Predicting the future of cybersecurity is a melancholy exercise, judging by the prognostications of CNBC, USA Today, Cipher Brief, and others. Cyber breaches are frequent and costly, and it would be foolish to predict that they will decline when the financial incentives for stealing data remain. 2016 will see more high-profile hacks, of companies and governments, and increased insecurity around financial data and personal credentials.
More interesting than the certitude of future hacks is the way society’s systems are addressing their cyber vulnerabilities in concert with the possibilities of their system-specific data. Children’s data, financial data, and health data are each covered by their own legal privacy protections, and the data considered valuable within a system vary according to that system’s function. Most data breaches, however, result in financial fraud (whether your credit card number is stolen from an online purchase, a gas pump, a hospital billing transaction, or a school’s fees processing system, the attempted crime is the same); a smaller percentage of breaches result in harassment (e.g., swatting, cyber bullying, and the like), and an even smaller number result in impersonation not related to financial fraud (e.g., stealing IP, access credentials, or personal information without your knowledge or direct financial loss). The framework for this categorization is the individual as victim; when considering cyber crimes in which institutions or nations are the victims, the proportions of crimes falling into these three categories are likely inverted.
The proliferation of IoT, a key trend of 2016, will change the predictability of the effects of a breach by dramatically broadening the threat landscape. Your credit card information can still be stolen, but the interconnection and digitization of cars, home appliances, and other “smart” devices allows hackers to profit through mischief: installing ransomware on a car, for example, or altering the behavior of smart devices to drive traffic to their websites. Hackers could use interconnected smart devices to build profiles on individuals that can be resold to advertising companies—or to the manufacturers of those devices themselves, who may be prohibited from gathering such data, but protected when buying it from a third party assumed to be legally in possession of the information. Hackers affiliated with a local heating oil company could attack smart thermostats, reconfiguring them to heat each home a degree warmer than the displayed setting, thereby using more heating oil and delivering profits to the company. While obviously unethical (and perhaps too blatant to go undetected for long), the recent tampering of VW puts this type of cyber crime within the realm of possibility. These attacks will be system-specific, and will target devices for their utility within a system, rather than for their ease of access to a network linking data stored on other devices.
While there are plenty of potential negative consequences, the positive future of cyber-social systems in 2016 is one of greater connectivity, greater access, and greater respect for the autonomy of citizens. Self-driving cars are on track to restore autonomy and privacy to those who cannot drive—the elderly or disabled, for example—while the proliferation of smart devices, AI-supported virtual assistants, and “wearables” points toward an increased personalization of services that will allow individuals to complete more tasks by themselves, or at least without additional human assistance. The prevalence of smart tech in the healthcare setting will allow us to track more aspects of our health than ever before, and connect tracked indicators to location, time, and activity data, improving the ability of public health officials to track an E. coli outbreak, for example, or quickly respond to dangerous environmental conditions.
While privacy defined as the ability to conduct activities “in private”—to run errands without employing a driver, or to make a purchase without querying a sales clerk—is increasing, the privacy of our information is not. When I pay in cash for a watermelon at a farmer’s market, the external record of that sale persists only as long as the farmer’s memory of me; when I buy batteries on Amazon.com, the record of that purchase could persist for hundreds of years, depending on how it is stored. Furthermore, not only will my credit card company and Amazon retain information on that purchase, that information could be sold or transferred to any number of third parties, who also continue to store it beyond its perceived utility to me. My hope is that the persistence of data is addressed in 2016, and the ability of individuals to retract data on their activities—as begun in 2014 by Right to be Forgotten legislation in Europe—is expanded to provide greater transparency and privacy to individuals. Perhaps a statute of limitations on data will decree how long non-essential records are stored, or data will be stored with tags that allow users to access, aggregate, and delete data associated uniquely to themselves.
In 2016, social systems will become even more intertwined with the cyber technologies that support them. When we think of “the financial system”, we think of the people who work at banks, or trade stocks, or set interest rates, but we also think of the computers and algorithms that provide the system’s functionality, now even more than we think of physical bank buildings and trading floors. A financial system without cyber technologies sounds critically incomplete, and a bank’s security by necessity includes cybersecurity. Considering and including cyber technologies has become second nature for nearly every industry and sector of activity, and our interactions throughout our professional and personal lives are forming, more than ever, cyber-social systems.