I. Looking into the future

Accurately predicting the future is close to impossible, but some trends for the near future seem inevitable. In this chapter, we’ll take a look at the near future – and we'll also venture a guess at what the not-so-immediate future might hold as well.

The near future (1-10 years)

As the cat-and-mouse game of attackers and defenders continues to unfold, new techniques and innovations will be taken into use. However, in the near future the biggest impact will most likely come from already existing threats being used in more innovative ways. The currently used methods will be fine-tuned and used in more and more attacks. Computer systems will be hacked and new vulnerabilities will be found. The current trends of ransomware attacks will most likely continue evolving, affecting more and more organisations.

1) Greater use of artificial intelligence and machine learning

Machine learning and AI solutions will most likely become more prevalent on both the attackers’ and the defenders’ sides. These are already used, for example, to filter the thousands or millions of potential security issues a company faces down to a more manageable number. AI and machine learning are currently used to reduce the need for human specialists, not to replace them. The sheer number of connections and the volume of traffic that a single web service, let alone a whole company network, handles is mind-bogglingly large. It is impossible for a human to keep up with that amount of data. AI solutions can ease the burden on humans by removing events that can be safely ignored and by reducing the suspicious events to a more manageable number.

“Real AI” that might hack or defend automatically is still a long way away, but solutions will steadily become smarter.

A person working remotely with a laptop

2) More remote work

The COVID-19 pandemic caused a huge part of the workforce to move to remote working. This has created a scale of distributed (remote) work we’ve never seen before. The nature of work will most likely stay distributed in the future as well, and that will create new challenges for companies trying to protect their assets. VPN solutions need to be scaled, and data storage protections such as encryption will need to be implemented on the devices that handle the data. Internet access at home will need to be better protected. Internet access has been thought of as a commodity in many places in the world, but the security of the connection is still in its infancy.

Additionally, more remote work means that more important data is processed away from the office. Data that was only deemed safe to access from the office network now needs to be accessed from home and possibly also stored at home on personal devices. As office network shares are not the solution for storing files, personal devices will also need to be backed up so that important data isn't lost to equipment breaking or malware wiping a hard drive. Encryption of data located on a disk (data at rest) will become as important as encryption of data during communication (data in transit).

3) Greater use of the Internet of Things and 5G

Another development that will create more attack surface is the emergence of the Internet of Things (IoT). As more and more devices use an internet connection, they too have become targets for attacks. Any device with an internet connection is at least a mini computer and as such, is susceptible to the same kinds of attacks as a regular computer. The sheer number of IoT devices in the future will ensure these devices will be seeing more and more misuse. In many cases, an IoT device itself is not the target of an attack, but just the first step in getting inside the network. Once inside the network, the attacker usually does reconnaissance and tries to move laterally inside the network, breaching other devices or services. In a company, an IoT device might give an attacker a way to sneak inside the network undetected by any of the protections in place. The security of the IoT devices is not currently up to par and it has to be taken into account and prioritised in the very near future.

The spread of 5G, and faster mobile networks in general, will allow billions upon billions of IoT and many other kinds of electronic devices to connect to the internet. This will grow the attack surface exponentially. More devices will make finding targets easier, but it will most likely require more automation from the attackers as well. Segmentation of networks is therefore becoming more important. If your IoT devices are separated from your local network, the risk factor is much smaller. Many companies already perform network segmentation to mitigate risks, but most home networks today are just a single network with all devices connected through a wireless connection.

Note

How secure is your IoT device?

Some initiatives have been started for testing and labelling IoT devices as "secure". One such initiative is the National Cyber Security Centre Finland’s (NCSC-FI) Cybersecurity label. Vendors can apply for the label, and if their device’s design is deemed to be secure then they can use it. The initiative is still new but hopefully such labels will become more prevalent in the near future. In the absence of any such label, consumers will have a really hard time assessing a device’s security.

The cybersecurity label and all approved products can be seen at https://tietoturvamerkki.fi/en/products

4) Shortage of cybersecurity professionals

As pretty much all businesses are currently IT businesses in some form (and will be even more so in the future), cybersecurity as a career will become more and more important. It has been estimated that there was a shortage of about one million cybersecurity professionals at the end of 2014, and the number is estimated to be rising to 3.5 million in 2021. The shortage of workers in the industry is also a big driver for machine learning and AI development, as it is hoped that they will help overcome the shortage. Cybersecurity, which has been seen as a distinct profession from other IT fields, will need to be an integral part of computer science. Programmers who understand at least the basics of cybersecurity are already viewed as more valuable to employers.

