Scenario one

The New Normal

The internet of the world 2020 will evolve into something of a “Wild West,” with individuals and organizations seeking protection and—sometimes—justice for themselves.

Insecurity will become the starting assumption for every online interaction—not just for experts, but for everyone. Following years of escalating headlines about data breaches, internet users will operate with the belief that, sooner rather than later, their data will be stolen and their personal information broadcast. Law enforcement will fall further behind as small- and medium-scale cyberattacks become an everyday occurrence and also more personal. As the first generation of true “digital natives” comes of age (many of them having coded since they were kids), it will become normal behavior to access and interfere with other people’s data. Individuals and institutions will respond in diverse ways. A few will choose to go offline; some will make their data public before it can be stolen; and others will fight back, using whatever tools they can to stay one step ahead of the next hack.

The World

This scenario portrays a world of 2020 in which most people have lost faith in institutions (private or public), technology, or anything else to protect them from nefarious actors on the internet. People will fight their own battles—either through individual efforts or by banding together as communities—in order to live their digitally moderated lives as best they can. The “New Normal” internet world may seem on first glance like “more of the same”—a continuation of the trends and technologies undercutting security in 2016. But it is actually different in kind, because the default assumption for just about everyone in this scenario (not only the well-informed or paranoid) is that essentially nothing on the internet is “safe.” This scenario represents the culmination of a trend: a gradual but definitive corrosion in trust across most dimensions of what people and institutions do online that had been building for more than a decade. But the endpoint feels different—and is different—than the trend. Confidence or even hope that “anyone”— whether governments, software companies, security companies, or researchers—will be able to “fix” the problem is now gone, and the behaviors of typical internet users will change materially as a result.

This shift will not be driven by a single event or crippling digital strike from which the system could not recover.1 Instead, the decline will be gradual and monotonic, a steady and insidious corrosion over time that heads toward a tipping point. Given the relatively limited real-life impact of security breaches when they happen one at a time, the public in 2016 tends to adjust to this evolving insecurity by quietly becoming inured to the costs of replacing credit card numbers and paying for credit monitoring services. But running beneath this apparent complacency will be an almost invisible trend heading toward a threshold effect. The end result will be that, at some point, cybersecurity incidents shift from being a “tax” or “burden” on what you do in the digital world to being the core reality of internet life. Trust will be gone.

The seeds of this trend have been sown over the course of decades. In 2016, security problems still are perceived as mostly happening to “other people”—small groups of individuals unfortunate enough to have their data (medical, financial, social) held by the wrong company on the wrong database at the wrong time. For most individual victims, the pain is manageable. Beyond personal angst, the main costs to the average consumer are minor nuisances, such as dealing with bureaucratic paper trails, changing passwords, or entering new credit card numbers into online accounts. While illicit hacks on major healthcare companies, retailers, and government institutions make headlines, consumers and companies do not significantly alter their communication and consumption habits.

Big hacks are already semi-regular and increasingly widespread, but the stakes keep going up. State Department communications, naked photos of public figures, and email communications detailing interoffice fights at high-profile corporations are already released into the public domain. Attacks with a social agenda

...at some point, cybersecurity incidents shift from being a “tax” or “burden” on what you do in the digital world to being the core reality of internet life.

While illicit hacks make headlines...consumers and companies do not significantly alter their communication and consumption habits.

(think Ashley Madison) have already become more common. While publicly decrying these actions in social settings, many internet users secretly hunt for these images and details online. It has all been very shocking, but at the same time appealingly voyeuristic, like a new style of reality show. All of this is unfortunate and annoying, but not transformative. The mindset of most consumers remains steady: “Really bad things could happen on the internet to anyone, but they probably won’t happen to me.”

This scenario imagines the next frontier in data insecurity, in which growing vulnerabilities in a wide array of internet features—for instance, the well-publicized September 2015 attack on X-code affecting the Apple app store2-force broader swaths of internet users to realize that nothing online is safe. Security experts have known this for years, but their efforts to explain it mostly fell flat, much like the early explanations of climate change risk in the 1990s. In this scenario, their warnings can no longer be denied.

