Dan Geer probably wouldn't call himself a prophet. But he may come about as close to it as anyone in IT security. And his view is that while current trends in the online world are not necessarily irreversible, they are headed in a dystopian direction.
Geer, CISO at the venture capital firm In-Q-Tel, who gave the closing keynote at SOURCE Boston 2017 this past week, even cited a New Testament prophecy early on – I Corinthians 13:12: “For now we see through a glass, darkly; but then face to face: now I know in part; but then shall I know even as also I am known.”
But while he doesn’t claim prophet status, he is all about predictions. “The future is once and always the topic for any security talk,” he said, because, “cybersecurity and the future of humanity are conjoined now.”
Also because while geologic evolution can take millions of years, the cyber world is evolving, as he put it with significant understatement, “at a faster clock rate.”
Making predictions is practically universal – humans are hard-wired to make them, he said, quoting neuroscientist and engineer Jeff Hawkins, who called them, “the primary function of the neo-cortex, and the foundation of intelligence.”
But making them also requires an element of humility, he said, taking a line from novelist Warren Ellis: “I try not to get involved in the business of prediction. It's a quick way to look like an idiot.”
“Nevertheless,” Geer said, “I will now make some predictions.”
He made a lot of them – more than two dozen. Not the Alvin Toffler “Future Shock” type, but the kind that forecast the logical consequences of what is happening in the present. And they came across as through the glass clearly, not darkly.
Geer’s glimpses into the future included:
- Cyberinsecurity is and will remain the paramount national security risk.
- Mutual Assured Destruction, of the kind demonstrated by the Stuxnet attack on the Iranian nuclear program, won’t work the way it did with nuclear weapons. “The reason is attribution,” he said. “While intercontinental ballistic missiles have a visible flight path and a limited number of launch-capable governments, offensive software has neither.”
- Just as a public safety argument led to a mandate for continuous geocoding of mobile phones, a public safety argument will mandate geocoding of the internet.
- Major nation states will prevent products of other nation states from being used in some parts of what they consider their critical infrastructure. “Industrial espionage will thus rise in importance to nation states, as if it were not high enough already,” he said.
- Pre-deployment of cyber weaponry in otherwise non-military positions – devices, networks, etc. – is all but certain. Much of that will be for denial of information services, “but is likely to expand into disinformation as soon as sensors assume a place in the critical path for autonomous devices.”
- The most significant cybercrime rings “will continue to operate from a small number of sovereign jurisdictions where they enjoy tolerance, if not revenue sharing.”
- Cyber attack detection using behavioral techniques – anomaly detection against long-term norms – “will be used with greater vigor, but with immense side effects.”
- It will be “seductive” to turn over decision-making to machines, but it won’t be safe unless such systems let humans override the machines. That will require maintaining “the conditions for operating without that delegation.”
- “Except at the level of especially sentient cybersecurity practitioners such as some of you, this lesson will be learned the hard way,” he said.
- The characteristics of financial high-frequency trading – rapid-fire decision making by self-modifying algorithms – will begin to appear in other domains including government.
- The skills shortage in cybersecurity will not be solved. The 1 percent – the half-dozen enterprises able to pay any price for talent – will get all or most of that talent. Government won’t be part of that 1 percent.
- Because most critical infrastructure in Western societies is privately owned, governments will “deputize” them, willingly or not, to do things in the service of national security.
- “This was, of course, the story around telephone records at AT&T, et al., and will be the story soon enough around cloud computing and data handlers,” he said.
- End-User License Agreements (EULAs), most of which deny any liability for damage caused by a product, “will be effectively challenged as soon as a suitable crisis appears. Autonomous vehicles may be where such challenges draw their first blood.”
- The cybersecurity industry is in no danger of collapse, because there will always be more to do than can be done. “Cybersecurity as a formal science will remain a goal and not an accomplishment,” he said.