Adversaries have a long game. As the severity of the 2020 security compromises are still unfolding, let’s fix our eyes on our long game and the future of cyber risk management. Taking a look back on our predictions from 2009 when we authored Security 2020: Reduce Security Risks This Decade, published in 2010, we got a lot of it right. If you get input from 53 industry experts, you can make some solid predictions, and here are just a few of the scenarios we anticipated (See Chapter 9: Eleven (maybe Not So Crazy) Scenarios that Could Happen):
Which way do I go? The GPS system for the world is taken down or manipulated. Although there have been some glitches, I would admit this one is still yet to happen but would argue the impact and reality of this happening remains a future threat that is very high.
Is the network down? And snip the lines. We identify the real risk of taking out physical assets in the world, specifically data centers, cloud concentration points, and network assets. The impact of the bombing in Nashville, Tennessee, sadly shows some of this fragility. Now, imagine a few critical locations in the United States, such as New York, Arizona, and Virginia, being taken offline and our internet and communications lifeline to it drastically impacted.
The pandemic. Unfortunately, we got this big one right. This is a scenario where a pandemic is initially spread through air travel through the U.S. and the world. At the time, we were referencing the swine flu and how remote work for technology and certain jobs might flourish but others, where remote work isn’t practical, would have a disastrous impact on the social fabric and global economy.
Cyber hijacking, blackmail, and ransom. We referenced examples of using ransomware attacks on healthcare environments and how it’s not only a hack as a monetary tool but eventually can be used to affect human life, as we saw in Germany this year through the supply chain manipulations.
The Facebook killer. We explored a scenario of using Facebook to cover up a murder and leveraging social media to make friends believe the victim is still alive for a period of time due to the social media postings. While we have seen reports of people dying prematurely, we haven’t seen this happen directly, though there certainly have been many account takeovers and, of course, social misrepresentation.
Is it getting hot? In this scenario, we cover the risk of solar flares to the electrical and electronic infrastructure of the world, and we are extremely lucky this hasn’t happened yet. Researchers from NASA and various universities published a seminal study of the storm in the December 2013 issue of the journal Space Weather. Their paper, A Major Solar Eruptive Event in July 2012, describes how a powerful coronal mass ejection tore through Earth’s orbit on July 23, 2012. Fortunately, Earth wasn’t in its path. Instead, the storm cloud hit the STEREO-A spacecraft.
“I have come away from our recent studies more convinced than ever that Earth and its inhabitants were incredibly fortunate that the 2012 eruption happened when it did,” says Daniel Baker, Colorado University. “If the eruption had occurred only one week earlier, Earth would have been in the line of fire.”
Which way is up? There were many reports in 2020 that the North Pole has been shifting toward Russia, moving slowly like this is the best scenario. Let’s skip the idea of an abrupt “swap” and just hope it never comes true. If you’re a worrier, never research the frequency of a polar shift and how past due we are for one.
Cyber hypothermia, cyber heatstroke, and utility terrorism. We know the power and utilities sectors have been targeted and compromised around the world. In this scenario, attackers align their execution of an attack on an operational technology infrastructure in line with actual physical weather events, thus creating a multiplier effect in their targeted areas or even limiting response to a physical intervention with a major situation like a nuclear power plant.
The pundit hack. Well, I’ll stay out of politics here, but the scenario is influencing opinion and outcomes by manipulating press, news, or social media, specifically by also representing influences with false messaging to get a desired outcome. I’ll just leave it at that.
Stock manipulation. Like No. 10 above, stock manipulation is leveraging social media and other variables in the cyber world to impact the price of a stock and then taking financial gains through buy/sell or shorts/puts.
So we forecasted with a good degree of accuracy in 2010 what would happen by 2020. What do you think the next 10 years of cyber risk management will look like? Take a look at the Pondurance 2021 predictions for what we expect to see in the year to come.