By 2020, widespread data breaches will affect nearly everyone who does anything meaningful online, thanks in part to the rapid expansion of illicit markets for stolen information. Already teeming with activity designed to exploit personal information, this deviant industry will grow quickly as increasingly professionalized profiteers put pressure on hackersto produce and sell data at a faster rate. Their methods and tools will make electronic systems more vulnerable and the technology and expertise needed to exploit digital systems cheaper and easier to obtain. Growth in the information black market will spill over into a premium market of “hackers-forhire,” in which specialists can be hired to facilitate large-scale hacks at a steep price. Local “digital mafias” will emerge first in online communities and later in cities across the world, where they will be capable of carrying out hybrid physical/cyberattacks.

This trend will lead to an accelerating growth cycle in criminal and illicit data, an innovation cycle much like those that occur in the licit world, with the same characteristics of positive feedback and increasing momentum. In 2011, Marc Andreessen captured this dynamic when he said that “software is eating the world.”3 In 2020, he might say that internet crime is doing the same.

With internet crime almost normalized, the knowledge and programs needed to pull off digital attacks will quickly proliferate. It will become normal for individuals and digital mafias to carry out acts of revenge through hacking. “Digital natives” who grew up online will prove particularly adept and creative at pulling off these crimes. The kind of cyberbullying through social media that people worried about in 2016 will give way to personal, small-scale petty cybercrimes that—whether motivated by revenge, curiosity, frustration, or boredom—will pile financial and sometimes physical damage on top of embarrassment and harassment. Tomorrow’s cyberbully won’t just spread nasty rumors about your child on Facebook. She will brick his phone, lock your garage door in the “open” position, and flick the lights

on and off in your bedroom all night long. And you won’t have much recourse available, other than to get in line for help from . . . who exactly? Local police? ISP technical support? Cybersecurity firms that are mostly focused on defending large enterprises? Or perhaps your “friendly” digital mafia team that can strike back in small-scale acts of “active defense”?

At some point, the political narrative will likely shift (much as it has for some in the United States around gun violence) to “it doesn’t have to be this way. We just need to agree on commonsense actions to change it.” But (again, as with gun violence) there will be no consensus to act decisively, and the lack of investment in law enforcement and security infrastructures will belie the rhetoric. In some cases, under-resourced police forces, already struggling to make progress or stay even with the advance of major internet crime, will give up responsibility for the digital sphere because of the growing number of small attacks and the widely distributed damage to individuals and property. This dynamic might also become self-reinforcing:

  • Many criminal hackers will evade detection by keeping their impact just under the media’s radar and by exploiting weaknesses in cross-jurisdictional coordination. Small, distributed internet crimes will prove more foolproof and more profitable than traditional petty theft. Talented criminals will be able to walk this line most effectively, while less talented and sloppier criminals may find themselves pushed out into other kinds of crime or employed as relatively low-wage workers in the illicit money machines run by more successful thieves.
  • Decision-makers will find it difficult to appropriate increased funding toward combating these crimes in an austere economic climate where individuals and families are losing assets and where the efficacy of countermeasures remains uncertain. State and local governments will feel increased pressure to shoulder the responsibility for place-based hacking, even though true locality will often be difficult to identify. At the same time, local and regional law enforcement agencies will struggle to staff a technically savvy workforce due to the low wages they offer, the monotony of investigating small-scale hacks/stalking/ vandalism, and the inability to properly investigate and bring suspects to justice, particularly as digital jurisdictions do not follow traditional geographies.
  • Private-sector firms that depend heavily on e-commerce will call for solutions as they witness the detrimental impact of rising internet crime on their markets and business plans. A coalition of the biggest players might, in theory, join forces to help people around the world combat digital insecurity, but that nascent coalition will be hamstrung by anti-trust law, competitive dynamics, and the companies’ own (ironic) complicity in the problem (having waited too long to do enough about it). Meanwhile, cybersecurity firms and their venture capital backers will be focused principally on enterprise security, not the security of families, individuals, and their connected homes. As a result of these pressures, digital firms will protect themselves first and foremost, allowing the public to bear the brunt of the losses. Firms that cannot afford such protections will be pushed out of the market and, as a result, online innovation will slow incrementally but noticeably. Minimal security and minimal trust will become the new barriers to entry for startup firms.

