies not "trust anything or anybody," whether a person or a laptop, until they can validate that trust, Carder said. "It is picture perfect to deal with a pandemic and riddle workforce as a way to maintain security." 

The dark side of digital transformation

As IT modernizes and the security function adapts, attack vectors are changing. More than half of cyberattacks now use a victim's digital infrastructure to island hop, according to VMware's Global Incident Response Threat Report. Island hopping leverages a company's supply chain to launch attacks once access is gained. 

A business's "digital transformation has been commandeered and the adversary turns the burglary into a home invasion," said Tom Kellermann, head of cybersecurity strategy at VMware and global fellow at the Wilson Center. 

The threats should shift how businesses defend, Kellermann said. "The island hopping fact really should be a wakeup call for CIOs because CIOs need to realize now that this amazing digital transformation that they have ushered in — that they have nurtured, that they have pioneered in that organization — it can and will be used to attack the customers now."

The threats highlight the size of the cybercrime economy. With resources readily available, malicious actors can strategize and plan attacks, testing what works, what doesn't and what can be repeatedly deployed. 

It leaves security organizations with little recourse. Total prevention is unattainable — improved response is required. 

"The board needs to recognize now that the brand of the organization will be used to attack their customers, it's the dark side of digital transformation," said Kellermann. "Cybersecurity governance must be improved."  

Evolving role of the security function

Outright defense is a pipe dream placing pressure on security to evolve, meet and respond to risks head on. 

"I think, for too long, people have cobbled together security," Kellermann said. 

Whether it was for the purposes of perimeter defense or compliance with standards, businesses purchased and failed to integrate products, many of which required humans to monitor and manage. It put a strain on the already limited workforce, he said.  

Now, security is taking on more responsibility and needs to operate in a strategic way. Businesses require security advice in context, without the department stonewalling progress. In the same way, security needs to become more knowledgeable about the business and its priorities. 

From contracts to technical configurations, security has its hands in everything, Carder said. IT's responsibilities and involvement lessons once they make digital transformation happen or cloud deployments are executed. That's when security moves forward, even into the spotlight of the board. 

"Even if you're buried under the CIO or chief technology officer, you generally still present to the board nowadays," Carder said. The key is communicating from a perspective of risk and outlining recommendations. 

Moving away from security jargon, CISOs should mostly communicate the ramifications on what makes businesses money or impacts operations, he said. 

The new architecture order

Cyberattacks against businesses have a certain amount of inevitability. What's evolved is the need for intrusion suppression, not prevention. 

"Intrusion suppression is really, can you detect, deceive, divert, contain and hunt an adversary unbeknownst to an adversary in your environment," Kellermann said. "If you can get there, which is all about decreasing dwell time and assuring that your infrastructure is not used to island hop, that is success nowadays. And I know that's sad."

As the perimeter falls away, businesses require modern tools to detect and respond. According to Kellermann, the most important security controls include: 

• Endpoint protection platforms

• Microsegmentation

• Application control

• Multifactor authentication

Tool suites layered atop IT infrastructures allow businesses to adapt but as with other technology functions they require orchestration. 

That network of tools has led to the emergence of extended detection response architecture, according to Firstbrook.

Extended detection response architecture unites all security tools into a common data format in one location, allowing business to start making correlations between related events. One of the advantages is it improves event detection and security automation. 

"We're starting to see a lot more vendors invest in process automation to address the skills gap and to make it easier to get repetitive tasks done," Firstbrook said. 

From LAN to WAN

Digital transformation has more workloads running in the cloud, introducing more APIs. 

Businesses are "changing the technology landscape for where security is going from where it came," Carder said. A lot of those traditional security controls and tools may not carry over into this new cloud-centric model. 

Rather than repurpose on-premise security, businesses need to rethink their architecture for the cloud. That means doing away with legacy security investments. 

"A lot of the investments we've made in LAN-based security really aren't showing any value today because everything's moving to the WAN," Firstbrook said. 

Businesses have to undergo a mindset shift when it comes to the cloud, one where they understand what falls under their control or the vendor's. 

"Look, not all clouds are equal," Kellermann said. "People need to understand when you move to a public cloud environment, it's like you're moving to a luxury apartment building in a tough neighborhood and the building is responsible for the security of the lobby and the perimeter of the building. That's it." 

Businesses have to secure their apartment while being situationally aware of the elevator or the hallway, he said.  

At a minimum it is businesses' responsibility when moving to the public cloud to secure endpoints, applications, access and have the capacity to respond and hunt for cyber anomalies in internal systems in real time. 

In part, companies are adopting secure access service edge tools to modernize their security standards. The tool secures WAN architecture to look and operate more like LAN architecture, Firstbrook said.

Democrats cemented control of federal executive and legislative branches after two Democrats won run-off Senate elections in Georgia. The transition creates the potential for a federal privacy law to make it out of chambers of Congress, though no one is holding their breath. 

Partisan and bipartisan data privacy proposals get caught up most frequently in differences between a citizen's right to sue a company for data infringement and a federal law's ability to overrule existing state laws. Even with a Democratic majority, the path toward federal data privacy legislation is a little muddy. 

"I see three potential paths forward," said Daniel Castro, VP of ITIF and director of the Center for Data Innovation, including: 

• The Senate Committee on Commerce, Science and Transportation quickly resolves the "outstanding issues" of preemption and private right of action. "Given how long the process has been so far, I'm not very optimistic on the likelihood of this option," said Castro. 
• A bipartisan group lands on a more centrist bill. 
• Or a Democrat-led Congress could "start with a clean slate," he said. 

