It’s been an active year in cybersecurity. Washington and Beijing reached a historic agreement around cooperation for curtailing digital espionage, the US government suffered its largest known data breach, and there was a seemingly endless string of breaches and hacks.

Looking ahead to 2016, there’s little indication from experts that online threats will be any less numerous or menacing. But there is optimism that groundwork laid this year could pay dividends in the year ahead. That’s especially the case regarding negotiations with China to thwart commercial hacking, said Ellen Nakashima, national security reporter at The Washington Post.

“It’s a combination of these tools and these measures by the US as well as expressions of concern by others – industry and academia – that could start to move the needle next year,” Ms. Nakashima said.

Nakashima joined a panel of cybersecurity and legal experts to discuss some of the most pressing trends in cybersecurity at an event hosted by the Atlantic Council think tank in Washington. Passcode was the exclusive media partner for this Cyber Risk Wednesday event. Here are three things we learned:

1. New norms emerged for reporting cyberthreats

Companies are going public much faster after breaches, according to Nakashima. For instance, she said, the way Home Depot notified customers about its 2014 breach – and quickly started looked for solutions to mediate the impact – influenced how other companies responded to breaches this year.

“There’s been a gradual shift away from blaming the victim,” Nakashima said. “Yes, people feel like companies should be responsible for cybersecurity, but they also understand this is such a widespread and pervasive problem that what company hasn’t been hacked?”

2. Cyberthreats are bigger problems for small businesses

More small companies are reaching out to the government for help with issues around cyberattacks, said Sean Newell, deputy chief for cyber, counterintelligence, and export control section at the Department of Justice. Unfortunately, he said, small firms don’t have the same capacity as large corporations to confront dangers online.

“I wonder if that’s going to push the threat down to mid- or smaller-sized companies,” Mr. Newell said. “I see that as an issue coming forth in the next year.”

3. Progress with China takes time

It’s a good sign that there hasn’t been another attack such as the Sony Pictures breach, said Jason Healey, senior research scholar at Columbia University’s School of International and Public Affairs. Even though the US blamed North Korea for the Sony hack, Obama administrations officials told The New York Times the government has sought China’s help to stop attacks coming from North Korea. Indeed, said Mr. Healey, success with the Chinese shouldn’t be measured only in terms of the recent cyberespionage deal. Instead, it should be seen as incrementally better than it was previously.

“Diplomacy isn’t binary, right? It’s not one or zero,” he said. “If this decreases Chinese espionage by 10 percent, it is quite possibly the most successful thing we’ve ever done to reduce Chinese espionage.”

Two notable quotes:

1. If the US decides it’s necessary to monitor smartphone apps for potential terrorist activity, Healey said, it is feasible that terrorists will attempt to stay ahead of that monitoring by switching apps frequently.

“What do we do when we have terrorists on Tinder?” Healey said. “How far does this go with the proliferation of technologies, that we’re going to continue to chase them down every hole? Does that scale?”

2. Looking forward at whether the US’s efforts with China have effectively stanched the country’s efforts to hack for economic gain, Nakashima said President Obama’s executive order this year might shed light on possible next steps. The order allows him to impose economic sanctions on either companies or individuals that conduct cyberattacks, including for economic gain.

“If China continues to conduct economic espionage and is essentially violating its pledge, I would expect the administration, before its term is out, to go forth and impose those sanctions,” she said.

Correction: This story was updated after publication to correctly identify the panel participant from the Department of Justice as Sean Newell, deputy chief for cyber, counterintelligence, and export control section of the National Security Division.