The future of cybersecurity will in one sense be like the present: hard to define and potentially unbounded as digital technologies interact with human beings across virtually all aspects of politics, society, the economy, and beyond. We built this project on the proposition that both the “cyber” and the “security” components of the concept “cybersecurity” will be in rapid motion during the back half of the 2010s. That motion is more likely to accelerate than to decelerate, but its direction varies widely among our scenarios. That is no artifact of our research process; it is the central point of the work. We hypothesize that, at some point in the not-so-distant future (if it is not already true at present), cybersecurity will be recognized widely as the “master problem” of the internet era. That puts it at the top of any list of problems that societies face, more similar to a nearly existential challenge like climate change than to an operational concern that technology companies have to manage. That recognition also will bring major changes to how human beings and digital machines interact. One purpose of these five scenarios is to point to some of the changes that may result.
In this work, we have left arguments about straight-up military-to-military “cyberwar” to the side. This was by intention, a modeling choice made to bound the problem. It is clear that cyberwar—or at least cyber conflict—will (continue to) happen, because wars will happen and the internet is a contested arena, just like land, sea, air, and space. Moreover, others already have done a great deal of work on cyber warfare scenarios that can and should be used alongside this document to complement our more market-, technology-, user-, and public-sector-driven scenario set. We acknowledge that a major war between powerful states fought substantially or even principally in cyberspace would be a discontinuity that could redirect in important ways some of the driving forces that we emphasize. But we have chosen to treat this kind of event as more like an exogenous shock or “wild card” than an underlying trend—at least for now.
We have tried to stretch imaginations just enough to see over-the-horizon glimpses of how the problem set will shift and what new opportunities will arise. The target date for these scenarios, 2020, is very close in time to the present. Our experience with scenario thinking as a modeling tool suggests two important observations about that fact.
The first is that change generally happens faster than people expect. Although we may all suffer a bit from internet hype-fatigue, especially in light of (sometimes outlandish) claims about exponential rates of change, it remains true that the landscape will probably look more different than we expect, sooner than we expect.
The second observation is that it is easier to envision downside risks than upside opportunities. That makes sense in evolutionary, natural-selection-driven environments, where anticipating potentially damaging risk is an advantage for ensuring survival, but it may not be quite so advantageous in engineered environments where human beings have a greater degree of control. The internet is among the most complex environments that humans have created, but it is still (for now) an engineered environment made up of digital machines that are built and programmed by people. Fatalism is just as dysfunctional in that context as complacency.
It is our hope that these scenarios prompt expansive thinking and discussion—that they generate more questions than answers, more bold research ideas and creative policy propositions than fixed emphatic proclamations about what must or must not be done. With that in mind, we offer below some very high-level summary points and provocations that emerged from this work.
The most insight is gained, of course, when particular actors and organizations use scenarios like these to develop more precise and pointed implications relevant to their own interests, positioning, capability, and risk tolerance. So we hope that readers will ask themselves this: confronted with a landscape of future possibilities that feature the issues these scenarios highlight, what will cybersecurity come to mean from my perspective—and what should I, or the organization(s) that I am part of, do next? Equally importantly, what will I need from basic research and policy in order to achieve the best cybersecurity outcomes I can envision?
We offer, in conclusion, 10 summary insights from the scenario set as a whole. These insights will have different levels of significance for different readers. We present them as a way to provoke further thinking about the meaning of cybersecurity and its implications in an as-yet unseen future.
- Human beings are at the center of technology—and they are imperfect. Digital technologies are powerful, but not powerful enough to overwhelm either human ingenuity or human stupidity. The “basic hygiene” story about educating people to undertake simple security-friendly behaviors (like using better passwords) in day-to-day life is accurate, but massively incomplete. By 2020, we will see meaningful progress in helping people make smarter choices, or at least be more self-aware about and responsible for the choices they make. But there is no technical or behavioral intervention (or combination) that will stop people from creating insecurity through their actions, any more than there is a completeness proof for perfect software code.
- Hackers go mainstream. Hackers will play an increasingly influential role in shaping the criminal world, as digital technology and physical infrastructure become more closely tied together and integrated into human life. In 2020, digital criminals will not be called “hackers” anymore because they will not be considered a special category; they will just be fraudsters, extortionists, and thieves. Digital criminals are not currently perceived to be the broadest and largest set of illicit actors, either in local settings or transnational networks. In 2020, they may very well be, demanding a massive shift in the priorities of law enforcement.
- A lot hinges on how the political economy of data evolves. In some scenarios, it is security issues around data—more than the security of digital devices or communications networks per se—that drive outcomes. When data becomes more easily exchangeable, it also becomes something of measurable value that criminals want to acquire and sell. The interactive dance between data and algorithms—where the scarce resource lies at any moment, where differential insights can be created, and where the most dangerous manipulations can occur—becomes an important variable in the shape of the threat landscape.
