How about the future of cyber security?

A simple online search for “cyber security predictions” will reveal a tremendous number of results. Everybody feels confident enough that they can predict the future in this area. But to what end, if human predictions are no better than “chimps randomly throwing darts at the possible outcomes”? Are we anywhere close to knowing what the future in security might look like?

A little something about predictions

Foreseeing the future is man’s earnest desire. Humanity has always looked for ways to predict the future. Hundreds of years ago we relied on prophets; nowadays we use scientific approaches such as statistical forecasting, but also some modern prophets (called visionaries).

Of course, when I say predictions, I do not mean the type of sales forecast from one year to another, as for those I am pretty sure we have already identified reliable statistical methods. What I actually refer to is predicting events that can have a huge socio-economic impact, enough to influence the course of communities, such as world politics and, why not, cyber security.

We never got very good at this so-called “art”. One of the best papers on the accuracy of predictions is the study entitled “The Psychology of Intelligence Analysis: Drivers of Prediction Accuracy in World Politics”, authored by Philip Tetlock (along with other co-authors) from University of Pennsylvania. The study reports “findings from a geopolitical forecasting tournament that assessed the accuracy of more than 150,000 forecasts of 743 participants on 199 events occurring over 2 years”. Not surprisingly, the main finding is that “chimps randomly throwing darts at the possible outcomes would have done almost as well as the experts”, as described in a New York Times article. The same article remarks that “long-term prophecies can be derived from scientific conditional predictions only if they apply to systems which can be described as well-isolated, stationary, and recurrent. These systems are very rare in nature; and modern society is not one of them”. The quote is attributed to Karl Popper, the author of the 1934 revolutionary book “The Logic of Scientific Discovery”.

Considering the above, you should really have some doubts when reading any kind of prediction, in any domain. We were simply not blessed with such a skill by nature. This article, undoubtedly, falls into the same category. 🙂

But wait, not everything is lost. The same scientific paper mentioned above uncovers some factors that can contribute to a slight increase in the accuracy of one’s predictions:

  • The more intelligent, the merrier (no surprises here, as this helps in all cases);
  • Domain expertise (a weather forecast by a cyber security expert might not be something that you can rely on);
  • Teams always outperform individuals;
  • The more open-minded, the better the predictions;
  • Training in probability can guard against bias;
  • Rushing produces bad predictions (certainly not something new);
  • Revision leads to better results (I was told in school something like that).

The bright future of cyber security

Anyway, my focus here is cyber security and what the future in this field might look like. Just by googling “cyber security predictions 2019” you get a tremendous number of results. Almost every big player has at least one article or white paper on foreseeing the future. It has become a kind of tradition, in that if you don’t make some predictions, you’re not worthy of being part of this industry. I do consider this a first sign of doubt.

In the table below I tried to summarize what many sources have indicated. I took the liberty of dividing them into threats, new technology developments and trends, just to offer more clarity. By the way, in the “Useful resources” section you can find the main sources used for this article.

Table 1 — Future of cyber security

Scouting through the numerous predictions, you do find a lot of common findings from different sources. That’s not necessarily a bad thing: it means that industry players are quite aligned, having a clear view of the threat landscape and hopefully of what needs to be done next.

In the THREATS column there’s nothing really new, to be honest. The only novel thing might be an increase in volume, something that is not necessarily out of the ordinary. The newest entries (ransomware, crypto mining) have actually been developing quite fast for some years now. We have had nation-state attacks since 2007 (Estonia); it is just that more nations have now developed such capabilities. Critical infrastructure has been a target for some time now and we’re not getting better about it, according to this source. IoT was a concern from the beginning and still is nowadays, although considerable efforts have been made throughout the industry (just try to count the number of conferences on IoT security). As the cloud adoption rate increases worldwide, so do the volume and variety of attacks.

Going into the TRENDS column, we notice that both sides (ethical and unethical) have started either being more aware or further developing their capacities. The ethical side (governments, security vendors, professionals etc.) has now turned its attention to regulation (especially in the privacy area — GDPR), budget increases for security spending and supporting cyber security penetration higher up in company hierarchies. This means more focus on cyber and larger penetration within the market, as small and medium companies also start considering security solutions. The unethical side is becoming more professional, aiming for quality (improved crime as a service) but also for quantity (a rise in the number of data breaches).

This takes us to the last column, related to NEW TECHNOLOGY DEVELOPMENTS. As you may notice, it’s quite slim. Buzzwords here are Machine Learning (ML), automation/orchestration and User Behavior Analytics (UBA). Machine Learning is not something specific to cyber and you can find more details on this in a previous article of mine. Automation/orchestration is not something new; we have just ended up doing more of it, so as to cope with the increasing number of alerts. As regards the increase in UBA usage, it might be true, but I have not found anything conclusive online. It is usual nowadays for companies to adopt diverse security solutions so as to cover as many layers as possible. Password replacement is also something that we have been trying for many years now. 2FA has recorded increases in the last year, with help from the financial sector and some big players in the industry, but it’s still too complicated for many to adopt. The truth is that people like simple security.

Overall, in the short term, cyber security seems characterized mostly by increases in volume and legislative developments, but not so much by technological innovation. Products are becoming more robust, more capable but also more expensive. However, the functionality is largely the same! Is it possible that we have reached technological limits in cyber security? Should we focus from now on only on maturing the market, making products and services more affordable for larger audiences?

But what about the long term? Have we reached the maximum in this area, and are we now just playing with available pieces, trying to improve them and resell them as new products? There must be something more in this overenthusiastic industry? Well, the “more” might come with overall general developments in information technology, such as quantum computing. Such a technological change will definitely challenge current attack methods and security solutions. More details here.

Encryption has always been an important factor in security. Currently, encryption is waiting for a boost from the hardware industry. The strongest algorithms (AES, RSA etc.) will become vulnerable to brute force attacks once computing power crosses certain boundaries. Based on the current progress in quantum computing, it is expected that we are very close to this point. More details here.

My takeaways…

Some short-term “predictions” below:

  • Cyber security will become over-regulated, with more focus on privacy, personal data and critical infrastructures.
  • Products and services will have to become more affordable for the masses. Security-as-a-Service will become the new trend, as more players will incorporate security functions into their products/services. This will put pressure on the traditional security vendors, who will have to lower prices or adapt to the market. In the end, “the more the merrier” is what we aim for in security.
  • It is very unlikely that new revolutionary security technologies will be developed soon. We’ll just need to follow the progress on machine learning, quantum and encryption and adapt accordingly.

Some interesting developments that might change the future, as we know it:

Useful resources:

https://hbr.org/2015/02/what-research-tells-us-about-making-accurate-predictions

https://www.govtech.com/blogs/lohrmann-on-cybersecurity/the-top-19-security-predictions-for-2019.html

https://www.techradar.com/news/top-ten-cybersecurity-predictions-for-2019

https://www.forbes.com/sites/gilpress/2018/12/03/60-cybersecurity-predictions-for-2019/#44127d0c4352

https://techcrunch.com/2018/12/31/cybersecurity-predictions-2019/

https://www.csoonline.com/article/3322221/9-cyber-security-predictions-for-2019.html

https://www.secureworks.com/blog/what-to-expect-in-cybersecurity-for-2019

https://www.delltechnologies.com/en-us/perspectives/using-ai-and-machine-learning-to-anticipate-cyber-threats/

https://www.proofpoint.com/us/threat-insight/post/cybersecurity-predictions-2019

https://www.symantec.com/blogs/feature-stories/cyber-security-predictions-2019-and-beyond


Originally published at technology-insights.com on April 1, 2019.