Scenario THREE

Bubble 2.0

This is a world in which many of today’s data-intensive internet companies—and the neutral platforms and advertising revenue underpinning them—collapse as a result of perceived overvaluation.

An equity market rout follows, with valuations plummeting along with profits. The data that these firms collected will be among the few recoverable assets. Datasets will be stranded in bankruptcy proceedings, sold off in fire sales, auctioned, bought by governments, or stolen. As a result, an open market for datasets will arise in which both licit and illicit players race to gain ownership of these time-sensitive, underpriced, but (potentially) high-value assets. It is a “war for data” under some of the worst possible circumstances: financial stress and sometimes panic, ambiguous property rights, opaque markets, and data trolls everywhere. As a raucous market for data evolves at the intersection of value and security, an equally interesting market for the (underpriced) human capital to work with that data will develop. In both the licit and illicit worlds, pressure will mount to find ways to generate returns quickly and aggressively while protecting them along the way. Cybersecurity and data security thus become inextricably intertwined.

The World

This scenario grows out of the next great financial disruption, which this time will be focused on data. The prelude to such a crash has already occurred—at least three times—in the modern internet era. First was the circa-1990 end-of-Cold-War recession that shook up the defense sector and led to the market release of both technology assets and a trove of hungry and opportunistic engineers. During the mid- and late-1990s, the first-generation World Wide Web drew on these underpriced assets to create new firms and business models. These dot-com firms, in turn, underwent their own major financial disruption around 2000. That recession released another tranche of engineers, along with underpriced assets ranging from fiber-optic capacity to intellectual property. These were the foundations of Web 2.0. The 2008 “Great Recession,” which had roots in structured financing around the housing market, was not set off directly by internet economics. But the value destruction and market disruptions that followed in the wake of this crash similarly drove many weaker IT companies into bankruptcy, releasing assets for cheap acquisition and contributing to the growth of a new generation of internet companies.

From these disruptions, a pattern emerged. In a cyclical manner that invokes an accelerated version of Carlota Perez’s technology cycle logic,1 financial disruptions spawned new players that bought or used valuable inputs at fire-sale prices. They then leveraged these inputs to create innovative new business models, particularly when governments (anxious to rekindle growth) subsidized them with money and regulatory relief.

In late 2015, the conventional wisdom was that this cycle had been suspended or perhaps overcome by the “real” business models of data-intensive firms that emerged in the new millennium.2 In 2016, question marks started to arise over that hopeful view. This scenario makes clear in the not-so-distant future that the conventional wisdom of 2015 was wrong and the question marks of 2016 fully justified.

In a “Bubble 2.0” world, slow-moving trends already underway and visible will set the stage for a third internet business model crash. Engineers will start abandoning the high-priced Silicon Valley world for alternative clusters in Singapore, China (Beijing), South Korea, and elsewhere (or perhaps virtual clusters spanning these and other well-connected cities). This exodus will be in part driven by brewing ideological disillusionment within the tech community and broader society about the Valley’s product mix (“When did we stop trying to change the world and instead just make indulgence products for rich 30-year-old singles?”)

In Europe, there will be increasing pushback against digital overreach in the privacy and public services realms. Political coalitions similar to the anti-Uber movement and the antitrust movement against Google might form, giving European resistance to the tech revolution more velocity, scope, and credibility. Even in Washington, DC, skepticism will grow about the regulatory arbitrage game, in which companies take advantage not of price differentials per se, but of differences across markets and regulatory regimes. (Consider Uber’s argument that it is not a taxi service, but a platform for likeminded people to meet and “share” rides.3) Regulatory arbitrage is already a key driver of super-charged growth, both in scale and geographic scope, among many platform businesses. However, rising skepticism, regulatory realignment, or simple blockage in some geographies will significantly complicate the growth and profit projections that have pushed these firms toward extraordinary price-earnings ratios on public equity markets. It will become more common to hear arguments that these valuations represent a financial bubble about to burst.

