Who Says You Can’t Predict the Future?
While preparing to introduce today’s keynote (Dr. David McGrew) at the 23rd CERIAS Symposium, I was reminded of an exercise in crystal ball gazing. Every December we have various people publish a list of their top predictions for the coming year. Some are thoughtful, and others simply risible. The track record is often quickly forgotten.
However, what of an effort by real experts and visionaries to make some bold predictions for a decade hence? Many people have repeatedly claimed that such a thing is impossible for cybersecurity – the field moves too quickly, innovation disrupts truisms, and biases complicate the mix.
Here, I present at least one worked example that proves that it could be done – and was.
In 1992, the COAST Laboratory was started. Around 1996, Cisco became a corporate partner with COAST, providing equipment and funds for student scholarships. When CERIAS emerged from COAST in May 1998, Cisco stepped up as a founding sponsor. This included not only continuing financial support, but increasing some researcher involvement.
In 2000, another CERIAS partner at the time, Accenture, agreed to cosponsor a workshop at their St. Charles conference center. The workshop would be organized by CERIAS and was to focus on making some “bold” predictions for the next decade. We were supposed to identify some “visionaries” who could participate and discuss the future.
I (Spaf) identified some personnel I knew were deep thinkers, some of whom were not yet quite widely known in cybersecurity. I invited them, and Accenture added a few of their own senior staff. These people went on to build significant reputations in the field. (I’d like to claim it was because they participated in the workshop.)
The visionaries who attended, and their affiliations at the time:
- Whit Diffie (Sun Microsystems)
- Becky Bace (Infidel)
- Howard Schmidt (Microsoft)
- Phil Venables (Goldman Sachs)
- David McGrew (Cisco)
- Dan Geer (@Stake)
- John Clark (Accenture)
- Dan Deganutti (Avanade)
- Glover Ferguson (Accenture)
- Anatole Gershman (Accenture)
- Mike Jacobs (NSA)
- Fred Piper (University of London/Royal Holloway)
- John Richardson (Intel)
- Marv Schaefer (BWAP)
- Spaf (Purdue CERIAS)
An impressive group, in hindsight; fairly impressive in 2000, too!
I won’t recapitulate the whole workshop report, which you can read if you wish. However, I will summarize what we saw as the top 10 trends for cybersecurity in 2000:
- The EverNet: Billions of devices proliferate that are always on and always connected.
- Virtual Business: Complex outsourcing relationships extend trust boundaries beyond recognition.
- Rules of the Game: Government regulation increases as lawmakers react to real losses that hurt.
- Wild Wild West: International criminals exploit lack of cooperation and compatibility in international laws.
- No More Secrets: Privacy concerns will continue to compete with convenience and desire for features.
- Haste Makes Waste: “Time to Market” increases pressure to sacrifice security and quality of software.
- Talent Wars: Lack of security skills will compound weaknesses of delivered solutions.
- Yours, Mine or Ours: Identifying intellectual property and information ownership will become key areas of debate.
- Web of Trust: Standard security architectures and improved trust will spur eCommerce growth.
- Information Pollution: Information exploitation becomes more lucrative than hacking.
I remember that when the report came out, it was dismissed by some in industry as “too pessimistic.” Perhaps because the “visionaries” weren’t all well known, the conclusions were largely ignored.
Looking back on the list, I’d say we scored at least 90%, especially for the decade that followed. Both #3 and #10 took a little longer to manifest, but we were on target with all ten.
You can apply some hindsight bias now to say they were all obvious, but that really wasn’t the case in fall 2000. The iPhone was 6 years away from introduction and the Motorola StarTac CDMA phone was effectively the state-of-the-art. Wireless was basically defined by the recent release of 802.11a/b. Internet penetration was less than 6% of the world’s population (it is over 66% now, in early 2022). At the time of the workshop, Facebook and Twitter were years away from creation, and Google was a small search engine company less than 3 years old. Ransomware had been described theoretically, but would not become prominent for several years.
Interestingly, the action items the group defined are still relevant, and notable perhaps in how they are still not practiced widely enough:
- Improve Software Quality: Focus on improving the quality and assurance of software. Prevent distribution of weak software with security exposures. Conduct research to find better methods for designing and developing higher quality software.
- Invest in Training and Awareness: Develop a sound educational program that focuses on security and ethics. Focus resources throughout the educational spectrum. Teach respect for electronic boundaries. Develop comprehensive curriculum to educate our next generation.
- Implement Best Practices: Incorporate baseline safeguards and practices. Use best practices to ensure security is done right in development, implementation, testing, business processes, and consumer practices.
- Initiate Public Debate: Initiate public debate on identification, ownership protection, use of personal information, and responsible use of computing.
- Advocate Holistic Approach: Advocate and pursue a well-rounded and proactive approach to the overall problems: business, social, technical, and government.
- Package Security Architectures: Encourage packaging of basic security architectures with standard services that integrate with applications and infrastructure.
One of the workshop participants informs me that the workshop was held in late September 2000. The report is copyrighted 2001, which is why I originally thought it was held that year. Unfortunately, I no longer have my appointments calendar from that time, so my initial posting indicated 2001. His recollection of this is strong and is likely correct. I have corrected the dates in the entry above to reflect this correction.