10
The futures of cybersecurity

The future of cybersecurity will be complex. As humans invest more time and resources in cyberspace, the digital realm will become increasingly multifaceted, and so will cybersecurity. In the coming decades, cyberspace will continue to grow in influence at all levels of society. The number of Internet-enabled devices is expected to expand substantially from 20 billion in 2020 to more than 100 billion by 2050. These devices will pervade every aspect of modern life, from the rise of smart cities to new biotechnologies, and collect zettabytes-worth of data daily, requiring increasingly robust capabilities to process, interpret and secure big data. Quantum computing and other novel technologies are poised to expand processing power at unfathomable rates, redefining human–machine interactions. The confluence of greater numbers of devices, increasing automation and faster computing offers both challenges and opportunities for the future of cybersecurity. Yet, despite all the technological advances over the horizon, the inherently human – and therefore complex and imperfect – nature of cybersecurity will remain.

The best experts in any field frequently get it wrong when they write about the future. Futurists prefer to discuss an array of alternative futures to reflect the infinite number of possible permutations originating in the present. Using scenarios to plot possible futures can help strategic planning and identify research priorities, but they should not be treated as predictions. In the best cases, they are informed hypotheses whose implications can orient cybersecurity planning and practices.1 For example, Jason Healey, the Director of the Cyber Statecraft Initiative at the Atlantic Council in Washington DC, imagines five possible futures of cyber conflict and cooperation based on three key factors: offense–defense balance, the intensity and kinds of cyber conflict, and the intensity and kinds of cyber cooperation. His “most likely” scenario is one that imagines cyberspace as a “conflict domain” where cyber terror and cyber war co-exist with normal use of the Internet for communication and commerce. Another plausible scenario plots a balkanized Internet divided by national interests and intranets. Healey’s preferred future is a “paradise cyberspace” that is secure, and where espionage, warfare and crime are all extremely difficult.2

Thinking about a multitude of different possible futures for cybersecurity keeps the door open for different understandings of cyberspace to co-exist. This concluding chapter focuses on possible developments and highlights some of the puzzles confronting scholars and practitioners as they ponder over the shape that a desirable cyber future might take. A common method for thinking about futures is to extrapolate from current trends to anticipate changes. The sections below highlight three interconnected trends that are frequently discussed in the contemporary debate on cybersecurity: the Internet of Things (IoT), the rise of big data and Artificial Intelligence (AI), and the deepening of human–machine interactions. These trends offer a small window into the future that allows us to examine some – but not all – of the key developments in the field, related threats and opportunities, and their policy implications. Given the growing complexity of cyberspace as a socio-technical domain, greater engagement from the humanities and social sciences will improve our understanding of cybersecurity. To tackle emerging challenges, researchers need to study how humans and societies interact in and through the digital realm.

Toward an ever more interconnected world: The Internet of Things

The IoT will significantly expand the physical and digital frontiers of cyberspace in the next decades. The concept of IoT is best understood as an ecosystem of connected sensors attached to everyday devices and appliances, from vehicles to door locks, thermostats, fridges, security cameras and so on.3 Together, these sensors “collect and transmit data (sensing),” feed it to “systems that interpret and make use of the aggregated information (processing), and actuators that, on the basis of this information, take action without direct human intervention (actuation).”4 According to one estimate, the number of objects connected to the IoT will reach 50 billion in 2020, and 100 billion by 2025.5 The growing physical presence of connected devices will significantly increase the flow of data in cyberspace, and will require the development of new standards to maintain interoperability between billions of connected digital tools.

With applications in every sector of society, from agriculture to finance and health, the IoT will significantly expand the scope and scale of cybersecurity needs. Each new Internet-enabled device provides an entry point into cyberspace, as well as new opportunities to shape human lives in and through cyberspace in both positive and negative ways. Presently, IoT devices are a major point of weakness in the cybersecurity landscape. Many devices lack basic security features and rely upon default passwords, giving attackers easy access to them.

Experts warn that the emergence of the IoT will boost cyberattack capabilities. The growing ecosystem of devices already provides fertile ground for hackers to develop large botnets. The convergence of billions of devices across multiple sectors is likely to increase the potential scale of these disruptions. A single attack will be able to affect more devices and users, and is likely to result in amplified socio-economic effects.6 The IoT will also open new vectors for holding individual data or access to ransom. For example, hackers might one day lock users out of their personal vehicle, home or appliances until a ransom is paid.

