Checking My 2010 Security Predictions in 2020!

by Anton Chuvakin on January 10, 2020

A lot of people who do security predictions never bother to check their work afterwards. Well, I always prided myself in being an exception to that custom (example: predictions and check for 2008). You can read my current views on predictions here — together with some new predictions. In brief, the value of doing the predicting — despite the results being either very inaccurate or very boring — is in interrupting what you are doing and thinking long-term for a bit. Even if the result is not great, the process actually helps!

Or, as I said in 2010:

“Still the purpose of this endeavor [predicting] is not necessarily to “have everything right”, but to have fun in the process and to get people to think beyond the immediate tactical horizon in information security.”

As a result, I am now facing a mammoth task — to actually check my 2010 ten-year security predictions for 2020, made in this post on January 1, 2010.

The main theme of my 2010 thinking was that the separation between the realms of “cyber” (cyber, IT, digital, computers, data, etc) and the “real world” will be thinner and will start to noticeably vanish in some areas. This does not only mean more cyber-physical attacks, but attack impacts that go far beyond the IT impact and perhaps even beyond mere business impact.

Or:

Sponsorships Available

“That trend is that the walls between the computer world (aka the Internet, cyber-anything, online, virtual, cloud, etc) and the “real” world (aka meatspace, Earth, “outside”, “reality”, offline, etc) will break down beyond a certain interesting point, both on the perceptual level and in reality. “

The concept image I used in 2010 was:

Cyber and Real Collide 2010 (yeah, it sucks, I probably made it in Gimp back then)

Was I right? Looking from 2020, I think that the answer is “YES AND NO.” It was easy to imagine malicious hackers getting cars off the road and turning off power 10 years in the future. Well, both did happen. However, it happened very few times so far (as far as we know) and the car thing was only a POC. It was also easy to imagine malware shutting down businesses and public agencies 10 years in the future. Well, ransomware did this a few times. Some businesses didn’t recover, reportedly (here is an awesome table of them compiled by @sawaba).

However, these cases today are not that common. True cyber-physical attacks are still ultra-rare in 2020 and business-killing attacks are rare as well (according to most, but not all sources). This of course reminds us of the immortal saying by Marcus Ranum: “Will the future be more secure? It will be just as insecure as it possibly can, while still continuing to function.”

So, I think I was right in principle, but not exactly right on the timing and scale, hence “yes and no.” Much of cyber security today in 2020 is still about protecting data and computers, not lives and physical objects as I expected in 2010.

Similarly, I was skeptical about cyber-terrorism in 2010, but suspected that it will be more common in 10 years i.e. now in 2020:

“Finally, the Ultimate Proof that such convergence has in fact taken place will be — you guessed it right! — cyber-terrorism. Smart folks today object to the concept of cyber-terrorism by [correctly!] stating that “real world” terrorism is more impactful. Today — it sure seems like it. In 10 years, when “real world” is so much closer to the “computer world” — I am just not going to bet on it…”

Well, this teaches me a lesson to stick to my favorite prediction method: when in doubt, bet on the “status quo” staying the same in the future (aka “the Feynman method”). This, as I said before, will be boring, but more accurate than the alternatives. Here I deviated from this method and so was wrong: cyber-terrorism is perhaps no more of a threat today compared to 5 or 10 years in the past.

Also, hacking robots is really not a thing in 2020. And neither is hacking AR / VR realities. And neither is hacking implantable technology (well, it was done, but only as a POC). Will this happen by 2030? Well, let’s defer this question for now.

Now, I didn’t say “AI” per se in 2010, but I said this:

“I also predict a much larger use of non-deterministic algorithms, such as those based on statistical methods. This will imbue the phrase “computer did it” (and we don’t know why and how) with a whole new meaning…”

Still, no malicious hacking of AI/ML algorithms at large scale is going on today, as far as we know.

To remind you, my main 2010 prediction message was not merely about “cyber physical” but about information security / cyber security affecting the real world dramatically more. The viability of this prediction continues with the “Was Anton right in 2010? Yes and no!” theme. To much of my surprise, there are still places and industries where the perception that “information / cyber security does not affect the business” is alive and well (my recent trip to Japan really blew my mind in this regard).

To think about it, I asked in 2010:

“In 2020, a lot of tasks can only be done with computers — or not at all. Now we can still buy a book in a bookstore, you can pay with a credit card when computers are down. Forget that — in 2020! Such irreplaceability of computers and Internet will make security sharply more relevant. Your business will not simply switch to an old, inefficient mode, when Internet is not an available. It will STOP.”

Now, do we live in this world in 2020? To me, the answer is still mostly NO and it does go quite contrary to what I expected back in 2010. It’s been years since I’ve seen a mechanical credit card imprint machine in the US, but I have a sneaking suspicion that small stores still hide those under the counters somewhere. Cash is still in wide use and can be easily accepted when “cybers” (or even power) fail (great example that I just saw).

To conclude, as I said in 2010:

“Despite all the harping about information being “critical for business”, we only protect information today. Sorry for a bit of grandstanding here, but we will literally protect the world in 2020…”

So, the vision I laid out in 2010 for 2020 has not come to pass in full, to be sure. We are, in my view, still on track, but we are not truly there yet … In 2020, “cyber” matters more, but “cyber-fail” does not kill.

Finally, a question: should I try again and do “2030 predictions”?

Checking My 2010 Security Predictions in 2020! was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.