Gartner's vision of infosec 2019: four scenarios, all bad

Will it be the total surveillance society and internet licenses? A breakdown of authority, with e-militias fighting extreme anarcho-hacktivists? Or one of the other two?

Global research and advisory firms are meant to give you the big picture. That's why they charge the big bucks. But Gartner's new vision of the future of information security goes beyond the familiar narrative of change — cloud, mobile, hackers, nation-state cybers, etc — to sketch out four potential scenarios. All of them are dreadful.

Gartner outlined this five-year security and risk scenario at their two-day Security & Risk Management Summit in Sydney last week, although some of the material had previously appeared in a June 2013 presentation, The Future of Global Information Security (PDF).

Gartner deployed its entire 50-person team of security analysts to develop the scenarios, along with "guideposts" for determining which of the scenarios might be unfolding — although a marketing company came up with the catchy titles.

The key question they tackled? "How will the Nexus of Forces (cloud, mobile, social, and big data) plus other forces and trends, transform the practice of information security and IT risk management between 2014 and 2019?"

There are many factors at play. Servers are moving into the cloud, and enterprise security is improving (allegedly). But there's more connectivity and more mobile devices out at the edge, so the value at the edge is increasing — and the tools for compromising end-user devices continue to become more automated.

Add to that the fact that "the number of highly trained cyber-students increases by orders of magnitude", Gartner says. There are already more than 100 "white hat" hacker university degree courses in the US, funded by the National Security Agency (NSA) and the Department of Homeland Security (DHS). There are similar programs in the UK. In Israel, every grade 10 to 12 student gets training. And China?

Even if 90 per cent of all these people stay on the white hat side...

Gartner decided that one of the most powerful trends will be about how attacks are targeted, at the enterprise or the individual. Attacks may focus more clearly on the servers, or they may focus more on indirect attacks through captured end nodes.

The other key trend will be how the response is coordinated. Maybe it will come from "the authorities" of government, of nation states, with more regulation — but Gartner notes that "critical infrastructure" is continuously redefined, and "very little actually gets done". Or maybe it will be a more tribal, community-based response.

Mapping enterprise-versus-individual targeting on one axis, and tribal-versus-monolithic authority on the other, generates Gartner's four scenarios.

Gartner's Security Scenario 2014-2020

Enterprise target + centralised authority = regulated risk

In this scenario, governments use regulation to provide safety. An attack can become an act of war. All infrastructure becomes critical infrastructure. Enterprises are held responsible for the actions of employees.

An example? The US Critical infrastructure directive.

Milestones along the path to this scenario could include more regulations; an increase in public acknowledgement of attacks; public shaming and fines for breaches; rules of engagement for cyber-security like the Monroe Doctrine; NATO creates a cyber-security division; software liability laws are established; there's an international convention on cyber-war; and one major nation refuses to sign because it limits their responses.

Enterprise target + fragmented authority = coalition rule

In this scenario, warlords and cartels rule. Hacktivism escalates. Major corporations establish protected fiefdoms. There's aggressive corporate and national espionage. Freelance or mercenary hackers proliferate. The underground economy grows. Defensive cartels promote market manipulation over competition (price fixing, collusion).

Examples? The Cyber Security Alliance, the Cloud Security Alliance, and drug cartel use of the Internet.

Milestones along the path to this scenario could include evidence of corporate counter-attack; a major financial industry company forms a cyber-war department; there's an IPO for a cyber-war mercenary company; an increase in crypto-extortion schemes; cyber-insurance fails and is withdrawn; and a public corporation records a $100 million charge for cyber-blackmail.

Individual target + centralised authority = controlling parent

In this scenario, attacks against individuals push the government to act. Theft-oriented botnets proliferate. The government tries to establish a norm of personal responsibility. The surveillance society grows, with pervasive internet activity tracking and, as a consequence, the "darknet" grows. Criminals use data mining to identify potential victims. Strong privacy regulations emerge. Mobile devices become closed and curated.

Examples? Do not call lists and the Foreign Intelligence Surveillance Act (FISA) amendments.

Milestones along the path to this scenario could include internet service providers (outside of Europe) being ordered to retain all transactions; US CPSC/FTC takes action against product vulnerabilities; there are US class action lawsuits over vulnerabilities; school training and, in some areas, a license is needed to browse the internet; a computer user database is created. ("That last one is called the NSA", quipped Gartner managing vice-president F Christian Byrnes.)

Individual target + authority breakdown = neighbourhood watch

In this scenario, e-militias are formed to fight the extreme anarcho-hacktivism. The Internet resembles the gangs of New York. Corporate and communal walled gardens form, along with self-organising protection societies (both honest and dishonest). There's an extensive darknet and dependence on anonymity. E-commerce declines due to distrust. There is "civil cyber-strife".

Examples? Various Islamic Internet efforts, the increase in identity theft, and the Net Nanny approaches.

Milestones along the path to this scenario could include the formation of cyber-militias; Anonymous focuses on CEOs rather than business operations; corporations start refusing to hold personal information; harassment, reputation attacks and cyber-bullying become common; Facebook loses 10 percent of its members; there's a slowdown in e-commerce growth rates.

Threats and opportunities

Was the key subliminal message in all this "The future is dangerous, so please buy what the vendors are selling"? No. It was more about making sure your organisation is prepared for whichever of those four scenarios unfolds, watching for potential threats and opportunities.

Under the Controlling Parent scenario, for example, one threat is that privacy regulations will inhibit business operations — but an opportunity is that the surveillance society would benefit those who do big data well.

Gartner has developed a "strategy tool" for understanding the threats and opportunities, and for determining what sort of security measures might work best — ranging from traditional passive technical controls such as isolation via network architecture and access controls, improved security training programs and behavioural controls, active technical approaches for returning fire, or the "psy-ops" of advanced behavioural intervention.

Gartner says there'll be another phase of special reporting, as well as ongoing research publications.

Contact Stilgherrian at or follow him on Twitter at @stilgherrian