The more we interact with the Internet in our everyday life, the larger the data footprint we leave behind. Interconnected devices increasingly transfer large amounts of personal data in cyberspace, generating deeper concerns about privacy, and raising the political stakes of cybersecurity. The IoT will increase surveillance capacities to an unprecedented level, allowing resourceful cyber actors to collect new types of data in greater quantities. In 2018, media revealed how popular fitness trackers allowed companies to monitor the movement of national security professionals working in military bases around the world.7 An interconnected system of billions of sensors provides a tremendous source of information, not only for governments to conduct domestic and foreign surveillance, but also for data-hungry companies and non-state threat actors.8

While none of the risks highlighted in this section is fundamentally new, their scale and scope are likely to significantly affect the way users approach cybersecurity. When cyberspace is everywhere, traditional boundaries between the home and workplace, public and private sphere, and related security practices will become harder to distinguish.9 In a future in which the IoT dominates our daily lives, cybersecurity will become just security.10 Who or what will guarantee the confidentiality, integrity and availability of our data in this future?11 Key security actors, in governments and beyond, will need to develop new concepts and technologies to protect and process the massive amounts of data generated by the IoT.12

Big data and artificial intelligence

According to IBM, humans create 2.5 trillion megabytes of data every day.13 With the advent of the IoT, increasingly large amounts of data will be captured from humans, machines and their environment. By the year 2020, worldwide data production is expected to reach 3,500,000,000,000 trillion gigabytes.14 The ability to process such large volumes of data is one of the defining challenges of big data, but volume alone is not sufficient to define this new norm. The velocity at which data are produced or changed, and the variety of data types, also contribute to the complexity of big data. Scholars and practitioners generally define big data as “the information assets characterized by such a high volume, velocity and variety [as] to require specific technology and analytical methods for its transformation into value.”15

Individuals and organizations confronted with an ever-increasing volume, velocity and variety of data will need assistive technology to extract information and meaning out of them.16 Emerging practices such as machine learning, a form of AI, will support this process and redefine cybersecurity. According to an industry report, 87 percent of US cybersecurity professionals and 60 percent of those in Japan report their organizations are already using AI as part of their cybersecurity strategy.17 A computer using machine learning can learn and adapt its code (operating instructions) and underlying algorithms (predictive mathematical frameworks) to new inputs without assistance from human programmers. This learning process leverages AI to perform tasks faster and more accurately than a human user attempting to keep up with a deluge of data such as malware samples.18 In the years ahead, machine-learning models will help identify, anticipate and respond more swiftly to cyber threats, including malware, malicious Internet Protocol (IP) addresses and websites. Quantum computing, a branch of computer science poised to revolutionize the processing of data, is likely to offer the first major revolution in fundamental computer architectures and logic since their invention prior to World War II. Quantum computers will allow for more complicated computational structures beyond binary 1s and 0s. Such advances, paired with new forms of code and algorithms, are expected to undermine most current forms of encryption and offer potentially revolutionary advances in computational power that could make the most computationally intensive tasks solvable in far shorter periods of time. Advances such as quantum computing and AI are expected to open up new areas of research for fields as diverse as medicine and physics.

In this data-intensive context, cybersecurity will increasingly be about controlling data and the tools to process them. The convergence of big data, cloud computing and the IoT will generate huge amounts of personal data, increasing public concern about the availability of personal data in cyberspace.19 Many experts expect a deterioration of privacy in the future, which will be mirrored by an increasing level of societal acceptance of infringement on privacy.20

Powerful big data tools will allow those that wield them to better target their interactions with individual users. Similarly, hackers could exploit big data and machine learning to better identify potential targets and develop more sophisticated attacks, by such techniques as narrowing down the probable passwords used by a target. The growing role played by AI will force security professionals to adapt their practices to focus increasingly on overseeing machines. AI is unlikely to work perfectly and the potential for error will remain, not least because bias limits computers and the humans who develop and use them. In one notable case, a crime prediction tool, which combined criminal data to tell officers where to focus their prevention efforts, was found to significantly amplify racially biased policing.21 While machine learning and AI offer many promises, humans will remain essential to develop, use, make sense of and secure cyberspace.

Human–machine interactions

A third trend suggests that the boundaries between humans and machines will become increasingly blurred. Contemporary research on the brain–machine interface already allows humans to interact with computers by thought. The merging of biological data and digital devices presents tremendous opportunities to improve standards of living. In one famous medical experiment, a tetraplegic patient was able to directly control robotic prosthetic limbs thanks to electrodes placed in his brain.22

But some commentators worry about the risks of bio-surveillance and, specifically, their impact on privacy. A scenario developed by the Center for Long-Term Cybersecurity at the University of Berkeley hypothesizes an “Internet of Emotion” in which computer devices – directly able to track our hormone levels, heart rate, facial expressions and voice – will be able to read our emotions and touch “the most sensitive aspects of human psychology.” In this future, the report concludes, “managing and protecting an emotional public image and outward mindset appearance become basic social maintenance.”23 In the worst case, this is a future in which Internet users’ privacy will increasingly fall prey to psychological manipulations and blackmail.

