Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Hocus-pocus! The stupidity of cybersecurity predictions

Ira Winkler | Jan. 6, 2016
Security industry prognosticators rely more on marketing, hype, and our own bad memories than any knowledge of security past, present or future.

crystal ball

Every year, some publication asks me to come up with a list of my top 10 predictions for the security field, and every year I tell them they might as well just dust off an article I wrote a year earlier, with maybe a couple of buzzwords and a new technology added on. What you can generally expect in any given year is more of the same, with some slight variations.

That doesn’t stop people from making predictions, though. Vendors and supposed experts can’t seem to control the urge, but when I read their predictions, I just have to shake my head at the uselessness and gross ignorance of most of the comments. Predictions are useless when they are obvious, which many of them are, and they show gross ignorance when they predict things that have already happened. Surprisingly, predictions of past events are fairly common on these end-of-year lists; the prognosticators don’t know enough about the security industry to know that what they are predicting has already happened.

What is important to know about the year ahead is that it will resemble the years behind us. All technologies can and will be hacked, and likely already have been. If a new technology becomes especially pervasive, hackers (perhaps terrorist hackers) will try to compromise it. There is no genius in predicting that many hackers, including those affiliated with terrorists and nation-states, will try to compromise IoT devices.

Prognosticators on occasion make truly sensational predictions. Unfortunately, those rarely come to pass. Back at the turn of the millennium, one analyst firm predicted a $1 billion theft as criminals took advantage of Y2K-related issues. People still pay that firm tens of millions of dollars a year for its advice. Another analyst firm predicted a Cyber Pearl Harbor in 2003. As you know, neither of those predictions, which garnered major headlines, came true. The people who make such predictions hope that people won’t remember them when they fail to come true, and of course, most people don’t.

I don’t know why people let prognosticators get away with including obvious things on their lists of predictions. This year we were told that in 2016 there will be an increase in mobile device hacking. Security spending will continue to grow. There will be security problems with IoT devices and Apple products. I would just like to add that the sun will rise 366 times.

This year was also not lacking in predictions of things that have already happened. For example, “The power grid will be successfully attacked.” Are you worried? Well, keep in mind that Russia, China and Iran have already been directly identified as having compromised the U.S. power grid. And it is likely that other power grids around the world are thoroughly compromised. Brazil’s power grid reportedly suffered an intention outage due to hackers as early as 2005. Claimed hacks against power grids were noted by President Obama in a speech in May 2009. So “predictions” about successful hacks against the power grid are about 10 years too late.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.