Our world is changing, and with it, the cybersecurity challenges that we all face in securing that world. The coming of a new year is, of course, just another day in the calendar, but it’s also a chance to take stock and wonder just what the next few years may bring.
So I thought I would offer 10 predictions for the future—with the first 5 now, and the second 5 to follow. So here goes.
- The creativity of organized crime continues to challenge us
Extortion through ransomware makes money, with losses increasing as criminals become more careful in selecting their targets, spend longer working out how to extort money most effectively, and ratchet up their ransom demands into the hundreds of thousands or even millions of dollars. Companies increasingly look to the cyber insurance sector to cover those payments. Expect insurers nursing growing losses to become more selective in just what and who they’re prepared to insure as cyber insurance comes of age. With regulatory penalties rising for cyber incidents, also expect criminals to be creative in encouraging clients into paying ransoms rather than risk public disclosure of sensitive data or security weaknesses. I suspect criminals will also have an eye to the potential for deep fakes, which make it harder to distinguish truth from fiction and open up new avenues for reputational harm and blackmail.
- The speed and scale of exploitation increases
While the old staples of CEO fraud and business email compromise are still with us, criminals have found new opportunities in poorly configured cloud services, websites and content delivery networks. Quickly spotting those vulnerable systems using automated tooling has opened the door to attacks at speed and scale, leading to data breaches, installation of payment skimmers and system disruption. And of course, organized crime has an eye to the attack surfaces offered by 5G and interconnected internet of things devices. For their part, law enforcement and tech companies are getting much better at taking down and disrupting criminal infrastructure, with some big and high-profile successes recently. Expect digital combat to continue, with more sophisticated analytics and rapid interventions to disrupt criminal infrastructure, as active defense becomes commonplace.
- The global commons will vanish
The dream of a global commons in cyberspace is dying. Countries are increasingly regulating to create walled gardens and national fortresses to defend their corner of the internet. Some countries demand that personal data be processed in-country. Others seek to limit the use of overseas technologies. Yet more erect increasingly sophisticated national firewalls to control and limit access by their citizens to the internet or protect their national networks against malicious activity, however defined. Businesses are being forced to adapt their global models to create in-country or in-region data centers or cloud instances. The extra-territorial ambition of many national legislative instruments on privacy, cybercrime and national security is creating a complex and conflicting network of obligations, requiring firms to pay increasing attention to the origin and nature of the data they process and handle. Metadata matters more than ever.
- The lawyers are moving in
Regulatory sanctions are increasing as many countries implement stricter privacy regimes and also impose greater penalties for service disruption and data breaches. There’s an inevitability around the litigation that follows as companies seek to challenge fines running into the hundreds of millions of dollars. Just what's good practice, and what represents negligence on the part of a breached organization? A single line in the General Data Protection Regulation states that personal data shall be “processed in a manner that ensures appropriate security.” Who’s the arbiter of appropriate? Separately, class action suits continue after data security breaches in the US, often taking years to conclude, while other nations establish the norms around group litigation to protect consumer interests, including around the internet of things. Will courts accept expert testimony, or will we see recourse to standards as the only means of organizations providing comfort around their security controls, and will that really make us more secure?
- The death of anonymity
Countries are demanding the policing of content on social media. But where do we draw the line between free speech and content which is harmful, libelous, subversive or immoral? Every nation will have its views. It’ll look to social media giants to police their content in line with those ill-defined norms, demanding takedown of content nationally and blocking of content from overseas. Content filtering is becoming a massive industry, increasingly reliant on artificial intelligence systems to screen bulk data. The censor bots are arriving. Long-standing debates on end-to-end encryption will continue as nations demand access to digital platforms for national security and law enforcement reasons, and the tensions between individual rights and those of the state become starker. Fragmentation of the internet seems more and more likely. Amongst all of this, the ability to stay anonymous is disappearing as nations mandate stricter sign-up conditions and authentication mechanisms for access to internet resources.
So that covers the geopolitics and the changing nature of power in cyberspace. These predictions, of course, will have implications for all of us. But I remain an optimist, and I again look to the Internet as providing the heart of our modern world. The technology is neutral—what we do with it is our choice.
In the next installment I’ll be looking at what this means for business, and how security as a profession and practice is changing.