With macroeconomic concerns about stagnation in the broader economy continuing to mount through 2016, the word “innovation,” which had carried so much political-economic clout in national capitals and on Wall Street, will begin to feel tarnished, and might even start to take on a negative valence. (Will the phrase “innovation wash” be used in the tech sector the same way people use “green wash” in the environmental sector to describe the triumph of marketing over reality?) A gradual shift in market psychology will brew just under the surface, as valuations of data-intensive companies continue to mount. The feeling will grow that investors had yet again built “castles in the air” on a fragile and corroding foundation.4

As often happens in markets, it could be an exogenous shock that turns these rumblings into a crisis. A seemingly unrelated concatenation of events—a contested presidential election in the United States, a ratchet-up of violence in the Middle East, a dramatic rise in oil prices—might lead to a sharp fall in confidence. Or it might be the underperformance or even failure of a single iconic firm. Whatever the shock, a slew of earnings reports showing a decline in mobile and desktop advertising revenue among major firms, including Google and Facebook, might exacerbate the downward trend. Within a short period, the market capitalization of big and small technology companies alike could collapse—declines on the order of 50 or 75 percent would not be out of the question.5 When “castle in the air” narratives lose their luster, the carnage is frequently swift and ruthless—and this time would be no exception.

A significant and sustained decline in the valuation of major tech companies would deepen concerns that even the most visible firms have few real and defensible assets above and beyond their datasets. Many believe that the market capitalizations of these firms reflect not so much the services they provide but the expected future value of the data they collect. When “the market” decides, perhaps in late 2017, that these datasets no longer provide sufficient justification for high valuations, many firms that have grown on the basis of that argument will see their market capitalizations blow up with it. From that point onward, 90 percent tumbles in stock price would be entirely plausible. Cash crises and bankruptcies would follow, as banks and venture investors quickly and brutally pull back funding.

This is a well-understood financial panic dynamic—but that may not make much difference in how it plays out. As the crisis enters full force, people like Nouriel Roubini (or his would-be successor) will declare Yahoo to be this decade’s equivalent of Bear Stearns, and Facebook the next Lehman Brothers.6 Sequoia Capital or its equivalent will release a slide deck titled “Good Times RIP 2.0,”7 reminding industry insiders of the famous 2008 deck that signaled life support at all costs for that generation of companies. Firms will race to hoard (and find new sources of) cash wherever they can. Survival mode will become the dominant strategy.

Many internet business models that were taken for granted in the first half of the 2010s will disappear. If a company as prominent as Twitter were to announce with no warning that its services will be discontinued as of a particular Friday afternoon, it will feel to many like the end of the third era of internet companies has arrived. A few elite media companies will tighten their paywalls; most would have to double down on sponsored content, product placement, and other revenue sources. Some hardware companies will begin to charge full price for their devices (for instance, Amazon might revoke all special-pricing offers on its Kindle). To reduce their reliance on “monetizing data,” service companies will charge higher prices. “Freemium” will become a word of the past, and many of the “free” apps that had been iconic symbols of Web 2.0 will no longer be free.

The logic of firms putting their data up for sale in this situation would be straightforward. If data is the one truly monetizable asset a company has, it makes sense to sell it to raise cash (which Good Times RIP 2.0 will say is the only real option) and survive long enough to figure out what to do next. Even a well-organized market can run into trouble when everyone rushes to sell at the same time. But the market for data—to the extent that it exists in 2016—is decidedly not well organized. On the licit side of the fence, there already exists a vibrant and well-functioning market for specific kinds of consumer information, fostered by companies such as BlueKai and Acxiom that act as clearinghouses for data about individuals.8 On the illicit side, there is also a robust market for different types of personally identifiable information (PII), including but not limited to financial information about individuals. In both sectors, however, access to data remains limited in 2016, and the quality and price of data being sold are hard to determine.9 Even so, criminal networks already show strong demand for consumer data, suggesting that there may be equally strong interest for data in other sensitive areas, such as critical infrastructure, transportation, and national security, once the financial crisis allows them to be acquired.

