Predicting the Future of Cybersecurity

About the Author

Mike Bacidore is the editor in chief for Control Design magazine. He is an award-winning columnist, earning a Gold Regional Award and a Silver National Award from the American Society of Business Publication Editors. He may be reached at 630-467-1300 ext. 444 or [email protected] or check out his Google+ profile.The number of global Internet users will double to 4 billion by 2020, with ever more of these users—about three quarters of them—living in emerging economies. Along with these rising numbers will come an exponential increase in cybersecurity threats.

That was the message presented during a presentation at ABB Automation & Powerworld today in Houston. The numbers come from a Microsoft study called Cyberspace 2025, which was shared by Tim Rains, chief security advisor, Cybersecurity & Data Protection Group, at Microsoft.

"If we don't do cybersecurity right with the Internet of Things," Rains warned, "the next generation will have a bunch of untrustworthy devices. The legacy is not going to be smooth."

The Microsoft study looked at socioeconomic factors to determine how public policies made today will impact cybersecurity 10-15 years from now.

"We're very used to talking about the impact of the Internet in the United States," said Rains. "The number of Internet users in the western nations is finite. Other countries, such as China and India, will eclipse the United States in terms of users and broadband penetration."

50 billion devices

"At Microsoft, we assume we will be breached. And that gives us the permission to think about what we will do." Microsoft's Tim Rains explained how today's cybersecurity practices will affect future generations.

By 2020, 50 billion devices will be connected; they will be ubiquitous. "In India, by 2025, you'll see a 3,000% increase in broadband penetration," Rains said. Internet connectivity will be everywhere, and students in science, technology, engineering and mathematics (STEM) will be equally diverse globally. In fact, according to the study, the STEM students of the future will mostly come from countries such as Morocco, Saudi Arabia, Kenya, Peru and Guatemala.

The Cyberspace 2025 study foresees three different types of future scenarios: plateau, peak and canyon. In the plateau scenario, cybersecurity responses are often limited to individual nations, despite the trans-border nature of Internet infrastructure. In the peak scenario, governments, businesses and societal organizations are connected and cooperative; they foster the widespread and rapid adoption of technology, and the Internet of Things fulfills its potential for innovation. In the canyon scenario there is deepening isolation in a protectionist economy.

Getting to peak performance requires focus on talent, governance and cooperation, Rains said.

"To grow talent, do you have a public policy for STEM?" he asked. "Align strategic investments in infrastructure and R&D. Balance talent mobility and retention by educating a modern workforce. Governance must commit to an open, free Internet where privacy is protected. Harmonization, collaboration and cooperation requires sharing best practices."

Evolving business means evolving threats, Rains said.

"The bad guys aren't slowing down," he said. "They are not static. They're constantly trying to find new ways to compromise organizations. On average, organizations that have been compromised were compromised 243 days before the victim notices. Once the bad guys penetrate that shell of firewalls and cybersecurity, they can get at that soft gooey center. At Microsoft, we assume we will be breached. And that gives us the permission to think about what we will do."

The impact of cyber attacks on global industry could be as much as $3 trillion in lost productivity and growth, Rains said.

"Cybersecurity is a board-level issue," he said. "At Microsoft we've been doing this a long time. In 2000, there were 389 million global Internet users. In 2006, there were 1.14 billion. In 2013, it was 2.4 billion. You have to have tools and a repeatable process that will help people do cybersecurity on a scale. I spend a lot of time with chief security information officers, and they have reputations for saying, ‘No.' Over time, they've learned they have to support the business. It really is about understanding risk—probability of a threat and its impact. You create risk statements and prioritize them against one another. It all starts with a risk-based approach."