5) More privacy issues

In the near future, privacy issues will be discussed a lot more in both the public and the private sector. Regulations such as GDPR in the EU, the CCPA in California, or the PIPEDA in Canada aim to protect the privacy of citizens from companies trying to profit from the information they have on their users. Some companies will keep pushing the limits of what can be done to profit from the data while acting (barely) within these regulations. This is why it is vital that regulations attempt to keep up with the evolving technologies, and that businesses and individuals are able to protect themselves through a better awareness of evolving threats.

6) Possible use of cyberwarfare

In the near future we will most likely see attempts at a more targeted cyberwarfare attack as well. Attacks on infrastructure can be devastating against an unprepared enemy. So could attacks on enemy missile targeting or guidance systems. Examples of cyber espionage exist, but we haven’t really yet seen the extent of the tools that might be used in such attacks. These risks, as in all other areas, will increase as more and more assets are digitised, stored, and operated online.

Cyberwarfare can take less visible forms as well; propaganda and more subtle ways of changing common opinions are effective tactics. We have already seen glimpses of what this type of cyberwarfare can mean in the form of false flag attacks. A false flag operation is one in which the source of the attack is masked and falsified to direct the retaliation to someone else. An example of a false flag attack was the 2015 email hack that targeted US military personnel with death threats. The attack was originally attributed to the “Cyber Caliphate” related to ISIS, but it was later tied to the Russian group APT-28, also called Fancy Bear. What makes the attack significant is that it sparked US retaliation attacks against Syrians who were falsely thought to be the original perpetrators.

The more distant future (2030 and beyond)

A person standing in a crossroads thinking about the future

1) Quantum computing

Quantum computing has the potential to disturb almost all of the current encryption-based protections we use. Symmetric encryption with longer keys will most likely still be viable, but public key encryption might become unusable for protecting secrets. Current public key cryptographic functions base their security on the difficulty of factoring large numbers. Quantum computers can break asymmetric encryption, for example through Shor's algorithm, which makes factoring large numbers more feasible.

Currently, quantum computers are in their infancy and will require a lot of development before breaking encryption with them becomes feasible. New ways of using these computers will be developed though. Assets that need to be protected for years to come, such as government-level secrets, should be made “quantum-safe” now, but not all confidential data is under threat from quantum computers. Quantum computers will not become magical tools that break encryption schemes on the fly and they will most likely still be out of the reach of individuals and criminals for a long time.

On the flip side, quantum computing also enables better ways of protecting data with more efficient encryption and key exchange mechanisms. These developments will most likely protect the average internet user better than the current ones.

When will quantum computing be feasible then? The answer is, it depends. For some use cases quantum computing can be possible in the very near future. Some functions, such as the efficient use of Shor’s algorithm, depend on problems that scientists do not yet know how to solve. Realistic estimates for when a quantum computer could reliably factor a 2048-bit number using Shor’s algorithm range from 10 to 30 years from 2020.

2) Passwords become obsolete

The rise of quantum computing will affect many other areas aside from encryption, and one of these is passwords. It’s assumed that quantum computing will allow for much easier brute forcing of passwords, making them obsolete. Multifactor or hardware-based authentication is one probable solution to the authentication problem. Biometric authentication is here already but its weaknesses are already quite obvious. New solutions will be needed to close this security gap.

3) Artificial intelligence capabilities increase

In 20 years, artificial intelligence might have met some of its expected abilities. We might see AI that can reliably detect new threats and handle them on its own. It will be used on the attacker’s side as well, and the same arms race will continue. Real automated artificial intelligence will still be far away though, according to most predictions.

4) The Internet of Things is everywhere

By the year 2030, close to 100 billion devices are expected to be connected to the internet. Tiny computer chips will become ubiquitous and will be embedded in almost everything. This means the attack surface will be magnified greatly and the security of the IoT devices will be even more important.

Note

Technology keeps on evolving more quickly than expected. Without a crystal ball, it is really hard to predict anything in the field of technology further than a few years. Big leaps might come unexpectedly, shifting the focus of cybersecurity attacks and defence. What is sure though, is that new threats will still emerge and the game of cat and mouse will continue.