Internet users will prove stunningly resistant to altering their online behaviors, despite the escalating risks.

With internet crime almost normalized, the knowledge and programs needed to pull off digital attacks will quickly proliferate.

This slow-moving tsunami of small and medium-size criminal enterprises4 will be hard to stop or even slow down. In the United States, continued Congressional polarization, along with diffuse and multijurisdictional responsibility for cybercrimes, will result in more of the same: an ongoing lack of appropriate laws to prosecute small-scale internet crimes. Prosecutors will be hamstrung by limited and outdated statutes (like the Computer Fraud and Abuse Act 5) that restrict prosecutions to serious financial crimes. The global footprint of the hacking mafias will further complicate law enforcement’s response. Because successful prosecutions require multinational cooperation, the United States will become highly dependent on international support to succeed in law enforcement—as will other countries.

Hackers will seek sanctuary (either physically or virtually) in precisely those states that refuse to cooperate with international law enforcement. These so-called “hacker havens” will benefit from the presence of illicit criminal enterprises, which bring wealth and prosperity to previously destitute and remote areas. Authorities will use diverse tactics— such as offers of fake job interviews to lure suspects into the United States,6 or waiting until suspects move to locations where law enforcement is more cooperative—but these ultimately will have little measurable impact. In extreme cases, hacker havens could become profitable enough to drive significant economic development in some countries—a kind of deviant version of Information and Communication Technologies for Development (ICT4D)7 — leading those governments to offer more than passive protection.

Can the encryption-security infrastructure reverse these trends? Human behavior more than anything else makes that unlikely. Internet users will prove stunningly resistant to altering their online behaviors, despite the escalating risks. Encryption systems will provide a significant measure of information security, but their adoption will remain limited due to lack of usability and failed implementation of best practices. The average internet user, unwilling to fully encrypt his/her web activity, will make the situation worse through the simplest mistakes: writing down passwords, leaving computers unlocked, or simply forgetting to encrypt. Once hackers improve their ability to access password aggregator websites (which will be seen as a top target), the obstacles to serious password protection will only heighten. The development of biometric or other physical passcodes will work well as a short-term fix—until that data gets hacked too, at even higher cost to the victims.

Some countries may mandate controversial backdoors in crypto standards8, setting up a modern-day security dilemma9 or “spiral of insecurity”: such backdoors will not only make encryption systems vulnerable, but will increase incentives for criminals to pursue additional entries. There will also be pressure to restrict the export of encryption technologies and even make some encryption illegal.10 The expert community will be nearly unanimous in its opposition to these measures, and for very good reason. But terrorists’ inevitable use of encrypted communications— accurately reported or otherwise—will compel governments in many parts of the world to head in a different direction. Meanwhile, advances in high-performance computing may favor “crackability” over encryption security— or, at a minimum, will set off an even more vigorous race between encryption and the ability to break it, including in the realm of quantum processing.11

This is how we end up at “The New Normal”: growing concerns about personal safety + significant and lucrative success by hackers + perceptions that internet industries are imposing upon society the risks and burdens of security failures = an increasing degree of “heads I lose, tails you win” sentiment among normal internet users. As trust in the system collapses, the baseline reality of the internet will change such that everything is insecure. By 2020, the internet will feel like an extremely dangerous neighborhood where you tread at your own risk, and where everyone is pretty much on his or her own.

