Hocus-pocus! The stupidity of cybersecurity predictions

Security industry prognosticators rely more on marketing, hype, and our own bad memories than any knowledge of security past, present or future

Every year, some publication asks me to come up with a list of my top 10 predictions for the security field, and every year I tell them they might as well just dust off an article I wrote a year earlier, with maybe a couple of buzzwords and a new technology added on. What you can generally expect in any given year is more of the same, with some slight variations.

That doesn’t stop people from making predictions, though. Vendors and supposed experts can’t seem to control the urge, but when I read their predictions, I just have to shake my head at the uselessness and gross ignorance of most of the comments. Predictions are useless when they are obvious, which many of them are, and they show gross ignorance when they predict things that have already happened. Surprisingly, predictions of past events are fairly common on these end-of-year lists; the prognosticators don’t know enough about the security industry to know that what they are predicting has already happened.

What is important to know about the year ahead is that it will resemble the years behind us. All technologies can and will be hacked, and likely already have been. If a new technology becomes especially pervasive, hackers (perhaps terrorist hackers) will try to compromise it. There is no genius in predicting that many hackers, including those affiliated with terrorists and nation-states, will try to compromise IoT devices.

Prognosticators on occasion make truly sensational predictions. Unfortunately, those rarely come to pass. Back at the turn of the millennium, one analyst firm predicted a $1 billion theft as criminals took advantage of Y2K-related issues. People still pay that firm tens of millions of dollars a year for its advice. Another analyst firm predicted a Cyber Pearl Harbor in 2003. As you know, neither of those predictions, which garnered major headlines, came true. The people who make such predictions hope that people won’t remember them when they fail to come true, and of course, most people don’t.

I don’t know why people let prognosticators get away with including obvious things on their lists of predictions. This year we were told that in 2016 there will be an increase in mobile device hacking. Security spending will continue to grow. There will be security problems with IoT devices and Apple products. I would just like to add that the sun will rise 366 times.

This year was also not lacking in predictions of things that have already happened. For example, “The power grid will be successfully attacked.” Are you worried? Well, keep in mind that Russia, China and Iran have already been directly identified as having compromised the U.S. power grid. And it is likely that other power grids around the world are thoroughly compromised. Brazil’s power grid reportedly suffered an intentional outage due to hackers as early as 2005. Claimed hacks against power grids were noted by President Obama in a speech in May 2009. So “predictions” about successful hacks against the power grid are about 10 years too late.

Ah, but this year, say some prognosticators, we can expect terrorists to target the power grid and other critical infrastructure components. Sure, we can, but that doesn’t make this much of a prediction. In 2008, CBS News reported that terrorists were using one of my old presentations for training on how to take down the power grid. It is also old news that terrorists will use the Internet to communicate with one another. Terrorists began using click fraud as a form of fundraising soon after Google Ads became available.

Trend Micro stated that “a customer-grade smart device failure will be lethal.” That is upsetting, but not news. Various failures have already resulted in deaths, and it can be argued that faulty directions in GPS devices have led to incidents causing deaths. In any event, more people will die from texting while driving. It is of course possible that someone will hack a medical device, such as an insulin pump, causing deaths, but that has been considered a possibility for more than a decade, with a proof of concept performed at the Black Hat conference in 2011. While there has not been a realized case of a medical device being hacked in the real world, I guess if you keep repeating it, it will eventually happen.

Repeating predictions seems to be safe, because nobody remembers failed predictions. And should one of those perennial forecasts ever actually come true, you can bet that the prognosticators will be crowing like roosters.

Why do these trite and useless lists proliferate? The media shares much of the blame. Columnists have to write stories, even during those end-of-year holidays when little in the way of actual tech news is being generated. Meanwhile, vendors’ PR people scramble to get their executives to come up with something, package the crap they come up with, and pitch it to any publication they can think of.

But little of it would get published if readers weren’t fascinated by predictions. Whatever readers click on, we will be given more of. Apparently, people just like to read lists.

But I have a proposal for readers. The next time you see a list of predictions for the coming year, do a search and find an article from a year earlier predicting what would happen in the year just ending. Do that a few times, and you will begin to see just how inane this exercise is, and more important, how much you should really trust these supposed experts and vendors.

For example, here’s one from a year ago in which Kaspersky stated that mobile payment systems would come under attack in 2015. Although there is little doubt that attackers are thinking about such attacks, there were no known attacks against this technology over the last year. If you had read that a year ago, you might have thought it a bold prediction. Reading it now, it’s just lame.

You’re never going to do anything with the predictions you read anyway, so you might as well use last year’s predictions to see just how useful and insightful vendors can be.

By Ira Winkler