Not all data owned by distressed or at-risk firms will suddenly be for sale on the open market. Some contracts will restrict data resale, with courts intervening in high-profile cases. Companies with physical or other assets will be less likely to engage in data sales, given the uncertainty of the new markets. And for some data—that which gets outdated quickly (the equivalent of yesterday’s weather) or is already publicly available (such as most people’s addresses and phone numbers)—there may be no market at all. Even so, a significant portion of data about people, companies, infrastructure, and many other (sometimes unexpected) things will be for sale. Once these datasets prove lucrative for a few early movers, other firms will likely follow.

If it is hard to place a dollar value on data before the market gets swamped, it will become still harder as more and more datasets are put up for sale in rapid fashion. How “good” is the dataset? How “clean”? How timely? How accurate? How comprehensive? What could one do by combining this dataset with others? Answering those questions and attaching concrete dollar values to the answers (price discovery, in economic terms) will be almost impossible under panic selling conditions.

Short-term schemes for valuing data would pop up from many places in a competitive manner. Some schemes might differentiate among concrete categories of data assets, such as PII vs. real estate vs. national security vs. financial. Others might try to establish differential value according to human demographics or behaviors. It is unlikely that any of these schemes would stabilize by 2020; instead, data assets would get further jumbled up and confused. The market for data will be tumultuous, volatile, semi-opaque, prone to rumor and cascades—and at the same time, impossible to avoid.

Of course, the great data market explosion of 2017 (or soon after) will not be uniformly bad—not for web users nor for data scientists, and not for the organizations buying and selling data. Optimists will make the argument that data assets were actually more valuable than Web 2.0 firms had understood, and that, by releasing them from their lock-up in retrograde advertising-based business models, a whole new generation of productivity and value—and a Web 3.0 that takes advantage of these new assets—could be created. Whether that kind of optimism proves right or wrong in the long run, the short-run dynamics certainly would not feel positive. There will simply be too many datasets of uncertain quality and unclear source flooding a poorly organized market all at once—almost the definition of a fire sale.

Economists might label this a Coase-theorem moment, when property rights dramatically reset around valuable assets, and those assets then redistribute themselves toward the actor that can create the most value with them. In other words, it could be a moment that encourages economic efficiency.10 But the Coase theorem works only when property rights are clear and transaction costs are low—and neither of those conditions will fully hold in this world. Grabbing at the assets will be an unconventional mix of actors—not just private firms but governments, criminals, intermediaries, and academic institutions—hoping to maximize their value. When a massive amount of what used to be “captive” data escapes into raucous markets, the only certainty is that it will be put to uses that no one expects.

Outcomes

Because this is a market-driven scenario, its primary effects largely fall into two categories: licit market effects and illicit market effects. The tensions and interactions between these two broadly defined spaces—and in the fuzzy boundaries between them—would cause significant secondary effects detrimental to security.

Licit Market Activities

Two foundational principles will drive licit market outcomes in this scenario. First, high-quality datasets have long been hard to come by because they are difficult to identify, very expensive, or simply unavailable. In this scenario, that reality changes partially. For the “right” price, data of all kinds will be obtainable, but the quality of that data will often not be clear. Second, the need for available and functional algorithms that make it possible to analyze complex datasets will multiply far beyond what it is today. After the crisis, the advantage will go to companies that monopolize the talent of top algorithm development, as well as to data and computer science departments around the world.

The nontechnical public might find itself with a different mindset after the crash. As investors, they will lose significant money in the stock market crash, as even diversified portfolios will be hit hard by the overvaluation of large technology companies. As consumers, they would find themselves paying more out of pocket for goods and services because the exchange of data no longer subsidizes the costs. Many people will pivot from utter fascination to a sense of disillusionment with Silicon Valley, its innovation culture, and its overall societal impact. Could this extend to a broader skepticism about technology per se and digital technology in particular? While this seems unlikely, the general decline in what is now called “permissionless innovation” (you get a lot of space, time, and legal license to experiment with new technology applications as long as you can claim “innovation”)11 would have a meaningful impact on the magnetism of the digital world. It might make the average user even more cynical about cybersecurity “fixes” and “investments” as well, precisely at a moment when security will become even more tenuous and important.

