’Tis the season. No, we’re not talking about the holidays — Thanksgiving, Hanukkah, Kwanzaa, Christmas, and others. In the world of cyber, ’tis the season for speculation. Every year around this time, experts dust off their crystal balls and tell us what to expect in the coming year. Their forecasts flood tech websites from early November until January.
Which can be both useful and entertaining. But they can also be tricky — not every year plays out as expected. Sometimes the late, great Yogi Berra’s homespun wisdom prevails: “Predictions are hard, especially about the future.”
Especially about this year.
Indeed. I spent several hours combing through November 2019’s avalanche of 2020 cyber security prediction pitches from industry experts, and as you might guess, not a single one mentioned the biggest, most consequential event of the year — that the nation would be in the grip of a pandemic by March, with lockdowns of varying severity continuing to today and beyond.
Not one predicted that after the RSA conference in late February, every other security conference of the year would either be canceled or go virtual, since gatherings of more than a few dozen people indoors were forbidden. Not one predicted that WFH would become the most common acronym of the year, given that the large majority of workers who still had a job would be doing it from home for months on end, while their kids tried to adjust to remote learning.
Not one predicted that the travel budget of most security vendors (and just about every other company) would plunge to something close to zero. But of course, who could have imagined, let alone predicted, any of that? Sometimes the unexpected upends everything. There’s a reason the cliché refers to “20/20 hindsight” rather than foresight.
Which 2020 cyber security predictions fell short?
But besides the predictions that everybody missed, some didn’t age all that well either.
One confidently declared that “a Western government will be forced to quell looting and rioting when a cyber attack disrupts its electric grid.”
That could still happen — there are another six weeks to go in the year that everyone would like to forget. And there are widely reported vulnerabilities in US critical infrastructure. But so far, the civil unrest of 2020 was mostly due to Black Lives Matter protests, not a cyber attack.
Another declared that the “ransomware window” would be closing in 2020. Uhhh, not so much. ZDNet was just one of multiple outlets reporting in the last couple of months that ransomware attacks have not only increased seven-fold since last year, but that they are evolving.
Instead of simply encrypting files and demanding a ransom for a decryption key, attackers are adding blackmail/extortion for more leverage, threatening to post the data they’ve accessed on open forums if the victims don’t pay up. In those cases, having a backup doesn’t do much good.
Not everybody was seeing the ransomware window closing, however. Some other experts correctly predicted it would be a banner year for that kind of attack.
Yet another declared that 2020 would be “the year of 5G,” which seems to be partially right. It’s the year of 5G advertising — the big telcos are relentlessly touting it, and more devices are built to take advantage of it. But the “next big thing” in cellular remains a long way from mainstream. Visual Capitalist reported last month that even by 2023, the share of 5G networks in North America will be just 17 percent — better than any other region in the world but not even close to a universal standard.
And yet another declared that the REAL ID deadline would create “real chaos.” Well, maybe next year. But not this year, since the pandemic prompted a delay of the deadline by a year.
Which 2020 cyber security predictions held up?
Some predictions did hold up reasonably well, perhaps in part because they simply pointed to trends that were already under way and weren’t going to collapse even amid a pandemic. Among them:
The skills gap
It was bad last year. Most experts predicted it would get worse this year. It did. It will likely be worse next year. According to a report released in July by ESG and ISSA, the worldwide shortage of qualified applicants for cyber security jobs is in the 4 million range, due to “a continuous lack of training, career development, and long-term planning.” To close that gap, the cyber security workforce in the U.S. would have to increase by 62 percent.
People have been slowly awakening to the reality of the long-time slogan “if you aren’t paying for a product, you are the product.” And as many predicted, privacy legislation is gaining traction.
It wasn’t just that California’s Proposition 24, the Consumer Personal Information Law and Agency Initiative, aimed at plugging loopholes and strengthening the landmark California Consumer Privacy Act, passed easily on Election Day. It’s that more than 30 states considered new privacy laws.
Few of them passed, given the disruption of both the pandemic and a national election. But almost 75 percent of Massachusetts voters went for an updated Right to Repair law that gives vehicle owners and independent repair shops access to connected-car telematics data. Put more simply, once people buy a car, they have some control over the data it generates.
While that’s just one state, analysts said it could generate a national standard, since automakers and dealers would have to create that infrastructure to sell their products in Massachusetts.
Artificial intelligence was all the rage last year. It’s even more so this year, but it’s also generating some actual rage — a trend that multiple experts correctly predicted would continue and expand on multiple levels.
First, when intelligence is artificial it reflects, or can even amplify, the biases of those who create it. Critics have been saying for some time that AI can lead to discrimination in everything from hiring to housing. Which means the algorithm can make things worse instead of better.
Second, as is the case with any technology, bad guys can use it too — and they are. AI is helping cyber criminals be more effective at social engineering, spoofing, impersonation, defeating captchas, cracking passwords, and discovering vulnerabilities.
AI also enables deepfakes — fraudulent audio and/or video that is alarmingly realistic. It was labeled this past August by the journal Crime Science as “the most worrying use of AI for crime or terrorism.”
The IoT — bigger but not much better
If awareness of that reality is progress, then there is progress. Experts everywhere have for years been calling for vendors to “build security in” to their products, and it’s a constant theme at security conferences. But so far, consumers remain much more dazzled by cool features and user experience than by privacy and security protections. And vendors continue to respond to those priorities. So the need for security conferences continues, greater than ever.
It was easy to predict a year ago that in 2020 more and more organizations would be moving, all or in part, to the cloud. It was trickier to forecast how many of those organizations would know what they were getting, or not getting.
The cloud is gaining mainstream traction for good reasons, among them that it saves money, increases storage capacity and automation, and enables agility, flexibility, and scalability.
But security in the cloud is not a guarantee. As the most recent Building Security In Maturity Model report puts it, “cloud providers are 100 percent responsible for providing security software for organizations to use, but the organizations are 100 percent responsible for software security.”
This is not an exhaustive list, of course. And the fact that some of the best minds in the industry missed or got some big things wrong about this year doesn’t mean predictions are worthless. It always makes sense to plan ahead. And 2021 predictions are already pouring in — we’ll present some of those in early December.
Just keep in mind that nothing is guaranteed. Because predictions are hard…
This article appeared on Synopsys' Software Integrity blog