The Biden administration has already signaled a push for national privacy rules. "We should be setting standards not unlike the Europeans are doing relative to privacy," President-elect Joe Biden said to The New York Times last year. 

Now that he has a Congress leaning in his favor, it's up to members to meet at the privacy crossroads.

"Right now it's about how much is changing on Capitol Hill. In the end both chambers are almost exactly divided on privacy legislation," said Bartlett Cleland, senior fellow for Technology and Innovation at Pacific Research Institute, in an email. "Perhaps now that environment is present in Congress, but I think it's a bit too early to really know."

Both parties favor data privacy

Ahead of the next legislative session, here are a number of leaders in Congress with a platform prioritizing privacy including Sen. Kirsten Gillibrand, D-NY; Rep. Suzan DelBene D-WA; Sen. Maria Cantwell, D-WA; Sen. Jerry Moran, R-KS; and Sen. Roger Wicker, R-MS. 

Each congressperson's bill never made it beyond its introduction on their respective chamber's floors. With Democratic control, "perhaps they'll actually make it to the floor in 2021," said Daniel Barber, CEO of DataGrail. 

Wicker has been particularly relentless in data privacy pursuits, proposing a draft in December 2019, a COVID-19-specific bill in May 2020, and the SAFE DATA Act in September 2020. 

The SAFE DATA Act was derived from a previous draft by Wicker in December 2019, just after Cantwell presented the Consumer Online Privacy Rights Act (COPRA). In the year since, neither senator has done much to reconcile opposing issues, though they align on protecting consumers from inappropriate data use by companies — the means to do so, however, remain partisan. 

"New committee leadership, particularly in the Senate, may decide to scrap Sen. Wicker's draft bill and put forth something new that incorporates other Democratic priorities," said Castro. 

Cantwell's bill, introduced in 2019, more closely aligns with Europe's General Data Protection Regulation (GDPR) than Wicker's, as it does more to protect consumers. "There is a silver lining that something may get passed but how much of a game changing law it would be, analogous to GDPR in Europe, I still remain somewhat of a cynic," said Heather Federman, VP of Privacy & Policy at BigID. 

Congress has motives to act fast though, given Privacy Shield's overruling in July. The decision jeopardized and limited supplier opportunities for U.S.-based businesses, and impacted about 5,000 organizations. The European Union effectively said U.S. data transfer and protection standards are insufficient. 

Along with the EU's Digital Services Act and Digital Markets Act new rules, "selling to European customers is going to become even more burdensome from a compliance perspective," said Federman. 

National rules are influenced by advancements in privacy legislation in California. In November, California voters passed the California Privacy Rights Act (CPRA), effectively making the CCPA stricter, which Wicker might have to bend to in the SAFE DATA Act. 

The CPRA establishes the California Privacy Protection Agency, which will tag-team with the state's Department of Justice. Vice President-elect Kamala Harris played a role in establishing a privacy enforcement unit within the state's DOJ in 2012 when she served as the state's attorney general. The formation of the unit was years ahead of the CCPA, in which other states are mirroring their data privacy efforts. 

"With Democrats controlling both the House and Senate, it's more likely all the talk of a federal privacy bill to finally take shape," said Barber. Evidence is in the bill introduced by Rep. Anna Eshoo, D-CA and Rep. Zoe Lofgren, D-CA last year. 

Where's the focus

The role the FTC will play in a future privacy law is also dependent on the political party crafting it, and it's currently a diverging factor. 

During the Trump presidency, the FTC was engaged in pursuing high-level privacy issues concerning tech companies unlike ever before. The FTC recently settled with Zoom for privacy concerns uncovered in March and in 2019 the Commission issued a record $5 billion fine with Facebook for its role in Cambridge Analytica data misuse. 

"The FTC became politicized over the Cambridge analytic scandal," said Jim Halpert, partner at DLA Piper, speaking on a virtual panel by Pacific Research Institute in December. "That created a feeling among the privacy advocates and consumer advocates that the FTC was too weak." 

While Dan Caprio disagrees with Halpert's politicization assessment of the FTC, he said the Facebook settlement likely changed the landscape for companies in- and outside of big tech. It "elevated risk" because it folded personal liability for company leadership into the legalities, said Caprio, co-founder and executive chairman of The Providence Group, during the panel. 

The FTC has been clamoring for more data privacy authority for years and if there is a federal law implemented,"the FTC will almost certainly get enforcement authority for that privacy bill," according to Halpert. "I think we can expect if that happens under the Biden administration, for them to take that enforcement role pretty seriously." 

The Facebook settlement is a nod to perhaps other big tech policing concerns. "More broadly, there will also be a push for antitrust cases, though those could take years," said Federman.

FTC Chairman Joe Simons has a background in antitrust and will likely continue its pursuit. In February, the Commission announced it was looking into all non-reportable acquisitions made by big tech since Jan. 1, 2010 through Dec. 31, 2019. 

"I think a new chairman will be equally focused on competition and consumer protection. That's going to make a huge difference in the way that the regulator perceives corporate interest," said Caprio. 

The FTC's focus on areas of big tech like antitrust or Section 230 is the "key question," said Cleland. If Congressional attention shifts too drastically to those issues, privacy legislation will suffer. "If the air is sucked out of the room on those issues I don't see privacy going anywhere. Also there are a measly 18 months until Senate and House campaigns are in full swing."