What would almost certainly change in this world is the ongoing debate about personal data and privacy. For at least a decade, consumers have engaged in an implied “grand bargain” with the tech industry, giving up their data quite freely on the assumption that their world (and perhaps even the world at large) would change for the better as a result. Privacy activists have tenaciously questioned the value and legitimacy of this bargain, but whether it was a comparatively unregulated deal (in the United States) or a considerably more constrained deal (in many parts of Europe), the privacy agenda never really stuck with the public. That likely will change when core assumptions about what personal data delivers break down.

When the implicit (sometimes explicit) bargain breaks as decisively and broadly as it would in this world, it will feel to many consumers that their data was “stolen” under false pretenses. The legal ramifications that follow could spawn decades of litigation. Perhaps the earliest and most obvious targets would be the click-through contracts and terms of service agreements underpinning much of this data release. The risk of datasets being hung up in litigation would be another constraint on price discovery: who will want to pay a high price for a dataset whose use might be frozen by a court? This might create a price advantage for actors in illicit markets, where calculations of a dataset’s value would not be as burdened by concerns about legal usage restrictions.

Tech companies in this world will be driven by the need to generate cash and quickly find new ways to show that data is relevant again. A variety of market response strategies will start to take shape. Small and nonprofit organizations that survive the crisis will be able to access underpriced data assets that they could not have afforded in 2016. This might give a major boost to segments of the pharmaceuticals industry, where “real world data” (RWD) is showing promise for drug development and testing,12 or to public interest applications like public transport optimization.

Because there will be considerable pressure on new data owners to extract value and demonstrate that value quickly, some sectors (healthcare, for example) would likely see a major boost in competition, subject to first-mover advantage. De-concentration of data from the biggest players could turn out to have a stimulating effect on innovation overall, as newly empowered small firms race to become the next first mover. The biggest challenge for these firms will be to invest adequately to secure their new data assets against criminals, who will be closely monitoring for vulnerabilities wherever interesting datasets land.

Another underpriced asset that would flow into markets—or at least become more “liquid” after the crash—will be human capital: unemployed and underemployed data scientists who, like their defense industry engineer predecessors in the 1990s, will be hungry for opportunities to do great work and make great money. The best of this group will find attractive opportunities designing algorithms to analyze newly available data, but many others will not have the advanced skills needed to engage in algorithmic design. The most pressing question for the remainder, depending on geography and temperament, may be whether the most attractive opportunities lie within licit or illicit/semi-licit enterprises. Some governments will weigh in on that choice with cash and coercion, just as the United States did with regard to decisions made by Soviet nuclear scientists after the end of the Cold War.13

As this world moves closer to 2020 and the acute phase of the crisis evolves into its chronic aftermath, new financial instruments will develop to manage the exchange of data assets—for example, data bonds that place claims on the stream of income produced by a dataset over time. As a secondary market in data bonds develops, there will emerge a new and valuable source of information about the perceived value of particular datasets and how that might change (and change hands) over time. Data rating agencies would then emerge to rate both data sets themselves and the repackaged rights to data sitting in bonds or other kinds of derivatives. A futures market on data that is yet to be produced or released to the market—such as data on children that legally must be withheld until age 18—could become a vibrant place to fund new initiatives in data collection. And, of course, there will evolve a vast black market for other types of non-sanctioned data, including all the kinds we know today as well as new combinations of data that offer criminals the opportunity to do damage. For instance, can past shopping preferences help criminals target phishing schemes? Will IP address locations be used to predict when a particular individual will or will not be home?

Many large firms will have plenty of willing buyers for their data—but the buyers may not always be desirable from a broader political economy and security perspective. One particularly interesting strategic option for large firms might be to seek government rescue, as auto companies and banks did in 2008 and 2009. Could a firm like Google argue that it was “too big to fail”? In an ironic echo of General Motors circa 2009, imagine Eric Schmidt claiming that more than a million US jobs depended on Google directly and indirectly.

