How impossible is it to predict anything in the field of information security? 10 years? Into the future? Still, the purpose of this endeavor is not necessarily to “have everything right”, but to have fun in the process and to get people to think beyond the immediate tactical horizon in information security.
Let's start from the overriding trend that will define the rest of the discussion:
That trend is that the walls between the computer world (aka the Internet, cyber-anything, online, virtual, cloud, etc) and the “real” world (aka meatspace, Earth, “outside”, “reality”, offline, etc) will break down beyond a certain interesting point, both on the perceptual level and in reality. With – duh! – huge implications to our profession and practice of information security.
What do I mean by this?
Whether perception is reality or not, studies I’ve seen (examples, more, more, more) point out that most people behave differently in the online world and in the so-called “real” world. People can also point at many factual differences between the online world (which happens inside the human-created medium – networked devices) and the outside. I believe that this difference explains at least some of the current information security problems – on some deep level people just don’t see computer intrusions and other issues as “real enough” for them. Even the simple fact that we have “crime” and “cybercrime” points to this difference.
So here is the punch line: I think that in the next 10 years these two worlds will be much closer to each other, in both perception and “real” reality. HUGE implications to information security will result.
Where's the evidence? Here are all the things that I bundle in that “ultimate convergence”:
- Everything geo-related: GPS in phones, location-aware services, and even integrated Internet in cars. When you start to “google for coffee,” you straddle both worlds.
- Augmented reality, conspicuous high-speed video uploads (in 2020) and video analytics capture the real world and “map” it onto the online world. And as computing devices first become wearable (needed for AR), and then implantable (best for AR), the convergence between both worlds will become even more intense.
- Everything computing embedded in objects: embedded computers in an ever-increasing percentage of the things we use in the real world; these will go a long way from the first Internet-connected refrigerator. Yes, clothes and shoes, not just sunglasses, are not far behind – and with Bluetooth or whatever future incarnation, such a wearable “PAN” comes within reach. BTW, trains and planes run on computers too… And I am not even touching SCADA.
- Everything robotics: robots, from Roomba to military hardware, are one more way for the computer realm to “act out” in reality. If you are confused about this argument, think about the following: a crashed computer will destroy only a computer and the information inside. A crashed computer in a vacuum cleaning robot can potentially destroy … your carpet. A crashed computer in a robotic high-speed cannon… you get the picture.
- On a perceptual level, some studies have noted that younger generations (and here) do not draw the line between their Facebook friends and their real-world friends. This is an example of the same trend, but occurring in the mighty realm of perception. If you are born and then grow up with (and on) the computer, your views of the “computer world” will be different from those who still see computers as something “not really real.”
- On top of this, advances in bio-sciences will obviously rely on computers and algorithms. I predict this would be another way for the computer realm to impact the “meatspace” and not only through the implantable computers.
- Finally, the Ultimate Proof that such convergence has in fact taken place will be - you guessed it right! – cyber-terrorism. Smart folks today object to the concept of cyber-terrorism by [correctly!] stating that “real world” terrorism is more impactful. Today – it sure seems like it. In 10 years, when “real world” is so much closer to the “computer world” – I am just not going to bet on it…
All of the above will make information security and computer security (as well as the dying art of network security) PAINFULLY more relevant for people’s lives. If an attacker from a remote location can crash the computer and steal your data, this is bad. If that same attacker can impact what you perceive to be your “real world,” the game changes. And change it will - probably even before 2020. What will stand between such an attacker and others? That’d be you and me, my dear reader :-)
The above convergence will also be combined with these “side trends”, all with big impact to security:
- In 2020, a lot of tasks can only be done with computers - or not at all. Now we can still buy a book in a bookstore, you can pay with a credit card when computers are down. Forget that – in 2020! Such irreplaceability of computers and the Internet will make security sharply more relevant. Your business will not simply switch to an old, inefficient mode when the Internet is not available. It will STOP.
- To quote Alvin Toffler, there will also be a lot more information and thus a lot more computers to process it. These are added to the above mentioned embedded computing devices. The result is not just an increased target set, but also more businesses being completely reliant on computers for their operation.
- I also predict a much larger use of non-deterministic algorithms, such as those based on statistical methods. This will imbue the phrase “computer did it” (and we don't know why and how) with a whole new meaning…
- Complete local and network scope convergence due to cloud computing and ubiquitous connectivity. There will be no such thing as a device asking “can I connect to the Internet?” As a result, the Internet becomes a fabric of distributed applications, not the client/server push/pull model we still largely have today. Security implications? You bet! BTW, this will also kill the whole “but why did they connect that to the Internet in the first place?!” thinking.
- As a result of the last point, the whole control over data will have to be done in a completely new way - or not at all. And if you think web hacking is fun today, just wait until 2020 :-)
So, I don’t know what features your log management system will have in 2020 or what the label “firewall” will mean in 2020, but what I know is that it'll matter much, much more than now. Despite all the harping about information being “critical for business”, we only protect information today. Sorry for a bit of grandstanding here, but we will literally protect the world in 2020…