Whether to disrupt a country, halt major commercial flows, or make important financial gains, cyber criminals usually look for vulnerabilities that have not yet been discovered. The constant evolution of technology is a catalyst for them to find new flaws to exploit. Therefore, in a fast-evolving digital ecosystem, decision-makers in government, industry, academia, and civil society need to anticipate and address tomorrow’s cybersecurity challenges to stay ahead of the curve.
In Fall 2022, the Center for Long-Term Cybersecurity (CLTC), with support from the World Economic Forum’s Centre for Cybersecurity, convened decision-makers in government, industry, academia, and civil society for a series of workshops as part of the initial phase of Cybersecurity Futures 2030, a scenario planning exercise focused on exploring how digital security (broadly defined) could evolve over the next five- to seven years.
The purpose of these initial conversations was to shape an understanding of the “official future,” a baseline set of assumptions about what the coming years will look like if recent trends in cybersecurity continue on their current trajectories. Below are some of the key insights, tensions, and trade-offs that emerged from the workshops, with an eye toward helping organizations better prepare for the opportunities, risks, and challenges that lie ahead.
1. Progress in cybersecurity, but access must be widened
Public and private investments in security technologies, as well as broader efforts to tackle cybercrime, defend critical infrastructure, and raise public awareness about cybersecurity, are likely to reap tangible payoffs by 2030. Cybersecurity will be less about “defending fortresses” than moving toward acceptance of ongoing cyber-risk, with a focus on bolstering resilience and capacity for recovery. As markers of this trend, passwords could be nearly obsolete by 2030, cybersecurity will be widely taught in primary schools, and cryptocurrencies will be more effectively regulated. Still, while investments in more secure systems and basic cyber hygiene will raise many above the “cyber poverty line,” progress is likely to be unevenly distributed across communities and geographies.
2. A worsening crisis in trust online
Erosion of trust online is poised to deepen and continue to undermine offline relationships and institutions. Advances in AI and machine learning will make it increasingly difficult to distinguish between humans and machines online, potentially leading many people to shift their activities back offline and even revert to using analog devices. In a world of increasingly sophisticated synthetic media and AI-based cyberattacks, cybersecurity will become less about protecting confidentiality and more about protecting the integrity and provenance of information. Unfortunately, at the moment when societies most need to come together to solve major problems like climate change, distrust could lead to a retreat from regional and global cooperation. We need to work to avoid this outcome.
3. The double-edged sword of AI and machine learning technologies
There is both optimism and uneasiness about the rapid pace of scientific advancement and commercial adoption of AI and machine learning technologies. On the upside, we will see vast innovation in sectors such as medicine and transportation, as well as improvements to cybersecurity. On the downside, AI will also lead to innovation in cybercrime, and machine-learning models could train themselves to achieve illicit or devious ends. There is a lack of clarity in how governments, companies, or communities will ensure that AI and other technology-based systems are built, deployed, and monitored safely and ethically, and no clear forum from which that guidance will come.
4. Downsides (and limited upsides) of internet fragmentation
The trend toward “digital sovereignty” and internet fragmentation will continue, as efforts toward internet interoperability and cross-border data transfers will compete with efforts by governments to establish localized or regional controls over online spaces. This may be an opportunity for local communities to have more agency in defining digital security, but we could also see a “wild west” of disinformation, surveillance, and more powerful cyberattacks emanating from rogue states that have isolated themselves from the global internet. The trend toward deglobalization could also lead to more pronounced “regional pockets of truth,” with differences in information defined by geographic or other boundaries, and governments could exert more control through technology.
5. Pull and push between regulatory experiments and the future of privacy
By 2030, we will know whether early efforts at privacy legislation (such as Europe’s General Data Protection Regulation) are delivering on their policy objectives, but it remains uncertain whether we will have improved methods for managing personal data by 2030 or will be living in a world in which we have given up on contemporary notions of individual privacy.
6. Metaverse uncertainty
Participants were split between those who believe that the metaverse (or metaverses) will not materialize, and will be considered a failed experiment by 2030, and those who believe we need to accelerate policy innovation to keep up with the new privacy and security issues that a fully realized metaverse will pose. However, the most dystopian visions of the future that emerged from the workshops were based on a passive consumer (i.e., living in the metaverse to escape problems in the real world). The antidote to this dystopia, and a key aspect of what the future holds, relies on our ability to educate citizens to embrace critical thinking.
7. Sovereignty and shifting power dynamics
In the workshops held in Europe, we heard concerns about a blurring of frontiers between governments and private corporations (for example, a few participants speculated about a future in which the largest tech companies hold seats on the UN Security Council). From US-based participants, we heard more concerns about a trend toward digital sovereignty, the security issues companies face in addressing increasingly divergent regulatory requirements around the world, and the lack of a practical human rights framework for determining compliance trade-offs. Most agreed that the public sector will play an important role as both buyer and investor in technology and in developing guardrails in how cybersecurity plays out.
It is imperative for security practitioners to take a holistic view on the advancement of digital technologies to stay ahead of the curve. Those who begin now to look toward this complex new future will have the advantage.
Learn more about Cybersecurity Futures 2030
The UC Berkeley Center for Long-Term Cybersecurity, in collaboration with the World Economic Forum’s Centre for Cybersecurity (WEF), is running the Cybersecurity Futures 2030 initiative, a foresight-focused scenario-planning exercise to inform cybersecurity strategic plans and enable practitioners to understand the impact and prepare for the future of digital security. As detailed in the Global Cybersecurity Outlook Report, a varied range of new technologies are being adopted by organizations, significantly raising the complexity of securing the digital ecosystem and widening the attack surface for malicious actors to exploit. Navigating this complex world will require strategic foresight. CLTC will use the insights above to develop formal 2030 scenarios for cybersecurity, and, in partnership with WEF, will invite stakeholders to discuss and stress-test the scenarios in the coming months.
Join the conversation on Twitter (@CLTCBerkeley) or LinkedIn. To learn more about Cybersecurity Futures 2030, please contact cltc@berkeley.edu.