Ever wonder what the state of cybersecurity in 2031 will look like? While 10 years may seem a long way into the future, the speed at which the industry is evolving is sure to make the next decade fly by. Predicting the future of cybersecurity isn’t about looking into the crystal ball merely for fun. By envisioning how the industry will change in 10 years, chief information officers and chief security officers can prepare for future challenges, so they don’t look back and wish they had acted in 2021.

As much as I enjoy making predictions, to give this story the best chance at getting things right, I interviewed three top cybersecurity experts for their perspectives on the future of cybersecurity.

Tyler Cohen Wood is an author, speaker and former senior intelligence officer with the Defense Intelligence Agency.

Roger Grimes is the defense evangelist for KnowBe4 and author of several books about hacking.

Troy Hunt is a cybersecurity speaker and trainer. Founder of the popular ‘Have I Been Pwned’ website, he has also testified before Congress about data breaches.

We talked about the future of the cloud, passwords, artificial intelligence (AI), data breaches and the skills gap. Take a look at their expert insight on what the industry needs to know about the future of cybersecurity in 2031.

Future of Cybersecurity: Cloud Computing 

If there’s one aspect of IT that has experienced the most growth in the last 10 years, it’s undoubtedly the use of cloud. In 2031, cloud can only keep blazing forward. Or can it? Depends on who you ask.

According to Hunt, cloud makes it faster, cheaper and easier than ever to put services online and collect huge amounts of data.

“But, faster and easier and cheaper than ever means it’s easier to leave it all exposed,” he said. “We are seeing a lot of them go wrong now. I don’t see any of those factors reducing over the next decade. Mostly because there’s just such a high demand for them. Of course, we want cheap, ubiquitous cloud services; of course, we want to connect our washing machines to the internet, and that’s not going to change.”

Cohen Wood, however, predicts that the future of cloud computing might be short: the cloud might evaporate in 2031.

“I don’t think things will be in the cloud in 10 years; I think things will be back to on-prem,” she said. “There will be more peer-to-peer closed networks. People will figure out how to use blockchain.”

She envisions a peer-to-peer system. In it, each network carries different types of traffic for different types of communication. This is not unlike what the intelligence community uses.

“You’ll have an unsecure network, a secure network and then you’ll have a very secure network,” she added.

However, Cohen Wood said cloud won’t ever go away. “Things will swing [towards on-prem] for a while, but eventually it will swing back to cloud because that’s how it works. History has proven that time and time again.”

The State of Passwords

Ahh, the password. We’ve been discussing its demise for decades. Yet today, we’re amassing them at unprecedented rates.

According to Grimes, the attacks that allow threat actors to steal our passwords will still be the same in 10 years. So, it follows that the password we know and love (or hate) will be alive and well, too.

“There are 10 root causes of all hacking and malware exploitation, including social engineering, unpatched software, misconfiguration and eavesdropping,” he said. “The methods used 34 years ago (when I started in the industry) are the same methods used today. They haven’t invented a new way of hacking. So, I believe that passwords will be around at least another 10 years, or two decades, or forever. I’m going to go against the conventional wisdom.”

Did Past Predictions Come True?

Grimes wrote his first article about the password’s demise thirty years ago, and while he still revisits that theory with restrained optimism, he acknowledges that passwords are just so useful. After all, that first article’s future of cybersecurity has become the present.

“Not only do we not have less passwords, we have more than ever,” he said. “It’s because there are some benefits of passwords. They’re cheap, they’re easy to use and easy to change. If you were to tell me that in two decades they will still be in use, it won’t be surprising at all.”

Hunt agrees that passwords are here to stay, but hopes that they will evolve. “I suspect that we will have more passwords in 10 years than we do now, but I also suspect that we will have more means of authenticating without them,” he said. “A good example of where we’re seeing that industry shift is when I look at my iPhone, I log on with my face; I don’t need to use a password. But I still have a password, and I have a PIN as a fallback position. I like the direction we’re starting to go with more clever ways of doing authentication.”

Over the next 10 years, Hunt predicts we’ll see more biometrics and leverage additional authentication methods involving devices we already have in our pockets.

