Technological innovation promises to reshape the world in ways society can’t even imagine. As it continuous to integrate and reshape the lives of 7.8 billion of people that are living on this planet, new unforeseen challenges are bound to occur. One of the main challenges will be associated with cybersecurity: an area that works towards fighting cybercrime which has cost the world $3 trillions in 2015 alone and is expected to hit the $6 trillions mark by 2021, according to Herjavec Group. To become better positioned for this challenge and lessen its impact, this article will look at the future of cybersecurity in the decade to come.
The Internet of Things (IoT) will continue to evolve and further integrate digital solutions and applications to businesses, people’s lives, houses, and communities. This integration will create complex ecosystems that are challenging from a cybersecurity standpoint, as the weakest links and new unearthed vulnerabilities will prove to be a continuous threat to the IoT environment. IoT will also raise concerns over government, corporate and individual interference with the aim of using the technology to infiltrate interest groups and adversaries at a wider scale.
Further integration of IoT will pose challenges regarding a company’s liability towards the continuous development of cybersecurity even after the technology becomes obsolete from a product cycle point of view. This is likely to be further exacerbated by the potential risk of a major IoT manufacturers going bankrupt, leading to the potential automatic default of key updates.
Concerns over a consumer’s ability to tinker with a purchased product will be reinvigorated as anxieties over its interconnectivity and cyber-risk will become a forefront challenge to companies and government. Who is liable when an individual tinker with a Tesla autopilot system and causes a crash? What about a cellphone that is integrated to an IoT environment?
Companies that fail to create a cybersecurity focused curriculum and continue to follow a reactive approach will see an increase in cyberattacks with direct impact on Intellectual Property, consumer/ employee / employer data and many more. It won’t be enough to sit down with the cybersecurity team for approval or send a 10-page list of ‘To dos and not to dos’ or provide a laborious ‘checkmark’ based mandatory training. To decrease cybersecurity risks, companies will need to embark in a cultural and strategic transformation to drive measurable cybersecurity improvements.
Leaders of publicly traded companies will likely see a direct impact to their share prices if cybersecurity is not considered to be a major part of its business strategy. It will no longer be enough to not be on the list of companies that have faced a cybersecurity breach that year, as investors and analysts will begin pricing cybersecurity risk into the market. Expect the word cybersecurity to show up more often in a company’s annual and quarterly reports alongside the CEO’s statements.
As resources are poured into insulating key assets in a company, threat actors will move down the supply-chain by targeting less sophisticated supplier companies that can serve as a conduit to an attack on their target. This will serve as a persistent threat to the more sophisticated organization. To diminish such risk, establishments will need to require stronger cybersecurity strategies from their suppliers which will lead to a premium for the product with varying levels of implementation success.
Bluetooth and its wireless derivatives will continue to see consumer demand growth. Unfortunately, this type of technology is full of cybersecurity related concerns with bluebugging, bluejacking, and cases dating back to examples such as Armis’ disclosure of Blueborne in 2017 which had the risk of impacting over 8.2 billion devices. This growth in consumer demand will put pressure on cybersecurity departments to balance the need of satisfying executive and personnel interests with the overall security of the organization. Further pressure will also be put on leaders and executives who need to balance potential reputational damage followed by a security breach with customer demand for such products and proactive spending on R&D to make such products safer.
The private sector will increasingly realize that they will not be able to fight certain types of cybersecurity threats alone. This will lead to a partial shift in the mindset of certain organizations, leading to increased cooperation, albeit at an arm’s length, with the public sector.
New associations and organizations will be created to enhance cybersecurity, both on a private sector level and at intra/ intergovernmental levels. Stronger intergovernmental regulations will be considered and some will be adapted; however, it will be extremely difficult to oversee, manage, and enforce.
For those in their early stages of a cybersecurity cultural shift or are simply looking for a refresher, please refer to publicly available cybersecurity awareness training such as US-NICCS, Canada-CSAToolkit and EU-ECSM.
Data breaches will start to show its true potential to cause damage in an even more radical way. As sophisticated actors will advance their interests by connecting the dots from a variety of breaches and publicly available data to create a bigger picture of their victims and adversaries. Interference in the 2016 United States election will prove to have been just the prototype to much larger scale interferences in the public and private sectors.
Connecting the data from different departments to gain further insights and drive innovation will be key to an organization’s success in the era of AI and machine learning. At the same time, connecting such data will pose enhanced risk to cybersecurity and the protection of such data and IP.
