What terrifying cyber threat will menace us in 2018? There are countless lists, produced by information security bloggers and cybersecurity consulting firms, that attempt to answer that question with varying density of buzzwords. Kelly Shortridge, a product manager at the security assessment firm Security Scorecard, decided to make the ultimate list of 2018 cybersecurity predictions by aggregating a slew of lists using Markov chains, a process that can generate English sentences based on the probability of which words come after each other.
Infosec predictions should ideally help guide decisions about where to invest resources, but instead they are often dramatized to attract attention and clicks, Shortridge said in an email. “For example, when I reviewed the predictions for 2016 last year to see what people got right and wrong, drone hacking had been a significant prediction — and drone hacking wasn’t and still isn’t a concern... When I began reading some of the 2018 predictions, I found myself often musing that this could’ve equally well been written by a bot, given the density of buzzwords and superficiality of the claims. So, I decided to proxy for a post actually written by a bot to highlight the ridiculousness of the ritual — and show how close creating a buzzword goulash compares to the real thing.”
Shortridge found 20 blog posts from well-known vendors and publications, ran them through an online Markov chain generator, then edited the result to remove vendor names and “eye-gouging grammar.” The process took about six hours, she said. The result is a masterpiece of legitimate-sounding predictions (“Many IoT technologies lack protections to ensure devices cannot be exploited by the cyberspace dark forces”) interspersed with inane but still plausible observations (“In 2018, the cryptocurrency escalates”). At times, the piece is insightful in its bluntness: “Companies can’t count on the internet. We knew full well that this was the near future. It’s simply a ‘good’ business environment of valuable data, data that allows them to move into 2018.”
Shortridge’s blog post, titled, “2018 Cyber Security Predictions,” begins sort of alarmingly, with the sentences, “In 2018, security. Cyber security people will die.” But after that, the observations are mostly broad, obvious, and laden with jargon.
“Reality is only automation.”
“Prediction: the European Union (EU) will become untenable.”
“A hoard of locusts will control systems daily.”
“In 2018, Africa will emerge to help enterprises, which when left unsecured, can become slave nodes.” (Where did the association between Africa and slaves come from?)
“Companies can’t count on the internet.”
“Vendor-agnostic implemented blockchain technology underpins the transaction ledgers used by most cryptocurrencies and will increase, driven by third-party security policies that will still lack teeth.”
“Amazon Echo devices submitted into our crystal ball to manage realization tasks will continue to grow through unpatched new vectors. Drones are used to create serious disruption of things, to say, open a garage door to legitimate organizations. The boardroom needs access to these malicious devices, so as not to have to fend off cyber security gaps using pirated social media spamming.”
This is perfect. It’s surreal and some of the items are so close to the glossy marketing you second guess it for a second. https://t.co/J6jDk5Ig2p— Ean Meyer (@EanMeyer) December 27, 2017
The generated list concluded that the top threat trends for 2018 are: a continued increase in ransomware, more attacks on Bitcoin users and companies, more exploitation of the internet of things (IoT), more nation state attacks, something unintelligible about the General Data Protection Regulation which is set to be implemented in the EU next year, more use of machine learning, and something inscrutable about company budgets for infosec. Shortridge’s Markov chain-produced blog post seems to show that infosec bloggers are in agreement that many current trends will continue, that GDPR will happen, and that companies should spend more money on cybersecurity.
The post actually included some uncannily good advice. Shortridge’s favorite lines included, “We are at the rising edge of a return to securing applications instead of building complex, expensive and defensive strategies for APT (advanced persistent threat) attacks” — meaning that developers will focus on realistic common threats for their specific products, rather than trying to guard against highly sophisticated attackers such as a state sponsored hacking group. “It’s a prediction that is surprisingly wise, and one that I sure hope comes true,” she said.
“I also enjoyed the accidental cynicism of some lines, such as, ‘The goal of GDPR is to harmonize data so privacy watchdogs can interfere with businesses worldwide,’” she said. “The point that machine learning ‘should be considered an additional security layer incorporated into an in-depth defense strategy, and not a silver bullet,’ is actually valuable advice, and I think placing credence in it would benefit the industry.”
But as if to prove her point, Shortridge’s post was picked up by another cybersecurity blog, which summarized and linked to it as if it were a genuine attempt at forecasting. “The end of the year is the time for summing up the results and discussing the upcoming trends,” wrote the author, which may have been a bot itself. “The security forecasts for 2018 demonstrate many problems that can be used.” Indeed.
As for Shortridge’s predictions for 2018, she thinks there won’t be many surprises. “I personally believe information security stays the same at a macro level far more than most suggest. When you go back and read articles from more than 10 years ago, it’s frustrating how well they could still apply today,” she said. “There are specific new technologies that might create new dynamics... But at a higher level, I still believe ‘threats’ will overwhelmingly be social engineering-based and attackers will continually test for basic security failures like using default passwords or leaving longstanding vulnerabilities unpatched.”
Update: This story has been updated with comments from Shortridge.