The year is 2030. The world is full of smart mega cities, digital surveillance is openly ubiquitous, cash transactions no longer exist, wired connections remain for only the most demanding data flows, the “Internet of Things” age is over and the “Everything is Internet” age is here, and we churn out data with every heartbeat – literally – contributing to the Yottabyte Era.
It all sounds daunting or even dystopian. But such a future is not unrealistic at all; therefore, we must consider the cybersecurity risks that come with that future.
Attack surface, what attack surface?
The digital age of the near future will undoubtedly retain one characteristic of today’s networks and systems: it will remain inherently insecure. You see, decisions made long ago had downstream consequences. Namely, the free exchange of information was prioritized over the secure exchange of information.
To be clear, the issue at hand is not about suppression, censorship or restriction of information; rather, the issue is how we exchange that information.
Consider the postcard versus the letter in an envelope. Both have a stamp and an address from sender to receiver, and both travel over the same infrastructure. But anybody with access to the infrastructure can read a postcard, whereas opening the envelope requires some tampering.
The future inherits that problem: the mail system is still the same. That means:
- Postcards can — and will — still be mailed (think little gadgets and insecure devices)
- Some letters will be in envelopes (e.g., encryption), but the envelope security is challenged
- Some will opt for special handlers (think private couriers as proprietary technology), but not everybody can use or afford these options.
Short of a “new internet” built with secure transfer prioritized — one can hope for a space-based communications system that does that — we are stuck with the Internet we have and will continue to build on that weak foundation.
The result is a “postcard nirvana” for malicious actors unless you employ the joint power of the two letters “n” and “o” in your decisions. Otherwise, your attack surface is everywhere. CISOs, CIOs, risk officers and executive officers: appreciate that, as you balance your business operations, risk tolerance levels and security programs, the most important decision you make may be saying, “no, we will not implement that technology because it generates too much exposure.”
So, against that backdrop, what could the future of cyberattacks look like?
Unleash the machines
The use of a graphical user interface to conduct hacking operations was a type of super leap for both offensive and defensive hackers. The GUI made life easier and more accessible. Artificial intelligence may be the next super leap, particularly as solutions become commoditized. Soon, an attacker may give the AI a target, program in some type of training method, supervised or unsupervised, and just let the machines run wild. And the defender will return with AI in kind.
Obfuscate, confuse and drain
For the more sinister who seek to bleed instead of kill, whatever the tools of the future are, defense against hacking may generate a feeling of futility if data sets are no longer reliable. The challenge is big data. If the threat actors of tomorrow can undermine data integrity, poor decision-making is the result. How can you operate with any level of efficiency and accuracy if your source data is wrong? Now, apply this thinking to the operations of a smart city or your auto-drive car. Not a pretty picture, and a means to shut down large swaths of operations in one shot.
Steal now, decrypt later
Sticking to big data, data transfer speeds are becoming so fast — even at the consumer level — that hackers may just start hoarding. Even without the ability to decrypt containers today, encryption obsolescence is nearing as we cross the quantum barrier. Do not be surprised if hackers, especially at the nation-state level, simply steal something now with the intent of using it later when technology permits easier decryption. Cloud and third-party service providers become lucrative targets here. Consider it wholesale theft.
Battle of the titans: Encryption and quantum
Something to think about today: quantum-proofing your encrypted data sets buys time. Even if quantum technology cannot reach the commercial or consumer markets in the near future, you can be sure threat actors at the nation-state level are game to play. Quantum computing takes smash-and-grab to industrial levels.
What does this obscure and relatively unheard-of term mean? A yours truly definition: hacks are multi-vectored between technical and non-technical means. For example, threat actors use AI to conduct a social engineering attack based on your behavioral characteristics. The AI learns your traits through different data trails you leave behind and devises tailored attacks.
Targeted micro attacks
If we go down the dystopian route, malicious actors will conduct highly individualized attacks. We all possess unique DNA, just like any device ID. The only remaining question is whether we plug into the network. Stay off; good chance you stay protected. Connect once, and you are there for the world. Now, imagine your PII and PHI out in the wild — today’s breaches may have already done that — and hackers for hire can take contracts for a specific internet-connected medical device used by a specific individual. Your nightmares can finish this thought.
As more people are “born into” technology, their technical proficiency could very well increase compared to us today. Those in the infosec world today are there by choice and desire; future generations will just be in it. Survival will depend on their ability to navigate it, and “how to hack” may be a kindergarten lesson.
What is the future outlook?
In closing, the key to protection is designing an inherently secure network. Until such time, the future of hacking will likely become more impactful until it falls off a cliff. Why is that?
Tools and data will become unmanageable, causing a constant fire drill. But then, how does it drop off entirely? Our attitude towards data. There will come a time when we decide either:
- Not to care and let data run free, making it effectively worthless; or
- Begin to focus on privacy, move critical data off systems, destroy unnecessary information and voluntarily restrict data generation.
The choice is yours.