Cyber militias, a group who is willing and able to conduct cyber-attacks for the benefit or interest of a larger organization, will gain prominence and continue to grow at a fast pace, spreading to a larger portion of the cyber environment. These groups and individuals will serve as proxies both directly and indirectly to more sophisticated actors, helping to build a multi-pronged effort to weaken their adversaries economically, politically, sociologically and culturally, driving an increase in resources spent to try to thwart such attacks.
More actors both in the private and public sector will look for new, innovative ways to use an attack to their assets as an opportunity to infiltrate the attacker. This will be a divisive topic in certain groups as they may start to become, willingly or as a byproduct, part of a cyber militia. There are also concerns over the potential risk that a malicious actor uses an unaware middleman to drive their attacks, leading to an extra layer of complexity not only to the parties involved, but to governmental law. Is a company liable for snooping on an unaware personal laptop that has been manipulated by a malicious actor?
Machine learning, AI and its clusters will be essential to the advancement of cybersecurity firewalls. At the same time, this area will continue to play catch-up as malicious actors will evolve their threat vectors and capabilities at a faster pace than cybersecurity departments can follow while also making use of such technologies to their advantage.
Data from prior breaches, both from the company and its satellite partners, will prove to be even more valuable to malicious actors to use in advanced phishing scams. This trend will give way to more sophisticated persistent threats towards even cybersecurity minded personnel.
Advancement in data access and information process capabilities will evolve into direct and indirect social credit creation in societies all around the world with different shapes, albeit with similar overall trends. The interest in creating an environment with stronger data privacy will grow in some countries, but it will be hampered by the global trend on social credit and its cost-benefit analysis. Some nations will realize that they require the ability to gather such data in order to not fall behind their peers and be blindsided by their actions and know-hows of their own population. Threat actors will target social credit institutions to gain further insight on the community and governmental perspectives of it. This information will be used to create more sophisticated, targeted attacks.
Sophisticated and well financed threat actors will advance their attacks on bug hunting prize providers and bug hunters to gain insight on the most prolific bug hunters. This information will serve to contact and provide incentives for these individuals/ groups to delay or annul their bug submission so that the bug can be abused.
Implementation of 5G technology will prove to be a powerful tool to drive technological innovation. It will allow for increased connectivity, larger numbers of devices, more capable IoT and many more. This will power a boom for technological innovation, however, in cybersecurity terms, all the items listed above are simply an exponential increase in threat vectors raising the alarms in cybersecurity departments.
There will be a heightened interest for sophisticated actors to infiltrate cloud providers and its suppliers to gain direct access to data. Issues with improper installation and management of cloud services will continue to be a major cybersecurity issue to many cloud users. RiskBasedSecurity has noted that within the first semester of 2019, there have been over 3,813 breaches exposing over 4.1 billion records with 3 breaches considered to be at the top largest breaches of all time.
The utilization of AI and Machine Learning solutions to drive cybersecurity advances will go head-to-head against company policies and governmental regulations, drawing increased regulatory compliance scrutiny at all organizational sizes.
Public and internal corporate scrutiny will force cybersecurity leaders to re-emphasize their commitment to regulatory compliances and socially accepted practices. Concerns of this nature will grow in all areas, including HR, Finance, Sales and others. For example, AI augmented cybersecurity may create biases towards the HR hiring process towards or against societal groups.
The uncertainty over whether an employee has acted in bad faith when it comes to cybersecurity incidents will become more prominent and its repercussions will resonate and raise concerns throughout societies.
A lack of AI and Machine learning explainability towards cybersecurity processes and responses will raise red flags at all levels of society. Concerns over its ability to explain its actions or decisions in relation to its successes and failures will grow exponentially. This will limit cyber security expert’s ability to understand the ins and outs of the tools used and the results provided.
Data and IP theft will become even more pervasive, directly impacting workforce displacement in all industries. These cybersecurity thefts are expected to serve as the backbone to the creation of new business adversaries at local and global levels, causing drastic impacts to the competitiveness of the private and public sector in different countries. Following such events, major business losses related to such cyber crimes will lead to some business failure followed by workforce displacement.
A perceived lack of action and support from government to protect the data and IP of private corporations and individuals may partially stifle research & development investments and innovation. Financial incentives in the form of cybersecurity rebates and other derivatives will likely come to fruition in some countries, although concerns over implementation and societal backlash will be at the minds of politicians and regulators.
