Look to the future: How the threat landscape may evolve next
From Covid-19 to war in Ukraine, SolarWinds Sunburst, Kaseya, Log4j, MOVEit and more, the past five years brought cyber to mainstream attention, but what comes next? The Computer Weekly Security Think Tank looks ahead to the second half of the 2020s
It’s been quite the half-decade. In fact, it’s hard to know where to start when reflecting on it. The Covid-19 pandemic forced a mass shift towards hybrid working models, leaving security teams with a new and complex attack surface to secure quickly. Charges brought against the CISOs of SolarWinds and Uber set a precedent for the legal responsibilities CISOs carry when it comes to cyber attacks and their reporting. Elsewhere, new regulations are being written into law across the world to protect organisations and consumers, from NIS2 to the Cyber Resilience Act. Similarly, artificial intelligence (AI) has revolutionised cyber security, for good and bad. In some ways, AI has become a helpful ally for security teams fighting threats, especially as teams face a barrage of novel threats daily. On the other hand, the uptick in attacks is likely due to the increased use of AI by cyber criminals to speed up and automate attacks. These notable events are just scratching the (attack) surface!
The cyber industry has always been fast paced, and security teams are no strangers to change. However, the last five years have challenged the industry significantly, with an unprecedented volume and sophistication of new threats, talent retention problems and rising burnout. As always, these challenges have demonstrated the resilience of the industry. We learn from one another and, as a community, we have become more open about speaking of our collective challenges and helping one another. As we head into the unknown once again, it’s critical that we keep fostering that sense of openness and community.
I find ‘predictions’ difficult. It feels like dowsing for hidden wells of water with a forked stick. I have no crystal ball that will reveal the spring of vulnerabilities about to be unleashed upon us in the next five years. But I have seen some trends over the past few years that have proven hardy and that represent significant problems which aren’t going away any time soon. These are the best places I can look for what lies ahead.
We might see the quantum computing event horizon in the next five years, in which case all bets are off. I don’t think that day will be like the vaunted Y2K that was foretold; it will be more problematic over a longer period of time. It will still be a good while before quantum computing is accessible enough to criminal groups to make it an everyday threat. Governments protecting secrets, though, are in a different boat: encrypted traffic captured today can be stored and decrypted once a capable machine exists, so their migration clock is already running.
I will also make the very spicy take that AI, at least in its current form using LLMs or things of a similar stripe, is going to sputter and fall flat. We haven’t seen massive increases in uptake by significant parts of the economy for any of the leading companies, despite them shovelling money into the AI furnace by the billions. There are also reports that the current flavour of LLMs has reached its limit, with diminishing returns now that there are no longer any major corpuses of human-created data and content left to consume for training. There, I said it. We are nearing ‘peak AI’. Cue sad trombone.
And now for something completely different…
On a much more serious note, I think the major events relating to cyber security over the next five years will be driven largely by geopolitical crises, starting with China.
Between now and 2030 we will see increased aggression by China, with some form of conflict, both hot and cold, brought on by a possible ‘annexation’ of Taiwan. China has for some time been using police actions (and nominally civilian fishing vessels) to encroach on the territorial sovereignty of regional nations, including the Philippines and Taiwan. I worry that the Hong Kong playbook will be tried in Taiwan in a similar way, that these methods of pushing at territorial water boundaries will continue, and that some traditional Western powers will play a diminished role. If this comes to pass, and unfortunately that seems to be the direction things are heading, it will be a cataclysmic global event with truly massive implications. Western-based silicon manufacturers will be folded into the national security apparatus as critical national infrastructure, something they have largely escaped so far but are increasingly moving towards.
More critical national infrastructure will fail, and in larger ways, due to espionage, conflict or both, as we have seen with the actions of Volt Typhoon and Salt Typhoon, Chinese state-sponsored actors digging into ISPs, telcos and energy companies to pre-position for a potential future conflict and to monitor communications of strategic importance. My fear is that disruption of telcos and other “everyday” critical infrastructure sectors that have not gone as far on their cyber security maturity journey will force governments to assert more explicit control through regulation and direct assistance. Some of this will be long overdue, for in the year 2024, is it really defensible not to require MFA for privileged (or all) users? Not to move away from memory-unsafe languages? Not to keep logs of critical system events? These things shouldn’t be acceptable now, but I’m afraid it will take an even bigger catastrophe than the cyber crises we’ve endured in the past few years for these requirements to be stated forcefully enough that some organisations take note.
Russia will continue its role as global bully, but we will see more cracks emerge as it struggles without updates for Windows devices and other Western technologies that are no longer available to it under sanctions. Russia-based ransomware groups will move into closer alignment with the government and become proxy actors of the Kremlin, even more explicitly than they are now.
Supply chains will get hit, again, and again, and some more. Unfortunately this is a growing trend over the past few years, and as we saw with CrowdStrike this year (which wasn’t a supply chain attack, but a faulty update to its software caused a global technology event that impacted millions of people, disrupted businesses, cancelled flights and more), these technologies have become almost irreversibly intertwined with corporate enterprise IT, to such an extent that they can cause cascade failures.
Whether the attackers are aggressor nation-states like Russia and China or neo-organised crime in the form of ransomware gangs, the next few years will see disruptions of increasing frequency and magnitude. Eventually there will be a counterforce, deployed by governments, in the form of policy, law and cyber action. My hope for my friends still working in the halls of power in Washington and Whitehall is that we can mount an effective response to acts of aggression in a way that is proportionate and lasting, not overcorrecting but likewise not wasting an opportunity to set and enforce norms around responsible stewardship of user data, technology and public services, as well as norms for conflict in cyberspace that are rooted in our principles and values as a society.
Elliott Wilkes is chief technology officer at Advanced Cyber Defence Systems (ACDS). A seasoned digital transformation leader and product manager, Wilkes has over a decade of experience working with both the American and British governments, most recently as a cyber security consultant to the Civil Service.