The possibility of a future in which AI directly augments human intelligence has encouraged researchers to examine the need for appropriate human-centered safeguards and ethical considerations in the development of AI technologies.24 In recent years, a number of prominent TV shows – from Black Mirror to Westworld – have used fiction to explore the ethical implications of a future dominated by new forms of AI. As AI becomes more prominent, the role of humans will evolve increasingly toward oversight and management of computer systems. Automation requires guardians to ensure the continuity of the values, ethics and policies that define human societies. Prominent thinkers are currently debating whether humans should always have the ultimate say in this context, or whether machines might be able to act as their own masters.25

Either way, both humans and machines will continue to generate cybersecurity vulnerabilities. Humans will continue to forget to install the latest security patch, fall for phishing attacks, and leave flash drives containing personal information on public transport. Computers will continue to have bugs, and to display system flaws or coding vulnerabilities. Cybersecurity will remain necessary to maintain acceptable – though not perfect – levels of trust between humans and machines.

Conclusion: Adapting to the evolving cybersecurity environment

Understanding current trends and alternative futures provides a good foundation for considering the need for new cybersecurity policies and regulations. As computer systems and their interactions with humans become more diverse and complex, experts worry about the extent to which governments, businesses and broader society will be able to maintain security and privacy online.26 Many of the cybersecurity trends discussed in this conclusion suggest a future in which privacy will decrease. If this is the case, policies and regulations will need to adapt to maintain acceptable levels of privacy. Commentators worry that the fast pace of technological change is outstripping laws and policies.27 For instance, researchers have expressed concern that current cybersecurity policies do not adequately address human vulnerabilities, such as the insider threat, and the risk posed by individuals bringing their own devices to work.28

In a highly complex and decentralized environment, multiple divides – between countries, industries and organizations – will require more coordinated efforts to develop coherent cybersecurity regulations and practices. Cybersecurity scholar Benoit Dupont warns that “the escalation and acceleration of data flows may lead to a dilution of security responsibilities if adequate regulatory obligations are not developed and implemented.”29 The concept of multistakeholderism, introduced in chapter 3, might not be enough to overcome these divisions. New concepts and theories will be necessary to better understand and explain the governance of cybersecurity, and to help decision-makers develop and implement common regulations.

The growing complexity of cyberspace and cybersecurity threats will widen the gap between those that can achieve some degree of security and those that cannot. An ISOC report on Paths to Our Digital Future identifies a growing divide, not between those who have and do not have access to the Internet, but between those who have the skills and capabilities to protect their data and those who do not.30 In a highly complex and divided environment, powerful states, companies and collectives will continue to dominate, while individual users struggle to understand the implications of their online activities.

Cybersecurity is a booming sector that will require not only new technologies but also a steady influx of human talent.31 The dearth of cybersecurity skills is already a major problem for many organizations. The tremendous growth of cybersecurity occupations poses pressing challenges in the fields of talent acquisition and education. The search for cyber talent will continue to create opportunities for non-state actors and companies, but also groups of hackers, to sell their services to the highest bidders. Education and training will remain essential to foster tomorrow’s cybersecurity workforce.

A seminal report by the Internet Society on the future of the Internet notes that “new thinking, new approaches and new models are needed across the board, from Internet policy to addressing digital divides, from security approaches to economic regulations.”32 This book has provided a starting point for understanding some of the defining concepts and issues confronting contemporary cybersecurity. While cybersecurity has long been considered a topic for engineers and computer scientists, the last two decades have witnessed growing engagement from scholars and students in the social sciences and humanities. These disciplines are uniquely placed to make sense of the rapid changes and multiple dimensions of cybersecurity. From the individual to the organizational, national and international, the social sciences have a unique capacity to contribute to the analysis of cybersecurity.

Throughout the book, we have shown how the study of human and social relationships – specifically of politics and international relations – provides insights into cybersecurity. Despite the pessimism and technological determinism that mark some of the debate on the futures of cyberspace, the human and political nature of cyberspace also provides ground for optimism. Whatever the future of cybersecurity will be, understanding its core challenges and the role humans continue to play in shaping this domain is essential.

Notes