The US government will have to listen seriously to these arguments. The economic and national-security policy communities might push for governments to act as “data buyer of last resort.” Protecting jobs, maintaining the value of an illiquid “systemic risk entity,”14 and keeping valuable data assets out of the hands of foreign companies and governments all favor government intervention. The expressed intention, as with GM in 2009, would be for the government to buy up the data assets, hold them through the crisis long enough for markets to stabilize, and then resell them to legitimate private firms on the other side.

In the interim period of ownership, though, the federal government could find itself in a very awkward place regarding privacy and data rights—a much more complicated situation than was the case with GM. Datasets that citizens felt “okay” about Facebook having might suddenly be “not okay” when they are held in escrow by governments, at least in the United States. (In Europe, by contrast, citizens may be more comfortable with governments holding data than with companies doing so.) And what of data about foreign citizens and companies held abroad, particularly those subject to the new transatlantic Safe Harbor 2.0?15 The US Government would certainly go to great lengths to assure the world that it had only a financial presence in data markets and would not do anything with the data that it now “owned”—but who would really have confidence in that assurance?

Governments will have interest in acquiring data not only to save companies that might be suffering in the crisis, but also to ring-fence sensitive datasets that they do not want in the public domain. Predictably, governments would be interested in protecting critical infrastructure data and information on government employees. But other categories might be more surprising. Is it possible that data on farm locations and product lines could give rise to a food security question? Could data on top university students be considered a source of leverage in the hands of foreign governments to recruit effective spies? Lobbying in national capitals around these issues would be fast, furious, and intense—as would, potentially, covert counter-lobbying by commercial interests, adversarial states, and possibly criminal networks.

The reset button will also be pushed around beliefs and regulations that pertain to personal data property rights and privacy. As personally identifiable information (PII) is sold to new owners, the people who were the source of that PII will more often than not react with astonishment: “I didn’t agree to have my data sold at bankruptcy to a government or firm I’ve never heard of!”16 The truth is that in most cases they did agree to it, simply by accepting common terms of service. The fight over such contracts will heat up in new and vehement ways, but it is unlikely to be settled quickly and cleanly. The controversies will be even more difficult to manage when de-anonymization hits combinations of datasets that were thought to have been rendered “safe” through (imperfect) anonymization protocols.

Governments thus will come under even greater pressure to limit downstream privacy effects. In the United States, the Attorney General’s Office and the Federal Trade Commission, among other agencies, will try to keep track of data mobility and restrict the movement of certain types of data. The Committee on Foreign Investment in the United States (CFIUS) will try to prevent foreign acquisitions when national security issues come into play (or when firms are able to make that argument successfully as part of their survival strategy). In Europe, the movement for data privacy will become even more vociferous. But markets will often be moving faster than regulators. Although governments may be able to limit some particularly “dangerous” transactions among large licit entities, regulators will be much less successful in keeping up with small criminal players, who will find themselves with broad freedom of action as they operate under the radar and at smaller scale.

The most important constraints on how licit markets for data would evolve post-crash would be national borders, national regulatory schemes, and national security concerns—a back-to-the-future moment for the “global” internet economy. In 2020, the de facto level of globalization in digital data markets may look surprisingly far below the level of globalization in markets for goods and services.17

Illicit Market Activities

Parallel data-market response strategies will take shape in the criminal sector. It seems likely that some cybercriminals would switch tactics, finding the licit market more favorable than the illicit. Imagine the slogan “Who’s dumb enough to break into a salvage yard?” floating around hacker websites. Why bother stealing datasets when you can buy them cheaply on a distressed asset market? Even if criminals sometimes have to set up intermediaries or shell companies to complete transactions legally, the licit market will be seen as a good bargain for many. This would present a major challenge for legal authorities trying to “regulate” as best they could the raucous fire sale. Exactly who is buying the data will be difficult to determine.