Outcomes

“The New Normal” may seem in some respects like a straight-line extension of 2016, at least in terms of its causes and driving forces. But once people and institutions cross the perceptual threshold from security to insecurity, how they make decisions about their digital presence will change significantly. In a world where almost everyone starts from the presumption that “digital” means “insecure” and all internet-enabled devices (including billions of newly connected “things”) are hackable, the security landscape will shift its focus away from preventative efforts to reduce vulnerabilities toward mitigating the consequences of pervasive insecurity through threat and attack response.

Individuals and institutions will face a new menu of possible actions and choices. Three will predominate. Important data and transactions will be: (1) “protected” through legal means that limit the use of data (e.g., medical records need not be private because discrimination or adverse uses will be illegal); or (2) shifted offline, in an attempt to manage insecurity (e.g., mobile banking will be limited and in-person transactions will be encouraged to minimize risk); or (3) performed with an assumed base level of risk that data transacted digitally will not be confidential.

How individuals adapt to this environment of ambient insecurity will be quite granular and complex. But over time, the general population will likely segment into three broad groups: those who embrace transparency as a way to undercut the value of stolen data (the “open sourcers”); those who resist the culture of openness and boost their privacy through various arcane practices (“the resisters”); and those who detach from digital networks (the “neoluddite rejectionists” or “neo-Amish”).

“Open sourcers” will embrace the electronic world’s inherent vulnerability by making their data transparent by default.12 Their logic will be simple and extreme: information cannot be stolen, manipulated, or held hostage if a definitive version has already been made public. Some people will go so far as to release read-only versions of their hard drives and email histories on new websites (“TakeMyData.com” or the like), essentially giving up confidentiality in order to reinforce their confidence in the integrity and availability of their data.

Transparency has limits, of course, and everyone has sensitive secrets that he or she tries to keep behind tightly guarded doors. But overall these individuals will manage their vulnerability by hiding “in plain sight”. This kind of radical transparency will have some strange manifestations, like people posting nude pictures of themselves to fight the stigma faced by women who have been exposed or “doxed”, or a new kind of campaign to voluntarily publish tax returns, bank statements, and other financial data. Norms about what is public and private change, and some will find this radical transparency empowering, seeing it as a way to make ambient insecurity their choice rather than a condition imposed upon them by criminals and technology.

“Resisters”—individuals who resist and try to hold on to higher levels of privacy—will face constant, unrelenting pressure to deploy new practices and technologies (such as bots and GPS spoofers) to protect their data and actively obscure their actions. These efforts will take far more time and effort than they did in 2016 and will only sometimes prove effective. But some techniques will succeed in controlling the illicit flow of personal data streams. There will be widespread fear-mongering, and snake-oil salespeople will target this group, offering the “next great security tool” or do-it-yourself measures to stave off potential hackers. It will take a great deal of time, money, and expertise to avoid being duped into a false sense of security. Some individuals in this group will find ways to self-select into their own restricted-access communities that disallow any outside (or only NSA-certified or equivalent) technology to enter their gated walls.

“Neo-luddite rejectionists” (though they would almost certainly reject this label as being pejorative and anachronistic) might be young reactionaries seeking a temporary respite from modern digital experiences, or very rich people for whom digital conveniences are no longer worth the price. They also might be families with traditional values who embrace a life largely disconnected from digital networks. And they might appear in surprising parts of the world—including among vibrant technology clusters, where the costs of insecurity are best understood.

Within this group, “dumb” phones and “disconnected” homes will make a resurgence, and some people will make their best effort to eschew the use of cellular devices and sensors altogether. Given the proliferation of sensors around large population centers, some neo-luddites could adopt a more extreme isolationist approach and move to rural communities that largely reject the use of post-1970 digital technology. They may be less likely to appear in developing countries, where national infrastructures of 2020 may not allow such wholesale disconnection. It is difficult to reject technology if you require internet access to obtain your monthly water ration, for example.

