Discussions about cybersecurity overwhelmingly focus on the recent, which are our responses to the design and engineering decisions of the past. We are right to deal with what is in front of us, but that myopia ensures that we exercise little effort towards crafting our future. We want things to be “better” but what does that mean? Just as important: better for whom? Envisioning a world where cybersecurity problems are solved allows us to assess what potential futures are worth striving for, understand what it takes to realize those futures, and identify the signals that indicate either forward progress, or being led astray.

Everyone wants to know what the future holds. How successful are we going to be? How long will we live? How amazing are our kids going to be? To help answer those questions we do things like complete higher education, work hard to win promotions and raises, work out, change zip codes so our kids can get into the best schools. None of that guarantees success, but rare is the person who achieves their goals by ambling aimlessly. 

Yet in cybersecurity[1] the path towards a brighter future is rarely discussed. Outside of fiction and pure research, cybersecurity literature tends to fall into one of three categories: instruction manuals, works of politics or policy, and histories of significant events, groups, or personalities. All have value, but all also deal with the past, or the here and now. Thoughts on how to achieve a more secure future are largely limited to reiterating the same recommendations that have been made in policy papers, studies, and reports going back several decades.

Given the rate at which technology changes and is becoming more pervasive in our lives, not envisioning a better future and understanding what it will take to achieve that vision is the security equivalent of ‘thoughts and prayers.’ By and large we have left the vision-thing in the hands of authors of fiction, and they’ve provided us with what sells: dystopia.

  • In William Gibson’s Snow Crash “Gargoyles” constantly record what is going on around them, in the hopes of selling content.
  • The Party in George Orwell’s 1984 relied on mass surveillance to obtain and maintain power.
  • Daniel Suarez wrote of swarms of militarized drones in his novel Daemon.

Entertaining reading? Yes. Disturbing parallels to the world we live in today as evidenced by recent events? Certainly. This is not to say that the world needs more feel-good literature about technology, but to point out that if we don’t communicate a positive vision of the future, we are ceding that future to the worst ideas we can imagine.

This post is an intellectual “minimum viable product” that captures the thoughts of a small but diverse set of subject matter experts who were asked to consider three forecasts of the future: to identify what pros, cons, drawbacks, or trade-offs we might have to deal with in order to achieve – or avoid – that future, and what signals would indicate that we were on the right path.

FORECAST ONE: CREDENTIALS NO MORE

By 2030, the convergence of commodity IT and IoT technology has eliminated the need for login credentials. There are enough devices in use by the average person – in their homes, offices, and in and on their bodies – that can produce data with sufficient accuracy, that one’s ability to impersonate another is improbable enough that most service providers have eliminated the traditional login process. Access is no longer a function of what you have (ID) and what you know (password), it is all the things you have and what all those things know about you: your whole pattern of life.

The death of passwords has been predicted several times over the years.[2] We can rest assured that in the wake of a sufficiently large or infamous data breach the disdain for strong passwords – as documented via services like Have I Been Pwned[3] – will be reiterated, followed closely by calls to make two-factor authentication mandatory, followed by how two-factor authentication is (at least via SMS) broken,[4] etc.

Apocryphal stories like retailer Target using data about buying habits to predict that someone is pregnant are illustrative of the power of what is possible.[5] There is only one “Alice” who owns X computers that have Y IP addresses in Z geographic location, who also has a mobile phone and a smart watch and a Bluetooth®-enabled pacemaker, and who regularly visits retailer A and shops online at sites Q and T. All the logs those devices generate are a much more accurate and reliable picture of “who” is sitting at the keyboard than a pair of alpha-numeric words. Internet companies depend on the same data (and more) to make billions of dollars, which is as good a sign as any that the general model is sound, or at least sound enough. What is not to like about a password-free future?

Subject Matter Expert Input

To paraphrase William Gibson, this cybersecurity future is already here, it is just not evenly distributed. The signals that support it include companies like Apple, Microsoft, and Google allowing you to use your finger, your face, or a PIN to access devices and services, not a password, much less a 14-character one that you have to change on a regular basis.

This is a great scenario for individuals, governments, and corporations alike, but for different reasons. From the perspective of the individual, the risk of social engineering or reusing passwords drops significantly, while the usability of devices and services rises. The risk has shifted from the user’s device to the IoT devices they depend on for authentication. That doesn’t seem like a very high bar given the state of IoT security, but it is still higher than reusing passwords and phishing.

From the government’s perspective the increase in the use of IoT sensors will be a surveillance boon. It makes China’s current surveillance regime seem quaint by comparison.[6] But from the perspective of agencies themselves (and sufficiently large corporations) how this plays out is a little more messy. Corporate IT security strategies are plodding beasts. It would take some truly visionary and powerful executives to require the gander to follow the goose with regards to authentication.

The bad news is that if there is a flaw in an authenticating algorithm, or if someone puts in the effort to steal your identity – by re-training the machine learning algorithm that’s supposed to identify you, for example – you’re locked out of everything and have almost no way to remedy the situation. In this new world, you would need to get an army of humans to accompany you to an “Identity Services Office” and convince an AI that the machine that identifies you needs to be reset. Any fundamental change to your life (a radical new diet, moving, switching computing platforms, reducing your technology usage) means you are not you as far as the algorithm is concerned.

As convenient and more secure as this new future is, it runs smack-dab into issues related to privacy. If online products and services cannot make money off of your identity then they are going to be disinclined to grant you the convenience of frictionless utility.[7] If you demand a “right to be forgotten” you’ll have to cede that right in order to engage in modern society.

FORECAST TWO: SOX REDUX

The Rapid Data Recovery Act of 2028 requires the mandatory implementation of backup schemes by publicly traded companies, government agencies, and critical infrastructure. CEOs are liable for failure to comply. This is the result of the ransomware epidemic reaching its peak in the early part of the decade, resulting in a record negative impact on businesses, government agencies, and individuals worldwide. Thousands of lives were lost, along with billions of financial transactions. The inability to govern reliably led to frequent violent protests worldwide.

Ransomware as a technique is not new.[8] Ransomware as a phenomenon has steadily been picking up steam for the better part of a decade. Perhaps no other blight on the online world more clearly illustrates the nature and scale of the problems we face, how inappropriately we face them, and the extent to which things could go horribly wrong but for the will of a higher power.

The most effective countermeasure to ransomware is a sound backup scheme that stores copies off-line where ransomware cannot reach them. Who is responsible for backups? That is actually IT’s job, not security’s. Such a fundamental, almost pedestrian task takes on supreme importance depending on context. Yet the leading “solutions” promoted to counter ransomware are not backup drives but security products.
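A backup scheme is only “sound” if you can tell an intact offline copy from one that was silently rewritten or lost, which is what a restore test checks. The script below is an added example and not code from the original post: it records a SHA-256 manifest of a source tree at backup time, then verifies an offline copy against that manifest, reporting files whose contents no longer match and files that are missing. The directory layout, file names and contents are constructed for the demonstration, and the tampering step only stands in for whatever reached the copy.

```python
"""Backup integrity manifest (added example; paths and contents are constructed)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Check a copy against a manifest taken at backup time.

    Returns a dict with 'ok' plus the lists of files whose digest changed
    ('mismatched') and files that are no longer present ('missing').
    """
    mismatched, missing = [], []
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != expected:
            mismatched.append(rel)
    return {"ok": not mismatched and not missing,
            "mismatched": mismatched, "missing": missing}


def demo() -> dict:
    """Build a constructed source tree, copy it, tamper with the copy, verify both states."""
    work = Path(tempfile.mkdtemp())
    src, backup = work / "src", work / "backup"
    (src / "docs").mkdir(parents=True)
    (src / "docs" / "plan.txt").write_text("quarterly plan\n")
    (src / "ledger.csv").write_text("date,amount\n2028-01-01,100\n")

    manifest = build_manifest(src)          # taken before the copy leaves the network
    shutil.copytree(src, backup)            # stands in for writing the offline copy
    # Store the manifest beside (not inside) the copy so it is not part of what is verified.
    (work / "manifest.json").write_text(json.dumps(manifest, indent=2))
    clean = verify_manifest(backup, manifest)

    # Constructed tampering: one file rewritten in place, one file removed.
    (backup / "ledger.csv").write_bytes(b"\x00not the ledger any more\x00")
    (backup / "docs" / "plan.txt").unlink()
    tampered = verify_manifest(backup, manifest)

    shutil.rmtree(work)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is kept with the offline copy but outside the verified tree, so a restore drill can run `verify_manifest` against the copy before anything is brought back online; a non-empty `mismatched` or `missing` list means that copy is not the one to restore from.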

The original SOX or Sarbanes-Oxley Act of 2002[9] was a response to corporate accounting shenanigans. Since its passage very few executives have ever been charged with violations of the law, and fewer still have ever been convicted, but that number is not zero. While we can and should question statistics around just how many enterprises are no longer in business due to ransomware, we know that number is not zero either.[10] Given the state of cybersecurity in all but the largest enterprises, damages and losses from ransomware would likely be worse if an accountability mechanism were not put in place at some point.

Subject Matter Expert Input

Legislation along these lines is actually not a terrible idea because it really addresses a more important issue (resilience) not a tactic (ransomware). The drawback is that it still puts a burden on the victims, not the perpetrators.

Ironically, some of the most vulnerable institutions (governments) are the ones who would be passing such regulation, which calls into question how likely it is that such an effort would be ratified, and, if ratified, how likely it is that it would actually be implemented in a meaningful timeframe and with sufficient teeth.[11]

From a consumer or citizen perspective, the implementation of backup and recovery schemes means that services become more reliable and government more trustworthy. From a corporate or governmental perspective it means that the damages due to data-ransom loss are more manageable.

The lack of understanding of cybersecurity in both governmental and commercial halls of power is something that would accelerate us towards a similar future: pushing responsibility for data storage and recovery to service providers willing to meet more rigorous standards on behalf of the affected entities. Increased outsourcing would be a positive signal.

Unfortunately, none of this impacts other data-related attacks like extortion. We may eliminate the value of ransomware as a tactic, but at an increased cost to potential victims in the form of unplanned expenditures, which economically speaking is kind of what recovering from ransomware is like.

FORECAST THREE: IT’S THE PEOPLE, STUPID

In 2030 cyberattacks have never been more prolific or severe despite the rapid growth of cybersecurity products and services. Cybersecurity had long been a field with negative unemployment, but even with employers hiring those with non-traditional backgrounds (no degree, no credentials, self-taught) it was not enough. The result was an explosion in the sale of black boxes and as-a-Service offerings; if companies couldn’t hire the people they needed, they would off-load the problem to something or someone else. Sturgeon’s Law[12] applied to these offerings just as it did to commodity IT products, providing attackers with an increased, and increasingly valuable, attack surface to exploit: and they did.

The allure of a blinky box that solves your cybersecurity problems has been in our collective consciousness since the dawn of the commercial firewall.[13] The arrival date of the “next-generation” product that guarantees to cure what ails you can be predicted like clockwork: just after the first report describing some new malicious scheme, although not before said scheme is anointed with a sufficiently entertaining nickname.

Automation is certainly an answer, but as this paper was in the final stages of editing, the SolarWinds incident[14] illustrated painfully that it isn’t necessarily the answer. No matter how many robot defenders come off the assembly line, the need for people to adequately address security problems – including those with the robots – shows no sign of abating. The advent of the automobile meant that you had the power of multiple horses, not just one, at your command. Yet for every security box you buy you need at least one and usually more than one human to keep it up and running. The economic machinations behind such approaches are transparent enough, but the rate at which we’re producing both general purpose and specialty boxes and connecting them to the network exceeds by orders of magnitude the number of security boxes we’re making to keep an eye on those other boxes.

It also does not help that security devices and services are no more secure than what they purport to protect.[15] The introduction of a security product should not introduce new conditions that make the network or enterprise less secure. Doing so gives support to the premise that no one is really in the cybersecurity business, even cybersecurity companies; they’re just in business.

Subject Matter Expert Input

Defense has always had an advantage over offense, but defense has rarely been properly staffed, organized, trained, equipped, or led to exploit those advantages. This leads organizations to make decisions based on fear, uncertainty, and doubt (FUD). The earliest discussions in academic papers on “risk management in internet security” go back to 2001, and 20 years later we’re only beginning to see the reasonably widespread adoption of risk management principles. This means that the momentum of the FUD and silver bullet security market will easily carry on for another 10 years.

This is bad because it means both large enterprises and SMBs will continue to overspend on security solutions at a rate that greatly exceeds their likely damages, and the weight of this cybersecurity spend will begin to slow down innovation in other spaces.

Simply framing this as a people vs. technology issue only makes sense if you ignore the fact that we have yet to fully exploit the entirety of the human capital we have available to us. But the fact of the matter is that people don’t scale. There is a good deal of wisdom behind efforts to automate as much as possible. The problem is not automation per se, but poor implementation and the lack of standards. Standards are not a guarantee of reduced risk, but they serve as a metric and in certain circumstances, a cudgel.

One signal that may indicate forward progress is a shift in the thinking of security practitioners as they transition to a risk-managed school of thought, and as CISOs shift their focus away from technology and towards business. Organizations where this next generation of professionals reside will achieve successful security outcomes at a fraction of the current cost.

The good news is that select large corporations will crack this nut for large numbers of users. Microsoft’s push to cloud services will get “secure by default” settings to individual users and businesses alike. AWS and Google will help achieve a “reasonable default” from a security perspective, which means new businesses, and individuals (notoriously unreliable when it comes to implementing security measures) will get to a better place without having to take any action on their own behalf.

BACK TO THE FUTURE

We began this effort with the recognition that we work in a field that spends its days dealing with yesterday’s design and engineering decisions. That myopia ensures the future of cybersecurity is pre-ordained to be more of the same because we’re not working on the possible, but responding to what has been done to us.

Failing to reorient our gaze ensures that by 2030 we will be dealing with problems far worse than we are today, and in greater volume. The last 30 years have basically been us connecting random devices to a global network without regard for security. Our relationship with such devices is only getting more intimate.[16] Forget trusting your toaster:[17] when you cannot trust your insulin pump[18] or pacemaker[19] cyber-insecurity becomes an existential threat.

Having said that, the jury is still out with regards to the true demand for a more secure cyberspace. No matter how big the breach, or how substantial the loss, the pain linked to cybersecurity failures is still less than the net benefit the Internet has had on our lives. It is entirely possible that we have reached stasis: things are secure enough. Risk is distributed widely and appropriately enough. Threats do not endanger the vast majority. In such a world, forecasts of “better” are a waste of time because it does not get any better than this. It is a fairly disturbing consideration that adds fuel to the fire of the idea that if we do not envision and actively work towards the future we want, we will most assuredly end up with the one we deserve.

WHAT’S NEXT?

This post is an intellectual “minimum viable product” submitted for your review and constructive comment. Sufficiently positive feedback may result in a more substantial effort being carried out. Those interested in participating are welcome to introduce themselves to the author.

ACKNOWLEDGEMENTS

This work would not have been possible without the contributions of several subject matter experts in various disciplines currently working in senior technologist, managerial, and executive roles in industry.


[1] For the purposes of this work “cybersecurity” includes the disciplines of computer security, information security, and their primarily technical sub-disciplines; it does not include deception, misinformation, disinformation and the like.

[2] CNET: Gates Predicts Death of the Password, https://www.cnet.com/news/gates-predicts-death-of-the-password/

[3] https://haveibeenpwned.com/

[4] https://www.theverge.com/2017/7/10/15946642/two-factor-authentication-online-security-mess

[5] https://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/; https://medium.com/@colin.fraser/target-didnt-figure-out-a-teen-girl-was-pregnant-before-her-father-did-a6be13b973a5

[6] https://www.theatlantic.com/international/archive/2018/02/china-surveillance/552203/; https://www.wired.co.uk/article/china-social-credit-system-explained

[7] If the service is free, you’re the product.

[8] https://en.wikipedia.org/wiki/Ransomware

[9] Sarbanes-Oxley Act of 2002: https://en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act

[10] https://www.cnet.com/news/malwarebytes-state-of-ransomware-shutting-down-1-in-5-affected-small-businesses/

[11] https://www.nextgov.com/it-modernization/2021/01/10-15-dods-major-it-projects-are-behind-schedule-gao-found/171155/

[12] https://en.wikipedia.org/wiki/Sturgeon%27s_law

[13] https://www.darkreading.com/who-invented-the-firewall/d/d-id/1129238

[14] https://www.cnet.com/news/solarwinds-hack-officially-blamed-on-russia-what-you-need-to-know/

[15] https://www.zdnet.com/article/googles-project-zero-uncovers-critical-flaw-in-fireeye-products/; https://www.crn.com/news/security/palo-alto-networks-vulnerability-could-be-exploited-by-foreign-hackers-feds; https://threatpost.com/attackers-exploiting-high-severity-network-security-flaw-cisco-warns/157756/

[16] https://nextgenexecsearch.com/iot-medical-devices-transforming-healthcare/

[17] https://www.devost.net/projects/information-terrorism-can-you-trust-your-toaster/

[18] https://www.wired.com/story/medtronic-insulin-pump-hack-app/

[19] https://www.fda.gov/medical-devices/safety-communications/cybersecurity-vulnerabilities-affecting-medtronic-implantable-cardiac-devices-programmers-and-home