Will it be the total surveillance society and internet licenses? A breakdown of authority, with e-militias fighting extreme anarcho-hactivists? Or one of the other two?
Global research and advisory firms are meant to give you the big picture. That's why they charge the big bucks. But Gartner's new vision of the future of information security goes beyond the familiar narrative of change — cloud, mobile, hackers, nation-state cybers, etc — to sketch out four potential scenarios. All of them are dreadful.
Gartner outlined this five-year security and risk scenario at their two-day Security & Risk Management Summit in Sydney last week, although some of the material had previously appeared in a June 2013 presentation, The Future of Global Information Security (PDF).
Gartner deployed its entire 50-person team of security analysts to develop the scenarios, along with "guideposts" for determining which of the scenarios might be unfolding — although a marketing company came up with the catchy titles.
The key question they tackled? "How will the Nexus of Forces (cloud, mobile, social, and big data) plus other forces and trends, transform the practice of information security and IT risk management between 2014 and 2019?"
There are many factors at play. Servers are moving into the cloud, and enterprise security is improving (allegedly). But there's more connectivity and more mobile devices out at the edge, so the value at the edge is increasing — and the tools for compromising end-user devices continue to become more automated.
Add to that the fact that "the number of highly trained cyber-students increases by orders of magnitude", Garter says. There's already more than 100 "white hat" hacker university degree courses in the US, funded by the National Security Agency (NSA) and the Department of Homeland Security (DHS). There's similar programs in the UK. In Israel, every grade 10 to 12 student gets training. And China?
Even if 90 per cent of all these people stay on the white hat side...
Gartner decided that one of the most powerful trends will be about how attacks are targeted, at the enterprise or the individual. Attacks may focus more clearly on the servers, or they may focus more on indirect attacks through captured end nodes.
The other key trend will be how the response is coordinated. Maybe it will come from "the authorities" of government, of nation states, with more regulation — but Gartner notes that "critical infrastructure" is continuously redefined, and "very little actually gets done". Or maybe it will be a more tribal, community-based response.
Mapping enterprise-versus-individual targeting on one axis, and tribal-versus-monolithic authority on the other, generates Gartner's four scenarios.
Gartner's Security Scenario 2014-2020
Enterprise target + centralised authority = regulated risk
In this scenario, governments use regulation to provide safety. An attack can become an act of war. All infrastructure becomes critical infrastructure. Enterprises are held responsible for the actions of employees.
An example? The US Critical infrastructure directive.
Milestones along the path to this scenario could include more regulations; an increase in public acknowledgement of attacks; public shaming and fines for breaches; rules of engagement for cyber-security like the Monroe Doctrine; NATO creates a cyber-security division; software liability laws are established; there's an international convention on cyber-war; and neo major nation refuses to sign because it limits their responses.
Enterprise target + fragmented authority = coalition rule
In this scenario, warlords and cartels rule. Hacktivism escalates. Major corporations establish protected fiefdoms. There's aggressive corporate and national espionage. Freelance or mercenary hackers proliferate. The underground economy grows. Defensive cartels promote market manipulation over competition (price fixing, collusion).
Examples? The Cyber Security Alliance, the Cloud Security Alliance, and drug cartel use of the Internet.
Milestones along the path to this scenario could include evidence of corporate counter-attack; a major financial industry company forms a cyber-war department; there's an IPO for a cyber-war mercenary company; an increase in crypto-extortion schemes; cyber-insurance fails and is withdrawn; and a public corporation records a $100 million charge for cyber-blackmail.
Individual target + centralised authority = controlling parent
In this scenario, attacks against individuals push the government to act. Theft-oriented botnets proliferate. The government tries to establish a norm of personal responsibility. The surveillance society grows, with pervasive internet activity tracking and, as a consequence, the "darknet" grows. Criminals use data mining to identify potential victims. Strong privacy regulations emerge. Mobile devices become closed and curated.
Examples? Do not call lists and the Foreign Intelligence Surveillance Act (FISA) amendments.
Milestones along the path to this scenario could include internet service providers (outside of Europe) being ordered to retain all transactions; US CPSC/FTC takes action against product vulnerabilities; there's US class action lawsuits over vulnerabilities; school training and, in some areas, a license is needed to browse the internet; a computer user database is created. ("That last one is called the NSA", quipped Gartner managing vice-president F Christian Byrnes.)
Individual target + authority breakdown = neighbourhood watch
In this scenario, e-militias are formed to fight the extreme anarcho-hacktivism. The Internet resembles the gangs of New York. Corporate and communal walled gardens form, along with self-organising protection societies (both honest and dishonest). There's an extensive darknet and dependence on anonymity. E-commerce declines due to distrust. There is "civil cyber-strife".
Examples? Various Islamic Internet efforts, the increase in identity theft, and the Net Nanny approaches.
Milestones along the path to this scenario could include the formation of cyber-militias; Anonymous focuses on CEOs rather than business operations; corporations start refusing to hold personal information; harassment, reputation attacks and cyber-bullying become common; Facebook loses 10 percent of its members; there's a slowdown in e-commerce growth rates.
Threats and opportunities
"The future is dangerous, so please buy what the vendors are selling", was that the key subliminal message in all this? No. It was more about making sure your organisation is prepared for whichever of those four scenarios unfolds, watching for potential threats and opportunities.
Under the Controlling Parent scenario, for example, one threat is that privacy regulations will inhibit business operations — but an opportunity is that the surveillance society would benefit those who do big data well.
Gartner has developed a "strategy tool" for understanding the threats and opportunities, and for determining what sort of security measures might work best — ranging from traditional passive technical controls such as isolation via network architecture and access controls, improved security training programs and behavioural controls, active technical approaches for returning fire, or the "psy-ops" of advanced behavioural intervention.
Gartner says another there'll be another phase of special reporting, as well as ongoing research publications.
Contact Stilgherrian at Stil@stilgherrian.com or follow him on Twitter at @stilgherrian