Of course, few people will fit neatly into one of these ideal-type categories. Rather, as individuals come to grips with the new realities of digital insecurity, they will decide which aspects of their lives to allocate to which response pattern, and they will respond in nuanced and highly contextualized ways. Inevitable and difficult-to-manage frictions will emerge at the interfaces and edges, both between people and communities and within individuals managing different aspects of their lives. Imagine applying for a mortgage loan when banks require that your tax returns have been public for at least three years—2020’s version of “proof” (to both the public and shareholders) that you are a secure investment.

Institutional Reactions

Companies, industries, local and national governments, and global crime syndicates will also start adapting to the new baseline assumption of insecurity, not security, leading to some profound changes as a result. For example, the full recognition of deep digital insecurity will impact the structure of cities and “communities” of all kinds. Many physical communities will create specialized local networks, such as “cyber neighborhood watches,” in order to protect themselves. These communities will try to make secure information and communication exchange possible within limited geographic areas, particularly neighborhoods, while also trying to separate (to the extent possible) from the broader internet. On a small scale, “gated” communities may take on new meaning, with visitors required to leave unverified devices at a physical or perhaps digital security booth. Larger cities will probably see better success in banding smaller communities and neighborhoods together to minimize exposure to “outsiders,” providing more herd-like protection through interlocking community watchdog organizations.

Communities with high levels of social capital will have to turn some of that capital toward developing digital public goods. That might take the form of a new wave of online “broken window policing” or the emergence of a cyber equivalent of New York’s 1990s mayor Rudolph Giuliani, with zero-tolerance policies for bad behaviors.13 But few communities will find enough social capital to make these policies stick. “Surfing Alone” will become the latter-day equivalent of “Bowling Alone”—an activity that signals a lack of social capital and a deterioration in community cohesion, safety, and joint action.14

Commerce will, of course, be deeply impacted by the changing norms of internet activity. If the starting assumption for customers becomes internet insecurity, some industries—notably, but not limited to, banking—will retreat to delivering primarily offline services to consumers. In a dramatic reversal, offline transactions will once again become the default. The reversion to paper and in-person communications will make physical co-location increasingly important. Tremendous advantage will accrue to current financial centers (New York, London) and tech centers (Silicon Valley, Tokyo) that already have co-located companies and employees.

In sectors where online transactions are less sensitive, there may be a resurgence of non-neutral intermediation platforms (like the early AOL) that provide a proprietary security layer for sensitive online operations like logins and purchases. These platform companies (Google and Apple, perhaps?) would receive more of users’ data in exchange for providing better security than most could achieve on their own. However, because such platforms would not be foolproof—indeed, they would be high-value criminal targets—their use might be limited. Top companies would also come under regular antitrust scrutiny, given the regular cross-corporate cooperation on security vulnerabilities and the added power that companies have over consumers.

Some industries, like healthcare, will benefit from this environment of insecurity in surprising ways. In the United States, laws that were designed to help keep information private, like the Health Insurance Portability and Accountability Act (HIPAA), will create significant and sometimes insurmountable transaction costs for the sharing of health-related information in research and clinical settings. Moreover, in this scenario HIPAA willbecome nearly irrelevant, because many patients will voluntarily make information more available, enabling healthcare providers to access and process health-relevant data with much greater ease. We might see a rapid increase in new insights and therapies that have a self-reinforcing impact on the willingness of patients to make their previously private data (available to criminals but not to legitimate healthcare providers and researchers) public.

Of course, some individuals will hesitate—even more than they do today—to have certain illnesses treated (psychiatric problems, for instance, or degenerative mental and physical conditions) out of fear of having their health records made public and feeling the associated stigma. But the opposite could also happen: norms sometimes change quickly when information about previously “secret” conditions can’t be kept secret anymore. Consider mental illness. Thomas Eagleton, the US Democratic Party’s 1972 vice-presidential candidate, had to withdraw from the race when information about his history of depression was leaked to the press.15 Twenty years later, President Bill Clinton talked openly about his psychotherapy, as do many people in public life today. If most or even all medical records were in the public domain, how many conditions would remain stigmatized for long—particularly if there were laws that effectively constrained discrimination on the basis of that knowledge, as laws do today around visible disabilities?

