Researchers often provide the cybersecurity community with a helpful snapshot on a particular issue. But what might they offer the front-facing information security officer – someone with a ten-year plan, wondering what to prepare for down the line?
Enter Project 2030, a collaboration between Oxford Visiting Researcher Victoria Baines and Trend Micro Vice President of Security Research Rik Ferguson, which uses a mixture of survey data and forward-thinking understanding of technology to predict the infosec concerns of a decade from now.
"We hope that it offers you a framework that you can begin to build a long term plan of which technology areas are worthy of more strategic investment, which require further planning, and maybe even areas where you don't need to focus as much than you perhaps thought you did," said Ferguson.
The researchers presented Monday afternoon at the RSA Conference, to tease a soon-to-be-released whitepaper of their work.
The project is based on work Baines did for Europol's Cyber Crimes Center, Project 2020, which made a similar series of predictions in 2013 targeting last year.
"The future we described turned out to be really quite accurate," said Baines. "In fact, the overwhelming majority of the threats we envisage were present in some form, at least, by 2020."
The duo homed in on a list of emerging technologies that could create new wrinkles in the security landscape: automation, machine learning and AI including advances in NLP and GAN, immersive digital environments, data in the digital supply chain, cyber/physical crossover, additive manufacturing and the prevalence of 5G and widescale IoT.
Baines and Ferguson tempered some of the expectations for the future using a survey of technologists.
"The majority of our survey participants agreed with the statement that by 2030 countries will launch cyberattacks on each other by mistake, and with no human intervention. So that's something else to be thinking about and keeping us awake at nights," said Baines.
The project envisions security changes brought about by massively increased work from home, pervasive (and more invasive) wearable health monitors, and even recreational neural implants.
Changes to manufacturing, including a move to massive networks of industrial IoT on private 5G networks with components that operate with no direct human interaction, offer a broader surface area. Project 2030 foresees continued intellectual property theft, but also the rise of competitive sabotage, degrading data pools and even products of rival brands and nations during manufacture.
The Project assumes that consumers will access information with technologies designed for more and more immediacy, and less and less effort. That could restructure education, with the focus shifting from memorization of facts to training children to use data retrieved from the internet. But it also could change the way we think, reducing the critical distance between a user and the data source.
"In a world where information is delivered into citizens' immediate line of sight through heads up displays or AR, then data manipulation can be harnessed for influence operations and disinformation purposes, a huge evolution over what we have seen in recent years," said Ferguson.
With greater immediacy comes less critical thinking, the researchers warned. With advances in artificial intelligence, disinformation could become full conversations, and information could become a pervasive threat requiring training or even evaluation tools to evade. Since more and more legitimate content may be automated, merely detecting AI may no longer be a useful tool in sifting out malicious actors.
AI could impact more than just social engineering.
"It's reasonable to assume that highly automated reconnaissance, target selection, penetration testing and delivery of pre-packaged victims to cyber criminals will absolutely be the norm," said Ferguson.
AI could also bolster obfuscation techniques, he said.
Increased automation could change our understanding of insider threats, said Baines. "The insider threat of 2030 could just as easily be an object or an algorithm."
Project 2030 envisions country-level changes that could impact security. A switch to digital currency without anonymity would leverage some of the strengths of cryptocurrency, but likely change the fabric of privacy and crime. The gap between nations with cutting-edge technological resources and those without could widen, creating whole nations with more and less cybersecurity.
"And if we stay on the same trajectory, the trends for techno nationalism and digital sovereignty will pose challenges to truly open markets, and we'll remove forever the prospect of a truly global internet," said Baines.
The researchers took aggressive stances on technological change, but were less definitive on quantum computing, a commonly cited emerging technology threat.
"While we deliberately leave a question mark hanging over the precise date of quantum decryption, we highlight some of the key considerations for governments as that event," said Baines.
The researchers acknowledged their future may not come to pass in all or any location, stating that the more important lesson would be for security pros to think ahead in making decisions.
"Uncertainty is no longer a good reason for failing to prepare for future cyber threats."