In other cases, datasets will become attractive targets for attack and theft. This will be especially true when their new owners fail to take adequate security precautions with their recent acquisitions. How will they make decisions about how much they should invest to protect the data? Criminal groups could grow aggressively by systematically attacking these fresh targets, including both private-sector companies and government agencies that had taken on data, even if only temporarily as stewards.

Other criminal organizations might offer to act as cut-out intermediaries for governments that seek to buy up certain data assets for national security or competitiveness purposes but prefer not to be identified. Imagine a virtual hacker meeting where participants talk about the possibilities of a “Godfather” strategy: if they could make a deal with a government to look past their previous illegal activities, might they be able to pull off the transformation into legitimate businesses that Michael Corleone couldn’t quite finish?18

As these data markets become more sophisticated, multilayered, and important, the markets themselves would become an attractive target of attack. Cybercriminals could very well turn their existing tools—physical and network penetration of data centers, denial of service attacks, introducing fraudulent data or noise to manipulate market prices—to these new primary and secondary data markets, as well as the meta-data they produce and depend upon. Some criminal activity will also likely become “financialized.” Why steal data itself if you can make money more reliably by manipulating the new and untested data-backed financial products and instruments more directly? The geography of attack may very well move toward more traditional financial centers like New York, London, and Tokyo, where data security professionals will also cluster.

Cybersecurity Challenges and Tensions

In this world, cybersecurity and data security will become inextricably intertwined. There will be two key assets that criminals can exploit: the datasets themselves and the humans who work on them. In this environment, the ability to trace the origins of a particular dataset will become critical; proof of “provenance” will become a highly valuable asset. And just as in markets for fine art, falsifying the provenance of data may be a particularly lucrative means of manipulation.19

The “price” of a dataset, then, will reflect its value and its overall security characteristics, the same way that in 2016 the price of a house reflects its “inherent” value, its construction and maintenance history, and the crime rate around its physical location. Parallel pricing dynamics will likely emerge in illicit markets as well, with pricing based not only on the inherent value of the data but also on how “insecure” it is—and thus what other illegal manipulation possibilities it presents. In both environments, data with the most security features will become the most valuable. Where and when these markets become relatively efficient (if they do), there would be a de facto regularized price for moving data between the legal and illegal sectors as well.

Sudden job loss for many thousands of tech-industry employees—at least some percentage of whom will be actively recruited by criminal enterprises—will also raise significant security challenges. Governments will be tempted to monitor and try to control the actions of disgruntled or dispossessed data scientists and engineers. They will also seek to preferentially direct these human-capital resources into licit rather than illicit enterprises. This will be an expensive and intrusive proposition with uncertain results.

It may be in the gray areas—the blurry boundaries between legal and illegal, state and private, intelligence and law enforcement, criminal and parastatal, etc.—that the most challenging security predicaments will arise. Consider the likely retrenchment of global communications platforms like Google and Facebook—a tricky situation for insurgent and terrorist groups (whether ISIS and its successors or extreme-right wing organizations) that use them to communicate and recruit, and equally tricky for the intelligence agencies that track illicit activity. In this scenario, “bad actors” will lose some ability to achieve global scale through a small number of platforms and will have to distribute their efforts across a larger number of smaller platforms. Intelligence agencies will have to track this distributed activity, which means losing economies of scale in surveillance as well. It is unclear who would be advantaged and disadvantaged overall by this dynamic.

There will be two key assets that criminals can exploit: the datasets themselves and the humans who work on them.

The recombination and new sorting of data assets among firms, states, criminals, and others will substantially change the way such actors behave. Many incumbents—who benefit today from their first-mover advantage in the earlier phase—would try to reassert dominance through different means. Others will lose control of their data and possibly their competitive advantage to newcomers. Significant opportunities will emerge for traditional, native, non-data firms (the GMs and Safeways of the world) to transform themselves with a leapfrog move: rather than playing catch-up, they can buy the data assets and expertise they need if they act fast and boldly. Other opportunities will arise for nonprofit organizations and universities, which may want to buy what used to be expensive proprietary data of public or research interest and place it into “open” or “trust” settings. Would organizations like the Marin Agricultural Land Trust set up a sister organization called the Marin Data Trust?