HIPAA will become nearly irrelevant, because many patients will voluntarily make information more available.

For governments, “The New Normal” could be a very different world in terms of public-sector actions and responsibilities.

Similar dynamics might unfold in education. If data about students were by default public, school districts would have to become more adept at leveraging that data to improve teaching. At the same time, governments would have to step up quickly and boldly to constrain illegitimate, discriminatory, and undesirable uses of such data. Decisions that are now often made quietly and indirectly, such as segmentation of students by ability, would have to be debated openly. Longknown but unspoken biases (for example, in admissions processes at selective colleges) would become transparent to outsiders. Once these data sources are no longer privileged and private, how long could institutions like these argue that their algorithms for processing and drawing insights from data should be held secret?

For governments, “The New Normal” could be a very different world in terms of public-sector actions and responsibilities. At the highest level, cybersecurity will no longer be treated as a baseline public good for which the state is ultimately responsible (even if that belief was mostly illusory in 2016). Rather, it will become—in perception and reality—more like a narrow service provided by defense departments and other specialized government institutions to support a limited number of critical public safety objectives, a form of critical infrastructure.

Within the United States, government agencies will experience important shifts in power. Intelligence agencies may benefit at first from the availability of vast new open data sources, as messy, noisy, unstructured, and likely biased as they might be. But they will also face a decline in their traditional sources of leverage, as former “secrets” will be increasingly made public. As a result, these agencies will move into new domains of practice. The NSA might take on an expanded set of intermediary roles—for example, certifying the validity and reliability of certain security fixes in exchange for participants agreeing to have their data screened by NSA systems (akin to an Underwriters Laboratories for security16). Other domestic government agencies will struggle to keep up with the flow of data, and the public will get out ahead of what those agencies would be ready to release through “open government initiatives.” This will be particularly challenging when agencies are required by statute to protect data that is suddenly, as a result of private individual action, in the public realm.

Governments will reshape the most significant forces of demand facing the cyber defense industrial complex. Instead of asking contractors to build systems that protect huge, widespread systems and assets, the challenge will be to offer extreme protection to a relatively small number of assets, which in turn will be under more intense scrutiny and higher risk of attack. Almost every battle will become high stakes, and every failure a potentially catastrophic loss.

At the same time, increased transparency, combined with increased cyber military capacity, will render “digital wars” and “cyber Pearl Harbors” even less credible. Of course, countries that invest heavily in strategic cyberattack capabilities will not give them up altogether. Instead, they will modify their strategic focus, doubling down on the capacity to carry out very large attacks that truly put other states at deep risk. Because the ability to carry out small- and medium-size attacks that create moderate levels of “cyber insecurity” no longer has any meaningful impact, states will instead focus even more strongly on preparing for big attacks on major and vulnerable systems. This will add to tension in the Sino- American cyber landscape in particular and also give rise to a dynamic much like a bipolar nuclear balance of terror. Somewhat ironically, it might also yield a higher level of strategic stability, at least when it comes to state-to-state cyberwar worries.

State-based distinctions in cybersecurity regimes will become tauter and cause additional friction. Some countries (e.g., China and Russia) will find economic and social advantage in balancing apparently competing interests—like the need to protect civil liberties while simultaneously exercising quarantines, strict protocols, and activity surveillance—because expectations of privacy will be limited given the state already controls and actively monitors network activity. These and other relatively authoritarian regimes may find “The New Normal” easier to deal with, as it facilitates state focus on a few big targets that really matter while leaving low-level financial crimes behind. Such governments nevertheless will be increasingly challenged by citizen cyber vigilantes, though they may be able to make deals with the largest firms about when and where a private actor can legitimately retaliate.

In contrast, the starker the choice between civil liberties and freedom of expression on the internet, the greater the cost for many Western countries. European countries will find they have the furthest to pivot, given the entrenched privacy protections and mindsets that will be shaken by widespread transparency. Some may respond by restricting internet access at the point of the consumer/citizen, rather than risking a wholesale loss of privacy. New cleavages may also arise, for example between the Cold War generation insistent on strong privacy and younger generations that have never experienced such privacy and see less value in it.