- Device security rules. Many new types of devices (and accompanying security systems) will be developed and deployed by 2020, by a very wide range of firms (small and large) around the globe, and from diverse economic sectors. Many of these new entrants will be poorly prepared and lacking incentives to ensure security. This presents a significant opportunity for governments and transnational organizations to act.
- Cybersecurity is at the threshold of profound psycho-social impact. The internet has already had a massive impact on nearly every facet of human life, including psychology, sociability, and the economy. Cybersecurity issues have not, until now, had anything near that level of impact on most human beings. Cybersecurity for individuals has been a nuisance or an embarrassment, a financial toll, and a source of fear and worry—but not a fundamental risk that changes how we live. Cybersecurity is about to have this type of psychosocial impact. This arena will feel more like nuclear security did to the generation of Americans who lived through the crises of the 1950s: an ever-present existential threat that shadows human life and calls for massive global action. Corporations and governments may become able to predict individual human behavior and come to “know” us (not just what we buy or where we go) better than we know ourselves. Memories may become storable, searchable, shareable, and possibly changeable. Such advancements will go to the essence of what it means to be human, how we interact with one another, what freedom and fairness mean, and ultimately how we assess a feeling we call “security.”
- Public-private partnerships are everywhere. It should be surprising (and troubling) that this observation feels situated in the future, but many private-sector and public-sector actors still behave as though the other “side” is not critical to cybersecurity outcomes. This is a dysfunctional mindset, and it will become even more so in the future. Successfully forging public-private relationships will be a source of significant security advantages for cities, regions, countries, and beyond. And as these partnerships multiply and morph, it will become harder to distinguish between what a private actor is doing and what a government is doing to threaten or defend networks and data assets. The public vs. private distinction may matter considerably less in 2020 than it does today.
- There is no silver bullet in cybersecurity. The ongoing and ever-increasing demand for features, performance, and extensions of digital capabilities expands to fill the space of what is technically possible (and often goes beyond it). This observation, in light of the vagaries of human behavior that accompany it, means that the digital realm will evolve very much like other “security” realms have always evolved in human affairs: with ever-changing vulnerabilities that can never fully be mastered. In other words, bad actors coevolve with good, and the meanings and identities of “good” and “bad” are never settled. Threats don’t disappear; they change shape.
- Cybersecurity approaches the center of corporate and national strategies. The risk of cyberthreats to firms is now as significant a force as the “normal” unknowns that keep CEOs up at night: unexpected shifts in customer behavior, economic crises, disruptive new competitors entering the market. For countries, cybersecurity will soon (if it isn’t already) be on the same strategic plane as a major threatening nation-state or transnational actor with imperialist or revisionist ambitions. Firms and governments that come late to these recognitions will have to work very hard and fast to catch up.
- The developing world will play a significant role. Whether developing-world actors become hackers, lead the way in adopting or creating technologies, use market fluctuations to jumpstart their data economies, or something else, developing economies and societies will likely drive the evolution of the cybersecurity environment as much as—or even more so than—they drive the internet overall.
- Don’t count governments out. The most important determinants of the cybersecurity environment in the near future will not be cyber warfare per se, though preparations for and deterrence of major cyber conflicts will be one of the shapers of the environment. As a result, we do not expect cyberspace to be fully militarized in this timeframe. Our scenarios reflect the proposition that governments are major players regardless, and in some respects they are even more influential and directive of change over time in market- and technology-driven scenarios than their militaries might be in the event of cyberwar. While private-sector interests have dominated the internet agenda for nearly a generation, these scenarios suggest that governments in the future have the potential to play more significant—and possibly more constructive—roles than they do today.
Because scenarios are models, not predictions, no single scenario that we have described in this work, nor any single implication, will necessarily “come true.” Cybersecurity in 2020 will likely include elements of all these scenarios, in some indeterminate mix. Whatever that mix will look like, this work helps to demonstrate that “cybersecurity” will be stretched and broadened far beyond its meaning at present.
The cybersecurity world of 2020 will still be talking about malware, firewalls, network security, and social engineering. But it will also be talking about personal memories, new distinctions between what is public and private, the power of prediction, faith in public institutions, the provision of public good, psychological stability, the division of labor between humans and machines, coercive power (both visible and invisible), what it means for a human-machine system to have “intention,” and more.
That is a very different and much broader agenda for cybersecurity than we find today. These scenarios are both a reflection and outcome of this broader agenda, as well as an effort to drive others toward stretch mindsets that will enable re-perception of problems and opportunities. We are convinced that at the intersection of human beings and digital machines we will find the repository of people’s greatest hopes and fears. That is why cybersecurity deserves the highest level of attention, research, imagination, and action. Please share with us your reactions, insights, critiques, ideas, and questions. They are essential ingredients for shaping forward-looking research and policy agendas that universities, governments, firms, standards bodies, and other organizations should adopt as we seek to get just a little bit ahead of the future of cybersecurity.