“Passwords get a bit of a bad rap,” he said. “But what passwords do extraordinarily well is usability. Everybody knows how to use a password.”

The Role of AI in the Future of Cybersecurity 

How prominent the password and the cloud will be in 2031 might be up for debate, but the key role that AI will play in cybersecurity is something we can bank on.

All three experts told me that the use of AI will be even more critical than we think.

“I believe that if AI is not adopted, we’re in trouble,” said Cohen Wood, who has been developing her own AI algorithm for the health care industry. “I also believe that in health care, for example, there’s a chance that it may even be illegal or a form of malpractice at some point in the future not to be using AI in your health care practice.”

For Grimes, AI will be the catalyst in determining whether the industry can keep up with the threat actor community. “You’re going to end up having these good threat hunting bots going against bad bots that are changing on the fly depending on the conditions,” he said. “I think you’ll have computer security algorithms where people sit around and create better algorithms for their particular bots. It’s eventually going to be bot versus bot. You’ll still require human intervention because humans are always needed and are at least half the solution.”

Data Breaches and the Threat Landscape

Much like AI, data breaches are expected to be more prevalent in 2031 than they are in 2021 — which is both unfortunate and scary. As more data and devices appear online, the risk of a breach only grows.

For years, Hunt has been saying that numerous aligning factors contribute to worsening data breaches, and that these factors will continue as the future of cybersecurity approaches. “We simply have a lot more data, we’ve collected a lot more data because we’ve got more online assets and digital systems,” he said. “We’ve also got more people online; look at these emerging markets like India, for example. There’s still a massive amount of growth that’s going to happen there in terms of people coming online and then providing their data into digital systems.”

And that’s just people. When you add the Internet of Things into the equation, attackers have more data out there to breach. “We’re collecting a lot of data from devices that were never digitized before,” Hunt said. “Now we have all of this data digitized.”

Large-Scale and Supply Chain Breaches

When it comes to the type of threats we can expect, I asked the experts if we should worry about infrastructure attacks and other large-scale breaches.

Grimes expects more supply chain attacks and even more nation-state attacks. “All the horror stories that we were long worried about kind of came true,” he said. “Nation-states are more likely to go after infrastructure as our infrastructures are becoming more digital.”

However, he predicts that the same attack types will happen, caused by the same mistakes made today and in the past as people bring more systems online and make them more accessible.

He suggested that the only way to prevent more infrastructure attacks is to pass a Geneva Convention-style digital act amongst nations prohibiting them from attacking infrastructure.

The Cybersecurity Skills Gap

Finally, we need to talk about the overwhelming number of unfilled cybersecurity positions. After all, if we can’t solve this critical piece of the cybersecurity puzzle, how can we keep up?

With such lucrative salaries in the field, you’d assume the cybersecurity skills gap would be shrinking.

“Let me say I’m a little bit disappointed,” said Grimes. “Money has been good for a while. Within a few years, you can be making six figures, and some can make that much right out of school. The sky’s the limit. You can make your own software, you can make your own threat hunting bot. It’s frustrating we’ve still got this issue in 2021.”

Women in Cybersecurity

But what frustrates Grimes even more is how to solve the issue of getting more women interested in the field.

“It may be shocking to a lot of people, but the percentage of women in the IT security field today is lower than the percentage twenty years ago,” he said. “I applaud the people that figure out how to correct it because we need the female perspective. I raised three girls; they’re scary smart. Long-term planners often say that women play chess, and every guy I know plays checkers at best.”

Of course, a career is about much more than money. But the job security in this industry is equally solid. After all, today’s recruits are the people building the future of cybersecurity.

“There’s so much demand for it,” said Hunt. “But clearly, we’re leaving a lot to be desired in terms of how good a job we’re actually doing in securing our things … Now seems like a better time than ever to be involved in this industry.”

“I want to think positively or I wouldn’t be doing what I’m doing,” added Cohen Wood. “I have to believe that we can succeed in this. But I do know that the only way that we’re going to be able to do that is collaboratively.”

The future of cybersecurity depends on it.