International dynamics will be further complicated by the growth of “hacker haven” countries that seek to legitimize their own position in the world order. Hackers will provide these havens with a new income stream that will invigorate local economies. Yet that income may fluctuate wildly or dry up as more data is made public; those havens that track high-end resources and provide a home for the most sophisticated criminals will have a greater likelihood of achieving economic stability. Over time, the trend toward making nearly all data public may become a rallying cry for haven legitimation in some places. Hacking revenues are licit, havens will argue, given the realities of the internet. After all, you can’t steal something that is already free, and the essence of entrepreneurialism is creating value from cheap (or free) assets—legitimately or otherwise.

It seems likely that terrorist organizations (groups like ISIS or its successors) will at first become more prominent in this new world. To the extent that their strategy involves creating a gradual corrosive drag on Western economic power, they will invest a fair amount in cybercrime. But over time, their profits will probably shrink as they are out-competed by the more sophisticated and technologically adept criminals motivated by money more than ideology.

Meanwhile, foreign relations and diplomacy will become a different kind of game, one that has long been talked about in the post-WikiLeaks era but never before realized. Because international actors will no longer be able to prevent foreign companies, intelligence officers, and governments from taking information that has been made public, informal security networks will be constantly at risk of breaking down, and states will no longer have leverage to trade. One end result will be greater overall transparency, for better or worse, on controversial decisions. Foreign partners with lesser ability to protect highly secretive calls and memos will be weak links in the secrecy chain and may get shut out of diplomacy as a result. There will surely be more attempts at international cooperation on cybersecurity issues, but those countries that benefit from the emerging regime will have an interest in slowing down the process, making efforts to cooperate less effective. In this scenario, the hesitaters and blocking coalitions will almost always have the wind at their backs.

The Way Forward

In this scenario, the internet of 2020 will have evolved along lines that already exist today—but it will feel like a very different place. Commerce, politics, social relations, and the meaning of privacy will have been transformed by digital technologies that make insecurity, not security, the internet’s foundation. The last vestiges of techno-utopianism will vanish. Crime (and the ever-present possibility of crime) will color everything that people build, do, share, and learn. Priorities will be set about what absolutely must be kept secure, but only a small number of those priorities will have a chance of holding up. In some cases, data and interactions will be taken increasingly offline. In other cases, users will abandon technology altogether. More than anything, individuals and organizations will try to leapfrog ahead of criminals by letting data become public.

In this scenario, cybersecurity researchers in the year 2020 will wish that researchers in 2016 had been looking more deeply at how different institutions (e.g., government agencies, corporations, and nation states) could adapt to an environment of such vast data insecurity. They—and the public at large—will wish for further clarity about:

  • Tipping Points
    How to identify the tipping points that will lead to a wholesale change in attitudes and behaviors about cybersecurity
  • Privacy
    The shift from privacy as protecting data from being released to the public to privacy as preventing the abuse of data that has already been released
  • Infrastructure
    The changes in infrastructure—both the legal regimes required to regulate transactions and the training, staffing, and funding of law enforcement—needed to adapt to a world where the internet is both ubiquitous and insecure
  • Hacker Havens
    The terms and conditions under which nation states that support international criminal hacker enterprises gain or lose legitimacy
  • Boundaries
    The ways in which boundaries for exclusive, secure online communities can develop, and the mechanisms by which those boundaries, once violated, can be restored

Cybersecurity researchers will also need to produce new insight into possible warning signs that this new world of baseline insecurity is indeed approaching, and possibly faster than people think. These warning signs might include increasing weakness in the market for encryption solutions and the growing popularity of new and ever-more complex password protection techniques (or replacements for passwords altogether). Identifying these signs early could help individuals and institutions better prepare for the surprising behaviors and interactions that will emerge in “The New Normal.”