Cybersecurity breaches will continue to stain the reputation of organizations around the world. Some breaches will be engineered by sophisticated actors or their respective governments to drive their adversaries out of business or diminish their market share. Publicly traded companies that have been through a cyber breach have on average, underperformed the NASDAQ according to Comparitech.
Concerns over country of origin and supply chain for both goods & services will be exacerbated in the upcoming years due to increased threat of it being a potential conduit for cybersecurity and business disruption.
Cybersecurity attacks to critical infrastructure will become more common in both developed and developing nations. Cases such as New Orleans and its decision to declare a state of emergency due to a cyber attack will propagate further. The odds of a cyberattack miscalculation will be heightened throughout the decade, leading to an increase in cyber skirmishes which will serve as the spark to a full-fledged conflict.
A single or a few major incidents associated with data breach and advanced malicious attacks with clear physical implications will be a catalyst that pushes certain governments towards policies that are considered to be unacceptable in today’s environment.
The infiltration of hardware and software into certain governments and societies will be further used by sophisticated actors as a tool to put their adversaries to their knees or receive extraordinary concessions (E.g. blackmailing & ransomwares). Expect the infiltration of adversaries into public and private institutions to continue. A combination of data breach, social engineering, blackmailing and perceived socio and economic movements in society will be used as tools.
Many nations will deem cybersecurity attacks as an act of war; however, they will find it challenging to react. That is specially the case in countries that are dependent directly or indirectly on critical goods & services provided by their aggressor. The means and capabilities of the aggressor will also act as a detractor to escalation, further frustrating governmental and societal apparatus.
Some societies and clusters may find themselves becoming ‘mentally exhausted’ to the concerns of cybersecurity as the assumption that their data is widely available becomes prominent and that they feel powerless to it. Other societies will find themselves fighting tooth and nail and wanting ‘heads-to-roll’ for the failure to secure their data. The actions of society coupled with governmental reinforcement of its beliefs will be a major driver as to whether private organizations will hide a cyber breach, increase/ decrease cybersecurity budget and work with peers to decrease potential risks.
The world is currently generating over 2.5 quintillion bytes of data per day, according to Domo. This number is expected to rise exponentially in the next decade. With the growth in data, the potential for threat actors to use such information to drive the narrative, extort, blackmail among other activities will magnify exponentially. This will have a direct impact on societal standards and expectations.
As individuals begin using technology in their bodies for treatment, monitoring of diseases, enhancements and more, concerns over a malicious actor’s ability to infiltrate such technology and lead to physical harm will increase exponentially. That is specially the case for those in position of power as they are perceived to be valuable targets to sophisticated threat actors.
The evolution of deepfake and its derivatives will continue and with that, it will be used for new, more advanced malicious attacks. Deepfake will likely be used as a way to extort and blackmail individuals, families and organizations. Deepfake is expected to be used as a social engineering tool to disclose secrets by impersonating individuals and groups. The material gathered in social media apparatus such as TikTok, Twitter and Instagram will likely be used as data to the creation of individualized deepfakes. Increased awareness of deepfake will likely increase the mistrust of society in the media and societal/ governmental apparatus. The first case of someone being indicted and imprisoned in part due to deepfake evidence is expected to occur.
Publicly, quantum computing and its derivatives remain in its infancy, however, its long-term prospects have the potential to shake the foundations of cryptography and it may very well begin in the decade of 2020. Cryptography has been used as a means to secure communication between parties, a foundation in cybersecurity that helps to keep third parties from intercepting it. When this secure communication is broken, adversaries may gain insight not only on the communication occurring at this moment, but on data that has been stored.
Although, without a doubt there will continue to be challenges to build a fully functioning quantum computing apparatus, one thing is clear: when fully functional, quantum computing will have a profound change in the very fabric of technology and computing.
This article paints a bleak picture of what this decade holds, however, the goal is not to make its readers feel down, but to help serve as a light of what is to come so that individuals and society can make stronger, more informed decisions and policies to help drive a better future. One thing is clear: history repeats itself, albeit with different shades and intensity.
*Due to the sensitive nature of the topic, examples have been limited to highly publicized stories. For those interested in enhancing their cybersecurity capabilities and overall digital strategy, contact the authors.