Such a reorganization would create the conditions for an interesting and potentially dangerous multiplayer game between states, criminals, entrepreneurs, and mixtures of each that would be different in important ways from today’s dynamics. Criminal networks might be well positioned to make early and ambitious investments in newly available datasets, as their risk-return appetite rises above that of any other actor. Courageous states with lots of capital and economies that would be less, or at least less directly, damaged by the bubble bursting (which might include China, Russia, and Iran) would be presented with attractive opportunities to improve their positions. There would be similar opportunities for capital-rich states that are less active in the cyber and data realms, such as Saudi Arabia, to get into the game. Criminal networks that are not principally digital (like drug cartels) might use this moment to extend their business models aggressively into the data and cyber realms, and those already in the game could go much deeper. Could we see joint ventures between criminal networks and fresh sources of capital—and even the possibility of some such ventures using this moment to “go legitimate” as cyberdefense or digital services businesses?

New attack vectors are also likely to arise as a result of criminals’ extensive, in-depth access to data. Blackmail may become the new spear phishing: rather than stealing someone’s credential, a perpetrator might force the victim to do the dirty work themselves, on the threat of making their private data public. Of course, such attacks could focus on institutions as well as individuals. Releasing data relevant to ongoing litigation could be as threatening to a company as a web browsing history might be to an individual.

Cybersecurity in “Bubble 2.0” will become a broad landscape in which the political economy of data plays out. Once data is released into highly imperfect markets, its valuation will become the core question that people, organizations, and governments must answer in order to reasonably and rationally set a security agenda. Pressures to act quickly and grab first-mover advantage before data assets become “stale” or are locked up in new ownership configurations will drive the process along much faster than anyone really wants, but it is difficult to see who has the power and influence to slow things down. For consumers, the overall effect may be deep apprehension about financial security, national identity security, and even physical security. (Could, for example, criminals more effectively burgle houses based on geolocation data?) Skepticism would grow that anyone—governments, security firms, or other companies—has the power to alter these volatile, unexpected dynamics.

The Way Forward

In this scenario, another tech bubble will burst around an overvaluation of data assets. Licit businesses and associated markets will struggle to cope, marking the sunset of previously dominant actors and the entry of smaller players, including from the developing world. Criminal enterprises will grab new opportunities in both the licit and illicit sectors. Governments will become regulators of data sales and purchasers of key competitiveness and national security-relevant data assets, but will fulfill both responsibilities imperfectly.

Cybersecurity in this world will converge even more fully with data security, as datasets, repositories, and data markets become the principal targets of attack. Maintaining security investments during a severe economic downturn (when firms need to hoard cash) creates a challenging dynamic. Investments and capital expenditures will be under pressure, and those that protect against loss, rather than promise gain, will be under the greatest pressure.

In this scenario, cybersecurity researchers will wish that in 2016 they had been looking at:

  • Criminal Control
    How criminal activity would be revalued and refocused in a devalued data market. If criminals can buy a dataset cheaply in a fire sale market and gain legal property rights, would they still bother stealing it?
  • Authentication
    Techniques for proving the origins of datasets, protecting meta-data against attacks designed to falsify their provenance, and (later) defending against having data collected in the first place (in other words, “privacy-hardened computation”).
  • Efficient Markets
    What role government might play in creating mechanisms for making markets for data more efficient and secure.20 A murky legal and economic environment in these markets may present as much of a security risk as a direct attack.
  • Human Capital
    Approaches to fostering talent and human capital “security,” in order to prevent significant growth and transfer of assets to the illicit sector.

Finally, the US public in particular may wish that researchers had thought more specifically about the second- and third-order consequences of a data-centered financial bubble bursting. Would (mainly) American platform companies flip from being seen as champions of innovation to being the villains of yet another US-induced global recession?